diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn
index 4a22e37c62..61cb120716 100644
--- a/.acrolinx-config.edn
+++ b/.acrolinx-config.edn
@@ -1,5 +1,8 @@
{:allowed-branchname-matches ["master"]
:allowed-filename-matches ["windows/"]
+
+ :guidance-profile "d2b6c2c8-00ee-47f1-8d10-b280cc3434c1" ;; Profile ID for "M365-specific"
+
:acrolinx-check-settings
{
"languageId" "en"
@@ -33,6 +36,6 @@ Click the scorecard links for each article to review the Acrolinx feedback on gr
"
**More info about Acrolinx**
-You are helping M365 test Acrolinx while we merge to the Microsoft instance. We have set the minimum score to 20 to test that the minimum score script works. This is effectively *not* setting a minimum score. If you need to bypass this score, please contact krowley or go directly to the marveldocs-admins. Thanks for your patience while we continue with roll out!
+We have set the minimum score to 20. This is effectively *not* setting a minimum score. If you need to bypass this score, please contact MARVEL PubOps.
"
}
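Review bot: the rewritten notice keeps "We have set the minimum score to 20. This is effectively *not* setting a minimum score." but drops the sentence that explained why (the score was a test of the minimum-score script), so the two sentences now read as a contradiction to anyone who did not see the old text. Either keep a short reason or state plainly that no minimum score is enforced at present. The new contact, "MARVEL PubOps", is also given with no alias or channel, where the old text named a person and a group to go to directly.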
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index f7f89f712e..ef2e397e5b 100644
Binary files a/.openpublishing.redirection.json and b/.openpublishing.redirection.json differ
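Review bot: `.openpublishing.redirection.json` is reported as a binary file, so the redirect changes in this PR cannot be reviewed. A JSON file should diff as text; this usually means a byte-order mark, an encoding change, mixed line endings, or a `.gitattributes` rule marking it binary. Please confirm the file's encoding and regenerate the change so the added and removed redirect entries are visible in the diff.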
diff --git a/browsers/edge/about-microsoft-edge.md b/browsers/edge/about-microsoft-edge.md
index 5cd357aea7..e2453e5990 100644
--- a/browsers/edge/about-microsoft-edge.md
+++ b/browsers/edge/about-microsoft-edge.md
@@ -2,7 +2,7 @@
title: Microsoft Edge system and language requirements
description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics.
ms.assetid: 70377735-b2f9-4b0b-9658-4cf7c1d745bb
-ms.reviewer:
+ms.reviewer:
audience: itpro
manager: dansimp
ms.author: dansimp
@@ -17,7 +17,7 @@ ms.date: 10/02/2018
---
# Microsoft Edge system and language requirements
->Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile
+> Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile
> [!NOTE]
> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
@@ -25,8 +25,8 @@ ms.date: 10/02/2018
Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools.
->[!IMPORTANT]
->The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don’t include Microsoft Edge or many other Universal Windows Platform (UWP) apps. Systems running the LTSB operating systems do not support these apps because their services get frequently updated with new functionality. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11.
+> [!IMPORTANT]
+> The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don’t include Microsoft Edge or many other Universal Windows Platform (UWP) apps. Systems running the LTSB operating systems do not support these apps because their services get frequently updated with new functionality. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11.
## Minimum system requirements
@@ -49,7 +49,7 @@ Some of the components might also need additional system resources. Check the co
## Supported languages
-Microsoft Edge supports all of the same languages as Windows 10 and you can use the [Microsoft Translator extension](https://www.microsoft.com/p/translator-for-microsoft-edge/9nblggh4n4n3) to translate foreign language web pages and text selections for 60+ languages.
+Microsoft Edge supports all of the same languages as Windows 10 and you can use the [Microsoft Translator extension](https://www.microsoft.com/p/translator-for-microsoft-edge/9nblggh4n4n3) to translate foreign language web pages and text selections for 60+ languages.
If the extension does not work after install, restart Microsoft Edge. If the extension still does not work, provide feedback through the Feedback Hub.
diff --git a/browsers/edge/group-policies/favorites-management-gp.md b/browsers/edge/group-policies/favorites-management-gp.md
index 9a022da181..c8584e28f5 100644
--- a/browsers/edge/group-policies/favorites-management-gp.md
+++ b/browsers/edge/group-policies/favorites-management-gp.md
@@ -1,43 +1,43 @@
---
title: Microsoft Edge - Favorites group policies
description: Configure Microsoft Edge to either show or hide the favorites bar on all pages. Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes.
-services:
-keywords:
+services:
+keywords:
ms.localizationpriority: medium
audience: itpro
manager: dansimp
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
-ms.reviewer:
+ms.reviewer:
ms.topic: reference
ms.prod: edge
ms.mktglfcycl: explore
ms.sitesec: library
---
-# Favorites
+# Favorites
> [!NOTE]
> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
-You can customize the favorites bar, for example, you can turn off features such as Save a Favorite and Import settings, and hide or show the favorites bar on all pages. Another customization you can make is provisioning a standard list of favorites, including folders, to appear in addition to the user’s favorites. If it’s important to keep the favorites in both IE11 and Microsoft Edge synced, you can turn on syncing where changes to the list of favorites in one browser reflect in the other.
+You can customize the favorites bar, for example, you can turn off features such as Save a Favorite and Import settings, and hide or show the favorites bar on all pages. Another customization you can make is provisioning a standard list of favorites, including folders, to appear in addition to the user’s favorites. If it’s important to keep the favorites in both IE11 and Microsoft Edge synced, you can turn on syncing where changes to the list of favorites in one browser reflect in the other.
->[!TIP]
->You can find the Favorites under C:\\Users\\<_username_>\\Favorites.
+> [!TIP]
+> You can find the Favorites under C:\\Users\\<_username_>\\Favorites.
You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:
**Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\**
-## Configure Favorites Bar
+## Configure Favorites Bar
[!INCLUDE [configure-favorites-bar-include](../includes/configure-favorites-bar-include.md)]
-## Keep favorites in sync between Internet Explorer and Microsoft Edge
-[!INCLUDE [keep-fav-sync-ie-edge-include](../includes/keep-fav-sync-ie-edge-include.md)]
+## Keep favorites in sync between Internet Explorer and Microsoft Edge
+[!INCLUDE [keep-fav-sync-ie-edge-include](../includes/keep-fav-sync-ie-edge-include.md)]
## Prevent changes to Favorites on Microsoft Edge
-[!INCLUDE [prevent-changes-to-favorites-include](../includes/prevent-changes-to-favorites-include.md)]
+[!INCLUDE [prevent-changes-to-favorites-include](../includes/prevent-changes-to-favorites-include.md)]
-## Provision Favorites
+## Provision Favorites
[!INCLUDE [provision-favorites-include](../includes/provision-favorites-include.md)]
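Review bot: every changed line in this hunk is identical to the line it replaces apart from whitespace (`> ` spacing and trailing spaces), which is fine, but while touching the front matter it is worth fixing the `description` line: "the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes" is ambiguous and should read something like "is Off by default, but the setting stays enabled so users can change it".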
diff --git a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md
index f1a0929bb3..bd34273cc4 100644
--- a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md
+++ b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md
@@ -7,7 +7,7 @@ manager: dansimp
ms.author: dansimp
author: dansimp
ms.date: 10/02/2018
-ms.reviewer:
+ms.reviewer:
ms.prod: edge
ms.mktglfcycl: explore
ms.sitesec: library
@@ -21,11 +21,10 @@ ms.topic: reference
Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support.
->[!TIP]
->If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly.
-
-**Technology not supported by Microsoft Edge**
+> [!TIP]
+> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly.
+**Technology not supported by Microsoft Edge**
- ActiveX controls
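Review bot: removing the blank line between the TIP blockquote and `**Technology not supported by Microsoft Edge**` changes the rendering: in Markdown a non-blank line directly after a blockquote is a lazy continuation of that blockquote, so the bold heading will be pulled into the TIP callout instead of standing on its own above the list. Keep one blank line after `> If you are running an earlier version of Internet Explorer, ...` before the bold line.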
@@ -39,20 +38,19 @@ Microsoft Edge is the default browser experience for Windows 10 and Windows 10 M
- Legacy document modes
-If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically.
+If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically.
Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
## Relevant group policies
+1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list)
-1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list)
+2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11)
-2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11)
+3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer)
-3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer)
-
-4. [(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge)
+4. [(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge)
You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:
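Review bot: the blank line between list items 3 and 4 is removed while the blank lines between items 1, 2 and 3 are kept, which leaves the list inconsistently spaced; either remove the blank lines between all four items or keep them all. The paired `+`/`-` lines for items 1 to 3 are otherwise identical, so this is a whitespace-only change.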
diff --git a/browsers/edge/includes/configure-home-button-include.md b/browsers/edge/includes/configure-home-button-include.md
index 3082d3014b..90f6acdac2 100644
--- a/browsers/edge/includes/configure-home-button-include.md
+++ b/browsers/edge/includes/configure-home-button-include.md
@@ -1,61 +1,59 @@
----
-author: eavena
-ms.author: eravena
-ms.date: 10/28/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-
->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Show home button and load the Start page)*
-
-
-[!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)]
-
-
-### Supported values
-
-| Group Policy | MDM | Registry | Description |
-|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------|
-| Disabled or not configured **(default)** | 0 | 0 | Load the Start page. |
-| Enabled | 1 | 1 | Load the New Tab page. |
-| Enabled | 2 | 2 | Load the custom URL defined in the Set Home Button URL policy. |
-| Enabled | 3 | 3 | Hide the home button. |
-
----
-
-
->[!TIP]
->If you want to make changes to this policy:
Enable the **Unlock Home Button** policy.
Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
Disable the **Unlock Home Button** policy.
-
-
-### ADMX info and settings
-#### ADMX info
-- **GP English name:** Configure Home Button
-- **GP name:** ConfigureHomeButton
-- **GP element:** ConfigureHomeButtonDropdown
-- **GP path:** Windows Components/Microsoft Edge
-- **GP ADMX file name:** MicrosoftEdge.admx
-
-#### MDM settings
-- **MDM name:** Browser/[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)
-- **Supported devices:** Desktop and Mobile
-- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton
-- **Data type:** Integer
-
-#### Registry settings
-- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
-- **Value name:** ConfigureHomeButton
-- **Value type:** REG_DWORD
-
-### Related policies
-
-- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)]
-
-- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)]
-
-
-
+---
+author: eavena
+ms.author: eravena
+ms.date: 10/28/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+
+> *Supported versions: Microsoft Edge on Windows 10, version 1809*
+> *Default setting: Disabled or not configured (Show home button and load the Start page)*
+
+
+[!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)]
+
+
+### Supported values
+
+| Group Policy | MDM | Registry | Description |
+|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------|
+| Disabled or not configured **(default)** | 0 | 0 | Load the Start page. |
+| Enabled | 1 | 1 | Load the New Tab page. |
+| Enabled | 2 | 2 | Load the custom URL defined in the Set Home Button URL policy. |
+| Enabled | 3 | 3 | Hide the home button. |
+
+---
+
+
+> [!TIP]
+> If you want to make changes to this policy:
Enable the **Unlock Home Button** policy.
Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
Disable the **Unlock Home Button** policy.
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Home Button
+- **GP name:** ConfigureHomeButton
+- **GP element:** ConfigureHomeButtonDropdown
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** ConfigureHomeButton
+- **Value type:** REG_DWORD
+
+### Related policies
+
+- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)]
+- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)]
+
+
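Review bot: the whole file is removed and re-added with `manager: dansimp` as the only unchanged line, which points to a line-ending (CRLF to LF) or trailing-whitespace rewrite rather than a content edit; please confirm that and mention it in the PR description, because the churn hides the real changes (the `> ` spacing in the Supported versions and TIP blocks and the dropped blank line between the two Related policies items). Reviewing with whitespace ignored would show only those lines. The steps under `> If you want to make changes to this policy:` are not prefixed with `>` in the new text, so check that they still render inside the TIP callout as intended.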
diff --git a/browsers/edge/includes/configure-open-edge-with-include.md b/browsers/edge/includes/configure-open-edge-with-include.md
index a86cf568ce..273b7fdea4 100644
--- a/browsers/edge/includes/configure-open-edge-with-include.md
+++ b/browsers/edge/includes/configure-open-edge-with-include.md
@@ -1,68 +1,63 @@
----
-author: eavena
-ms.author: eravena
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-
-
->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled (A specific page or pages)*
-
-[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)]
-
-**Version 1703 or later:** If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL.
-
-**version 1809:** When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.
-
-### Supported values
-
-| Group Policy | MDM | Registry | Description |
-|--------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------|
-| Not configured | Blank | Blank | If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. |
-| Enabled | 0 | 0 | Load the Start page. |
-| Enabled | 1 | 1 | Load the New Tab page. |
-| Enabled | 2 | 2 | Load the previous pages. |
-| Enabled **(default)** | 3 | 3 | Load a specific page or pages. |
-
----
-
-
->[!TIP]
->If you want to make changes to this policy:
Set the **Disabled Lockdown of Start Pages** policy to not configured.
Make changes to the **Configure Open Microsoft With** policy.
Enable the **Disabled Lockdown of Start Pages** policy.
-
-
-
-### ADMX info and settings
-#### ADMX info
-- **GP English name:** Configure Open Microsoft Edge With
-- **GP name:** ConfigureOpenMicrosoftEdgeWith
-- **GP path:** Windows Components/Microsoft Edge
-- **GP ADMX file name:** MicrosoftEdge.admx
-
-#### MDM settings
-- **MDM name:** Browser/[ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)
-- **Supported devices:** Desktop
-- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureOpenEdgeWith
-- **Data type:** Integer
-
-#### Registry settings
-- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
-- **Value name:** ConfigureOpenEdgeWith
-- **Value type:** REG_DWORD
-
-### Related policies
-
-- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)]
-
-- [Disable lockdown of Start pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]
-
-
-
-
-
----
+---
+author: eavena
+ms.author: eravena
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+
+
+> *Supported versions: Microsoft Edge on Windows 10, version 1809*
+> *Default setting: Enabled (A specific page or pages)*
+
+[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)]
+
+**Version 1703 or later:** If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL.
+
+**version 1809:** When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.
+
+### Supported values
+
+| Group Policy | MDM | Registry | Description |
+|--------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------|
+| Not configured | Blank | Blank | If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. |
+| Enabled | 0 | 0 | Load the Start page. |
+| Enabled | 1 | 1 | Load the New Tab page. |
+| Enabled | 2 | 2 | Load the previous pages. |
+| Enabled **(default)** | 3 | 3 | Load a specific page or pages. |
+
+---
+
+> [!TIP]
+> If you want to make changes to this policy:
Set the **Disabled Lockdown of Start Pages** policy to not configured.
Make changes to the **Configure Open Microsoft With** policy.
Enable the **Disabled Lockdown of Start Pages** policy.
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Open Microsoft Edge With
+- **GP name:** ConfigureOpenMicrosoftEdgeWith
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureOpenEdgeWith
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** ConfigureOpenEdgeWith
+- **Value type:** REG_DWORD
+
+### Related policies
+
+- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)]
+- [Disable lockdown of Start pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]
+
+
+---
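Review bot: the "Version 1703 or later" paragraph says "use the \ value", so the value itself is missing; the stray backslash looks like the remains of an escaped `<...>` token whose contents were dropped, and the literal that should be there needs to be restored. Also in this hunk: the TIP steps refer to the **Disabled Lockdown of Start Pages** policy while Related policies names it "Disable lockdown of Start pages", and "**Configure Open Microsoft With**" is missing "Edge"; please align both with the policy names used elsewhere. Minor: "**version 1809:**" should be capitalised like "**Version 1703 or later:**". As in the other include files, the whole file is rewritten with `manager: dansimp` as the only unchanged line, which suggests a line-ending change worth calling out.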
diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md
index fdb0016715..739f15e3be 100644
--- a/browsers/edge/includes/provision-favorites-include.md
+++ b/browsers/edge/includes/provision-favorites-include.md
@@ -1,52 +1,53 @@
----
-author: eavena
-ms.author: eravena
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-
->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Disabled or not configured (Customizable)*
-
-[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)]
-
-
->[!IMPORTANT]
->Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
-
-### Supported values
-
-| Group Policy | Description | Most restricted |
-|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
-| Disabled or not configured **(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | |
-| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.
To define a default list of favorites, do the following:
In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
Click **Import from another browser**, click **Export to file** and save the file.
In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
HTTP location: "SiteList"=
Local network: "SiteList"="\network\shares\URLs.html"
Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
|  |
-
----
-
-### ADMX info and settings
-#### ADMX info
-- **GP English name:** Provision Favorites
-- **GP name:** ConfiguredFavorites
-- **GP element:** ConfiguredFavoritesPrompt
-- **GP path:** Windows Components/Microsoft Edge
-- **GP ADMX file name:** MicrosoftEdge.admx
-
-#### MDM settings
-- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites)
-- **Supported devices:** Desktop
-- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites
-- **Data type:** String
-
-#### Registry settings
-- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites
-- **Value name:** ConfiguredFavorites
-- **Value type:** REG_SZ
-
-### Related policies
-[Keep favorites in sync between Internet Explorer and Microsoft Edge](../available-policies.md#keep-favorites-in-sync-between-internet-explorer-and-microsoft-edge): [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
-
-
+---
+author: eavena
+ms.author: eravena
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+
+> *Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+> *Default setting: Disabled or not configured (Customizable)*
+
+[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)]
+
+
+> [!IMPORTANT]
+> Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
+
+### Supported values
+
+| Group Policy | Description | Most restricted |
+|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
+| Disabled or not configured **(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | |
+| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.
To define a default list of favorites, do the following:
In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
Click **Import from another browser**, click **Export to file** and save the file.
In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
HTTP location: "SiteList"=
Local network: "SiteList"="\network\shares\URLs.html"
Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
|  |
+
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Provision Favorites
+- **GP name:** ConfiguredFavorites
+- **GP element:** ConfiguredFavoritesPrompt
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites
+- **Data type:** String
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites
+- **Value name:** ConfiguredFavorites
+- **Value type:** REG_SZ
+
+### Related policies
+[Keep favorites in sync between Internet Explorer and Microsoft Edge](../available-policies.md#keep-favorites-in-sync-between-internet-explorer-and-microsoft-edge): [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
+
+
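Review bot: the `Enabled` row of the Supported values table is broken across several lines (the steps and the three `"SiteList"=` examples), and a Markdown table cell cannot span lines, so this row will not render as one cell; use `<br>` separators or move the procedure below the table. Within those lines, `HTTP location: "SiteList"=` has no example value at all, the local network path `"\network\shares\URLs.html"` needs a leading `\\` to be a UNC path, and "the location that points the file" should read "points to the file". The Related policies section here is a bare paragraph where the sibling includes use a bullet list; pick one style. Same whole-file rewrite pattern as the other includes (only `manager: dansimp` unchanged), so please note the line-ending change in the PR.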
diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md
index 2d8195f03e..0f909d31d7 100644
--- a/browsers/edge/includes/send-all-intranet-sites-ie-include.md
+++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md
@@ -1,62 +1,63 @@
----
-author: eavena
-ms.author: eravena
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-
->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured*
-
-[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)]
-
->[!TIP]
->Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager.
-
-
-### Supported values
-
-| Group Policy | MDM | Registry | Description | Most restricted |
-|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
-| Disabled or not configured **(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. |  |
-| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.
Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.
In Group Policy Editor, navigate to:
**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**
Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.
A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.
| |
-
----
-
-
-### ADMX info and settings
-#### ADMX info
-- **GP English name:** Send all intranet sites to Internet Explorer 11
-- **GP name:** SendIntranetTraffictoInternetExplorer
-- **GP path:** Windows Components/Microsoft Edge
-- **GP ADMX file name:** MicrosoftEdge.admx
-
-#### MDM settings
-- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer)
-- **Supported devices:** Desktop
-- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer
-- **Data type:** Integer
-
-#### Registry settings
-- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
-- **Value name:** SendIntranetTraffictoInternetExplorer
-- **Value type:** REG_DWORD
-
-### Related Policies
-- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)]
-
-- [Show message when opening sites in Internet Explorer](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)]
-
-
-### Related topics
-- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge.
-
-- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company.
-
-- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
-
-
+---
+author: eavena
+ms.author: eravena
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+
+> *Supported versions: Microsoft Edge on Windows 10*
+> *Default setting: Disabled or not configured*
+
+[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)]
+
+> [!TIP]
+> Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager.
+
+
+### Supported values
+
+| Group Policy | MDM | Registry | Description | Most restricted |
+|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
+| Disabled or not configured **(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. |  |
+| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.
Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.
In Group Policy Editor, navigate to:
**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**
Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.
A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.
| |
+
+---
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Send all intranet sites to Internet Explorer 11
+- **GP name:** SendIntranetTraffictoInternetExplorer
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** SendIntranetTraffictoInternetExplorer
+- **Value type:** REG_DWORD
+
+### Related Policies
+- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)]
+
+- [Show message when opening sites in Internet Explorer](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)]
+
+
+### Related topics
+- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge.
+
+- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company.
+
+- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
+
+
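Review bot: the Enabled row of the Supported values table (starting `| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.`) is still split across six lines in the re-added version, which breaks the Markdown table; join the description onto one line, using `<br>` for the line breaks, so that the closing `| |` cell sits on the same row. Since every line of the file is removed and re-added while the only visible content change is `>*Supported versions:` becoming `> *Supported versions:`, this looks like a line-ending change; normalizing line endings in a separate commit (or via `.gitattributes`) would let reviewers see the real edit. While the file is being touched: `needs IE11 to run` in the TIP should read `need IE11 to run`, and the navigation instruction in the Enabled row points at `File Explorer\Set a default associations configuration file` whereas the ADMX info below gives the GP path as `Windows Components/Microsoft Edge`; worth confirming which policy the steps are meant to describe.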
diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
index c4141688d8..8249262926 100644
--- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
+++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
@@ -1,8 +1,8 @@
---
title: Deploy Microsoft Edge Legacy kiosk mode
description: Microsoft Edge Legacy kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge Legacy kiosk mode, you must configure Microsoft Edge Legacy as an application in assigned access.
-ms.assetid:
-ms.reviewer:
+ms.assetid:
+ms.reviewer:
audience: itpro
manager: dansimp
author: dansimp
@@ -16,28 +16,28 @@ ms.date: 01/17/2020
# Deploy Microsoft Edge Legacy kiosk mode
->Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later
->Professional, Enterprise, and Education
+> Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later
+> Professional, Enterprise, and Education
> [!NOTE]
> You've reached the documentation for Microsoft Edge Legacy (version 45 and earlier.) To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). For information about kiosk mode in the new version of Microsoft Edge, see [Microsoft Edge kiosk mode](https://docs.microsoft.com/DeployEdge/microsoft-edge-kiosk-mode).
In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge Legacy as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge Legacy in kiosk mode.
-In this topic, you'll learn:
+In this topic, you'll learn:
- How to configure the behavior of Microsoft Edge Legacy when it's running in kiosk mode with assigned access.
-- What's required to run Microsoft Edge Legacy kiosk mode on your kiosk devices.
-- You'll also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or an other MDM service.
+- What's required to run Microsoft Edge Legacy kiosk mode on your kiosk devices.
+- You'll also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or an other MDM service.
-At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support.
+At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support.
## Kiosk mode configuration types
->**Policy** = Configure kiosk mode (ConfigureKioskMode)
+> **Policy** = Configure kiosk mode (ConfigureKioskMode)
-Microsoft Edge Legacy kiosk mode supports four configurations types that depend on how Microsoft Edge Legacy is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario.
+Microsoft Edge Legacy kiosk mode supports four configurations types that depend on how Microsoft Edge Legacy is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario.
- Learn about [creating a kiosk experience](https://docs.microsoft.com/windows-hardware/customize/enterprise/create-a-kiosk-image)
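Review bot: the re-added lines keep the original typos: `using either Windows Setting or Microsoft Intune or an other MDM service` should read `Windows Settings` and `another MDM service`, `four configurations types` should be `four configuration types`, and `You also find instructions` should be `You'll also find instructions`. Since these lines are being rewritten anyway, fix them here rather than leaving a whitespace-only change.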
@@ -50,9 +50,9 @@ Microsoft Edge Legacy kiosk mode supports four configurations types that depend
### Important things to note before getting started
-- There are [required steps to follow](#setup- required-for-microsoft-edge-legacy-kiosk-mode) in order to use the following Microsoft Edge Legacy kiosk mode types either alongside the new version of Microsoft Edge or prevent the new version of Microsoft Edge from being installed on your kiosk device.
+- There are [required steps to follow](#setup- required-for-microsoft-edge-legacy-kiosk-mode) in order to use the following Microsoft Edge Legacy kiosk mode types either alongside the new version of Microsoft Edge or prevent the new version of Microsoft Edge from being installed on your kiosk device.
-- The public browsing kiosk types run Microsoft Edge Legacy InPrivate mode to protect user data with a browsing experience designed for public kiosks.
+- The public browsing kiosk types run Microsoft Edge Legacy InPrivate mode to protect user data with a browsing experience designed for public kiosks.
- Microsoft Edge Legacy kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue, and if no user activity Microsoft Edge Legacy resets the session to the default URL. By default, the idle timer is 5 minutes, but you can choose a value of your own.
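Review bot: the anchor in `[required steps to follow](#setup- required-for-microsoft-edge-legacy-kiosk-mode)` contains a space, so the link will not resolve, and the added line preserves the broken anchor. The heading in this same file is `### Setup required for Microsoft Edge Legacy kiosk mode`, so the target should be `#setup-required-for-microsoft-edge-legacy-kiosk-mode`.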
@@ -67,7 +67,7 @@ Microsoft Edge Legacy kiosk mode supports four configurations types that depend
- [Guidelines for choosing an app for assigned access (kiosk mode)](https://aka.ms/Ul7dw3).
-### Supported configuration types
+### Supported configuration types
[!INCLUDE [configure-kiosk-mode-supported-values-include](includes/configure-kiosk-mode-supported-values-include.md)]
@@ -75,9 +75,9 @@ Microsoft Edge Legacy kiosk mode supports four configurations types that depend
Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge Legacy kiosk mode:
-- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service.
+- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service.
-- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge Legacy kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode).
+- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge Legacy kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode).
### Prerequisites
@@ -89,14 +89,14 @@ Now that you're familiar with the different kiosk mode configurations and have t
- URL to load when the kiosk launches. The URL that you provide sets the Home button, Start page, and New Tab page.
- _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge Legacy:
-
+
```
Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
```
### Setup required for Microsoft Edge Legacy kiosk mode
-When the new version of Microsoft Edge Stable channel is installed, Microsoft Edge Legacy is hidden and all attempts to launch Microsoft Edge Legacy are redirected to the new version of Microsoft Edge.
+When the new version of Microsoft Edge Stable channel is installed, Microsoft Edge Legacy is hidden and all attempts to launch Microsoft Edge Legacy are redirected to the new version of Microsoft Edge.
To continue using Microsoft Edge Legacy kiosk mode on your kiosk devices take one of the following actions:
@@ -104,11 +104,11 @@ To continue using Microsoft Edge Legacy kiosk mode on your kiosk devices take on
- To prevent Microsoft Edge Stable channel from being installed on your kiosk devices deploy the Microsoft Edge [Allow installation default](https://docs.microsoft.com/DeployEdge/microsoft-edge-update-policies#installdefault) policy for Stable channel or consider using the [Blocker toolkit](https://docs.microsoft.com/DeployEdge/microsoft-edge-blocker-toolkit) to disable automatic delivery of Microsoft Edge.
> [!NOTE]
-> For more information about accessing Microsoft Edge Legacy after installing Microsoft Edge, see [How to access the old version of Microsoft Edge](https://docs.microsoft.com/DeployEdge/microsoft-edge-sysupdate-access-old-edge).
+> For more information about accessing Microsoft Edge Legacy after installing Microsoft Edge, see [How to access the old version of Microsoft Edge](https://docs.microsoft.com/DeployEdge/microsoft-edge-sysupdate-access-old-edge).
### Use Windows Settings
-Windows Settings is the simplest and the only way to set up one or a couple of single-app devices.
+Windows Settings is the simplest and the only way to set up one or a couple of single-app devices.
1. On the kiosk device, open Windows Settings, and in the search field type **kiosk** and then select **Set up a kiosk (assigned access)**.
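Review bot: `Windows Settings is the simplest and the only way to set up one or a couple of single-app devices.` contradicts the method list earlier in this file, which says Microsoft Intune or other MDM service can be used `to set up several single-app or multi-app kiosk devices`; suggest `Windows Settings is the simplest way to set up one or a couple of single-app devices.`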
@@ -120,9 +120,9 @@ Windows Settings is the simplest and the only way to set up one or a couple of s
5. Select how Microsoft Edge Legacy displays when running in kiosk mode:
- - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge Legacy InPrivate protecting user data.
+ - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge Legacy InPrivate protecting user data.
- - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge Legacy, protecting user data.
+ - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge Legacy, protecting user data.
6. Select **Next**.
@@ -136,23 +136,23 @@ Windows Settings is the simplest and the only way to set up one or a couple of s
11. Restart the kiosk device and sign in with the local kiosk account to validate the configuration.
-**_Congratulations!_**
You’ve just finished setting up a single-app kiosk device using Windows Settings.
+**_Congratulations!_**
You’ve just finished setting up a single-app kiosk device using Windows Settings.
-**_What's next?_**
+**_What's next?_**
- User your new kiosk device.
OR
- Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge Legacy**.
----
+---
### Use Microsoft Intune or other MDM service
With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge Legacy kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add).
->[!IMPORTANT]
->If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device.
+> [!IMPORTANT]
+> If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device.
1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps.
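Review bot: `- User your new kiosk device.` in the unchanged context should be `- Use your new kiosk device.`; the hunk reorders the `**_Congratulations!_**` line but leaves the typo two lines below it. The `----` to `---` change is harmless (both render as a horizontal rule), but the bare `OR` line between the two bullets renders as a loose paragraph; consider folding it into the second bullet.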
@@ -166,7 +166,7 @@ With this method, you can use Microsoft Intune or other MDM services to configur
| **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**
 | Configure how the Home Button behaves.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton
**Data type:** Integer
**Allowed values:**
**0 (default)** - Not configured. Show home button, and load the default Start page.
**1** - Enabled. Show home button and load New Tab page
**2** - Enabled. Show home button & set a specific page.
 | If you set ConfigureHomeButton to 2, configure the home button URL.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.bing.com |
| **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**
 | Set a custom URL for the New Tab page.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.msn.com |
-
+
**_Congratulations!_**
You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge Legacy kiosk mode using Microsoft Intune or other MDM service.
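Review bot: the policy table in this hunk's context (the rows beginning `| **[ConfigureHomeButton]` and `| **[SetNewTabPageURL]`) has its cells split across lines, so the Markdown table will not render; the only change made here is trailing whitespace on a blank line. Since the file is already being edited, join each row onto one line with `<br>` between the `URI full path`, `Data type` and `Allowed values` entries.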
@@ -177,7 +177,7 @@ With this method, you can use Microsoft Intune or other MDM services to configur
## Supported policies for kiosk mode
-Use any of the Microsoft Edge Legacy policies listed below to enhance the kiosk experience depending on the Microsoft Edge Legacy kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
+Use any of the Microsoft Edge Legacy policies listed below to enhance the kiosk experience depending on the Microsoft Edge Legacy kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
Make sure to check with your provider for instructions.
@@ -251,18 +251,18 @@ Make sure to check with your provider for instructions.
 = Not applicable or not supported
 = Supported
----
+---
## Feature comparison of kiosk mode and kiosk browser app
In the following table, we show you the features available in both Microsoft Edge Legacy kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access.
-| **Feature** | **Microsoft Edge Legacy kiosk mode** | **Microsoft Kiosk browser app** |
+| **Feature** | **Microsoft Edge Legacy kiosk mode** | **Microsoft Kiosk browser app** |
|-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:|
| Print support |  |  |
| Multi-tab support |  |  |
-| Allow/Block URL support |   |
+| Allow/Block URL support |  |  |
| Configure Home Button |  |  |
| Set Start page(s) URL |  | 
*Same as Home button URL* |
| Set New Tab page URL |  |  |
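Review bot: the `Allow/Block URL support` fix (adding the missing cell separator so the row has three cells) is correct, but the neighbouring `| Set Start page(s) URL |  | ` row is still split before `*Same as Home button URL* |`, which breaks the table; join it with `<br>`. The legend lines ` = Not applicable or not supported` and ` = Supported` show up in the diff starting with a blank, so check that their icon references are intact in the rendered page.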
@@ -280,6 +280,6 @@ To prevent access to unwanted websites on your kiosk device, use Windows Defende
## Provide feedback or get support
-To provide feedback on Microsoft Edge Legacy kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
+To provide feedback on Microsoft Edge Legacy kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
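Review bot: `you can you submit the feedback` in the context line has a doubled `you`; it should read `you can submit the feedback`. Also `the device running Microsoft Edge in kiosk mode` should say `Microsoft Edge Legacy` for consistency with the rest of this article.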
diff --git a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
index 91065aa687..35f4b5ac73 100644
--- a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
+++ b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
@@ -1,12 +1,13 @@
---
author: dansimp
ms.author: dansimp
-ms.date: 10/02/2018
+ms.date: 04/23/2020
ms.reviewer:
-audience: itpro
manager: dansimp
+audience: itpro
+manager: dansimp
ms.prod: edge
ms.topic: include
---
-[Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy):
-This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
+[Microsoft browser extension policy](https://docs.microsoft.com/legal/microsoft-edge/microsoft-browser-extension-policy):
+This article describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content these browsers display. Techniques that aren't explicitly listed in this article are considered to be **unsupported**.
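Review bot: the front matter now contains `manager: dansimp` twice (the unchanged line following `ms.reviewer:` plus the newly added `+manager: dansimp`), which is a duplicate YAML key; drop one. The removed `-audience: itpro` is re-added below, so the intent was presumably to reorder the keys, not to duplicate `manager`. The link target also changes from `legal/windows/agreements/microsoft-browser-extension-policy` to `legal/microsoft-edge/microsoft-browser-extension-policy`; confirm the new path resolves before the old one is dropped.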
diff --git a/browsers/edge/web-app-compat-toolkit.md b/browsers/edge/web-app-compat-toolkit.md
index 8ec157e607..00e7a02d51 100644
--- a/browsers/edge/web-app-compat-toolkit.md
+++ b/browsers/edge/web-app-compat-toolkit.md
@@ -1,6 +1,6 @@
---
title: Web Application Compatibility lab kit
-ms.reviewer:
+ms.reviewer:
audience: itpro
manager: dansimp
description: Learn how to use the web application compatibility toolkit for Microsoft Edge.
@@ -14,7 +14,7 @@ ms.localizationpriority: high
# Web Application Compatibility lab kit
->Updated: October, 2017
+> Updated: October, 2017
Upgrading web applications to modern standards is the best long-term solution to ensure compatibility with today’s web browsers, but using backward compatibility can save time and money. Internet Explorer 11 has features that can ease your browser and operating system upgrades, reducing web application testing and remediation costs. On Windows 10, you can standardize on Microsoft Edge for faster, safer browsing and fall back to Internet Explorer 11 just for sites that need backward compatibility.
@@ -22,7 +22,7 @@ The Web Application Compatibility Lab Kit is a primer for the features and techn
The Web Application Compatibility Lab Kit includes:
-- A pre-configured Windows 7 and Windows 10 virtual lab environment with:
+- A pre-configured Windows 7 and Windows 10 virtual lab environment with:
- Windows 7 Enterprise Evaluation
- Windows 10 Enterprise Evaluation (version 1607)
- Enterprise Mode Site List Manager
@@ -36,10 +36,10 @@ Depending on your environment, your web apps may "just work” using the methods
There are two versions of the lab kit available:
-- Full version (8 GB) - includes a complete virtual lab environment
+- Full version (8 GB) - includes a complete virtual lab environment
- Lite version (400 MB) - includes guidance for running the Lab Kit on your own Windows 7 or Windows 10 operating system
-The Web Application Compatibility Lab Kit is also available in the following languages:
+The Web Application Compatibility Lab Kit is also available in the following languages:
- Chinese (Simplified)
- Chinese (Traditional)
@@ -48,11 +48,11 @@ The Web Application Compatibility Lab Kit is also available in the following lan
- Italian
- Japanese
- Korean
-- Portuguese (Brazil)
+- Portuguese (Brazil)
- Russian
- Spanish
[DOWNLOAD THE LAB KIT](https://www.microsoft.com/evalcenter/evaluate-windows-10-web-application-compatibility-lab)
->[!TIP]
->Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space.
+> [!TIP]
+> Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space.
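Review bot: `Please use a broad bandwidth to download this content to enhance your downloading experience.` is awkward in the re-added TIP; suggest `Download this content over a high-bandwidth connection.` and `Lab environment requires` should read `The lab environment requires`.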
diff --git a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
index cbfc5f11b5..867bb143b8 100644
--- a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
+++ b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
@@ -8,7 +8,7 @@ ms.prod: ie11
title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer:
manager: dansimp
ms.author: dansimp
---
@@ -17,16 +17,16 @@ ms.author: dansimp
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal.
->[!Important]
->Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+> [!Important]
+> Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
**To create a new change request**
1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**.
@@ -36,7 +36,7 @@ Employees assigned to the Requester role can create a change request. A change r
2. Fill out the required fields, based on the group and the app, including:
- **Group name.** Select the name of your group from the dropdown box.
-
+
- **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List.
- **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list.
@@ -58,16 +58,16 @@ Employees assigned to the Requester role can create a change request. A change r
- **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes.
- **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx).
-
+
4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing.
-
+
A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list.
5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct.
- **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**.
-
+
- **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator.
## Next steps
-After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic.
+After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md).
diff --git a/browsers/enterprise-mode/enterprise-mode-features-include.md b/browsers/enterprise-mode/enterprise-mode-features-include.md
index 8090fc9ba8..9da0e79778 100644
--- a/browsers/enterprise-mode/enterprise-mode-features-include.md
+++ b/browsers/enterprise-mode/enterprise-mode-features-include.md
@@ -1,4 +1,5 @@
### Enterprise Mode features
+
Enterprise Mode includes the following features:
- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes.
@@ -8,9 +9,9 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso
- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.
- >[!Important]
- >All centrally-made decisions override any locally-made choices.
+ > [!Important]
+ > All centrally-made decisions override any locally-made choices.
- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
-- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
\ No newline at end of file
+- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
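Review bot: the Data gathering line is deleted and re-added only to fix the missing newline at end of file, but since it is being rewritten anyway, fix the splice in it: "from key users; gathering their findings" should be "from key users, gathering their findings". For the `> [!Important]` block moved in the same hunk, it belongs to the Centralized control bullet, so make sure it keeps its indentation under that bullet; at column zero it renders as a top-level note detached from the list item. Also "centrally-made" and "locally-made" do not need the hyphen after an -ly adverb ("centrally made", "locally made").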
diff --git a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
index a72f720a3f..3e06b8b806 100644
--- a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
+++ b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
@@ -8,7 +8,7 @@ ms.prod: ie11
title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer:
manager: dansimp
ms.author: dansimp
---
@@ -17,18 +17,18 @@ ms.author: dansimp
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
->[!Important]
->This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+> [!Important]
+> This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including:
-- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
+- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment.
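Review bot: missing documentation in the **EMIE_RegKey** bullet: it says the emailed batch file "sets the registry key" without saying which key is written, while the Important note just above says the Requester runs it on a machine where they hold Administrator rights. Name the key, or link the page that documents it (the deploy guide's "Turn on local control and logging for Enterprise Mode" already describes the Enterprise Mode site-list registry key), so a Requester can open the script they received by email and confirm it changes only that value before running it elevated. The comma is also misplaced: "A batch file that when run, sets" should be "A batch file that, when run, sets".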
diff --git a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
index 22464cc569..31961c97a1 100644
--- a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
+++ b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
@@ -1,22 +1,23 @@
----
-author: eavena
-ms.author: eravena
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager.
-
->[!IMPORTANT]
->Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do.
-
-1. In the Enterprise Mode Site List Manager, click **File \> Import**.
-
-2. Go to the exported .EMIE file.
For example, `C:\users\\documents\sites.emie`
-
-1. Click **Open**.
-
-2. Review the alert message about all of your entries being overwritten and click **Yes**.
+---
+author: eavena
+ms.author: eravena
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager.
+
+> [!IMPORTANT]
+> Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do.
+
+1. In the Enterprise Mode Site List Manager, click **File \> Import**.
+
+2. Go to the exported .EMIE file.
For example, `C:\users\\documents\sites.emie`
+
+1. Click **Open**.
+
+2. Review the alert message about all of your entries being overwritten and click **Yes**.
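Review bot: every line of this include is deleted and re-added unchanged except for the `>` spacing in the IMPORTANT note, which indicates a line-ending rewrite (CRLF to LF) rather than a content edit; confirm that is intended and consistent with the repo's .gitattributes, or the next editor on Windows will flip the whole file back. Since the file is being rewritten anyway, fix its content too: the steps are numbered 1, 2, 1, 2 and should run 1 to 4; "make sure it's what want to do" is missing "you"; and the example path `C:\users\\documents\sites.emie` has a doubled backslash with nothing between `users` and `documents` (a context line, but it is the only example path on the page).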
diff --git a/browsers/includes/interoperability-goals-enterprise-guidance.md b/browsers/includes/interoperability-goals-enterprise-guidance.md
index 04470d33af..407e07bf91 100644
--- a/browsers/includes/interoperability-goals-enterprise-guidance.md
+++ b/browsers/includes/interoperability-goals-enterprise-guidance.md
@@ -26,8 +26,8 @@ You must continue using IE11 if web apps use any of the following:
If you have uninstalled IE11, you can download it from the Microsoft Store or the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11.
->[!TIP]
->If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714).
+> [!TIP]
+> If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714).
|Technology |Why it existed |Why we don't need it anymore |
@@ -38,4 +38,3 @@ If you have uninstalled IE11, you can download it from the Microsoft Store or th
---
-
diff --git a/browsers/internet-explorer/TOC.md b/browsers/internet-explorer/TOC.md
index 28a0957588..060f6ffb99 100644
--- a/browsers/internet-explorer/TOC.md
+++ b/browsers/internet-explorer/TOC.md
@@ -47,6 +47,7 @@
#### [Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md)
#### [Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
#### [Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
+#### [Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md)
### [Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md)
#### [Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md)
##### [Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md)
@@ -187,5 +188,4 @@
### [Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md)
## KB Troubleshoot
-### [Clear the Internet Explorer cache from a command line](kb-support/clear-ie-cache-from-command-line.md)
### [Internet Explorer and Microsoft Edge FAQ for IT Pros](kb-support/ie-edge-faqs.md)
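Review bot: the TOC entry for kb-support/clear-ie-cache-from-command-line.md is removed, but no deletion of that file appears in this diff, which leaves the page orphaned (still served at its URL, unreachable from navigation). Either delete the file and add a redirect for its URL, or keep the entry; if the page is being retired, the redirection file change in this PR should cover it.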
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
index 46a8edef5e..0977b87b94 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
@@ -7,7 +7,8 @@ author: dansimp
ms.prod: ie11
ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b
ms.reviewer:
-audience: itpro
manager: dansimp
+audience: itpro
+manager: dansimp
ms.author: dansimp
title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros)
ms.sitesec: library
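Review bot: duplicate YAML key in the front matter: the hunk removes `audience: itpro`, keeps the existing `manager: dansimp` as unchanged context, and then adds both `audience: itpro` and `manager: dansimp` after it, so the resulting front matter contains `manager: dansimp` twice. Drop the added `+manager: dansimp` line (or the original one) so `manager` appears once; depending on the YAML parser a duplicate key is either rejected or silently resolved last-wins.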
@@ -57,16 +58,20 @@ You can add individual sites to your compatibility list by using the Enterprise
5. In conjunction with the compatibility mode, you'll need to use the **Open in** box to pick which browser opens the site.
- - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee.
+ - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee. If you have enabled [Internet Explorer mode integration on Microsoft Edge](https://docs.microsoft.com/deployedge/edge-ie-mode), this option will open sites in Internet Explorer mode.
- **MSEdge**. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
- **None**. Opens in whatever browser the employee chooses.
-6. Click **Save** to validate your website and to add it to the site list for your enterprise.
+6. If you have enabled [Internet Explorer mode integration on Microsoft Edge](https://docs.microsoft.com/deployedge/edge-ie-mode), and you have sites that still need to opened in the standalone Internet Explorer 11 application, you can check the box for **Standalone IE**. This checkbox is only relevant when associated to 'Open in' IE11. Checking the box when 'Open In' is set to MSEdge or None will not change browser behavior.
+
+7. The checkbox **Allow Redirect** applies to the treatment of server side redirects. If you check this box, server side redirects will open in the browser specified by the open-in tag. For more information, see [here](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance#updated-schema-attributes).
+
+8. Click **Save** to validate your website and to add it to the site list for your enterprise.
If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
-7. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
+9. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
## Next steps
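Review bot: wording and link problems in the new steps 6 and 7. In step 6, "sites that still need to opened" should be "still need to be opened", and "only relevant when associated to 'Open in' IE11" should read "only applies when **Open in** is set to IE11", using bold for the UI label as the rest of the page does instead of single quotes. In step 7, the link text "here" should be descriptive, for example "see [Updated schema attributes](...)", and the target is a page in this same guide (enterprise-mode-schema-version-2-guidance.md), so use a relative link like the other links in this file rather than the absolute docs.microsoft.com URL. Step 7 should also spell out what the admin is opting into: as written, checking the box sends a server-side redirect's destination to the open-in browser, so say whether that destination needs its own site-list entry, since that is the decision an admin has to make before enabling it. Finally, steps 6 and 7 became 8 and 9; check that nothing else in the guide refers to the old step numbers.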
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
index d15192b9d3..278408ab38 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
@@ -8,7 +8,7 @@ ms.prod: ie11
title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer:
audience: itpro
manager: dansimp
ms.author: dansimp
@@ -18,16 +18,16 @@ ms.author: dansimp
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal.
->[!Important]
->Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+> [!Important]
+> Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
**To create a new change request**
1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**.
@@ -37,7 +37,7 @@ Employees assigned to the Requester role can create a change request. A change r
2. Fill out the required fields, based on the group and the app, including:
- **Group name.** Select the name of your group from the dropdown box.
-
+
- **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List.
- **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list.
@@ -59,16 +59,17 @@ Employees assigned to the Requester role can create a change request. A change r
- **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes.
- **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx).
-
+
4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing.
-
+
A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list.
5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct.
- **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**.
-
+
- **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator.
## Next steps
-After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic.
+
+After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md).
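Review bot: two context lines in this hunk are worth fixing while the Next steps sentence is rewritten: in step 5, "an email with a batch script, that when run, configures" should be "an email with a batch script that, when run, configures"; and "The Requester can rollback the change" uses the noun form where the verb "roll back" is needed.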
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png b/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png
index d2508016be..7626296e87 100644
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png and b/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
new file mode 100644
index 0000000000..bb22b43b3f
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
@@ -0,0 +1,47 @@
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: How to use Site List Manager to review neutral sites for IE mode
+author: dansimp
+ms.prod: ie11
+ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager
+ms.sitesec: library
+ms.date: 04/02/2020
+---
+
+# Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager
+
+**Applies to:**
+
+- Windows 10
+- Windows 8
+- Windows Server 2012 R2
+- Microsoft Edge version 77 or later
+
+> [!NOTE]
+> This feature is available on the Enterprise Mode Site List Manager version 11.0.
+
+## Overview
+
+While converting your site from v.1 schema to v.2 schema using the latest version of the Enterprise Mode Site List Manager, sites with the *doNotTransition=true* in v.1 convert to *open-in=None* in the v.2 schema, which is characterized as a "neutral site". This is the expected behavior for conversion unless you are using Internet Explorer mode (IE mode). When IE mode is enabled, only authentication servers that are used for modern and legacy sites should be set as neutral sites. For more information, see [Configure neutral sites](https://docs.microsoft.com/deployedge/edge-ie-mode-sitelist#configure-neutral-sites). Otherwise, a site meant to open in Edge might potentially be tagged as neutral, which results in inconsistent experiences for users.
+
+The Enterprise Mode Site List Manager provides the ability to flag sites that are listed as neutral sites, but might have been added in error. This check is automatically performed when you are converting from v.1 to v.2 through the tool. This check might flag sites even if there was no prior schema conversion.
+
+## Flag neutral sites
+
+To identify neutral sites to review:
+
+1. In the Enterprise Mode Site List Manager (schema v.2), click **File > Flag neutral sites**.
+2. If selecting this option has no effect, there are no sites that needs to be reviewed. Otherwise, you will see a message **"Engine neutral sites flagged for review"**. When a site is flagged, you can assess if the site needs to be removed entirely, or if it needs the open-in attribute changed from None to MSEdge.
+3. If you believe that a flagged site is correctly configured, you can edit the site entry and click on **"Clear Flag"**. Once you select that option for a site, it will not be flagged again.
+
+## Related topics
+
+- [About IE Mode](https://docs.microsoft.com/deployedge/edge-ie-mode)
+- [Configure neutral sites](https://docs.microsoft.com/deployedge/edge-ie-mode-sitelist#configure-neutral-sites)
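Review bot: the Applies to list on the new page says "Windows 8" where every other page in this PR says "Windows 8.1", and the what-is-enterprise-mode hunk later in this diff states the tool is supported on Windows 7, Windows 8.1, and Windows 10; confirm 8.1 was meant, and confirm Windows 7 and Windows Server 2008 R2 are intentionally omitted here. In step 2, "there are no sites that needs to be reviewed" should be "need", and the quoted UI message **"Engine neutral sites flagged for review"** reads like a typo; confirm the exact string the tool displays before publishing it in bold quotes. In the Overview, *doNotTransition=true* and *open-in=None* are schema attributes and should be in code formatting rather than italics, matching how the guide treats attributes elsewhere. The NOTE says the feature "is available on the Enterprise Mode Site List Manager version 11.0" while the table row added to use-the-enterprise-mode-site-list-manager.md in this same PR says "version 11.0 or later"; pick one wording.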
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
index 58ffc300ce..3cbc140f4b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
@@ -26,7 +26,7 @@ ms.date: 12/04/2017
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
-Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
@@ -49,12 +49,14 @@ The following topics give you more information about the things that you can do
|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the WEnterprise Mode Site List Manager (schema v.1). |
|[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) |How to edit the compatibility mode for specific websites.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) |How to fix common site list validation errors.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
+|[Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](review-neutral-sites-with-site-list-manager.md) |How to flag sites listed as neutral, to ensure that they are intentional and not a result of schema conversion. This topic applies to the Enterprise Mode Site List Manager version 11.0 or later. |
|[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to look to see if a site is already in your global Enterprise Mode site list.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Save your site list to XML in the Enterprise Mode Site List Manager](save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) |How to save a site list as XML, so you can deploy and use it with your managed systems.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) |How to export your site list so you can transfer your data and contents to someone else.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](import-into-the-enterprise-mode-site-list-manager.md) |How to import your site list to replace a corrupted or out-of-date list.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete a website from your site list.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete all of the websites in a site list.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
+| [Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](review-neutral-sites-with-site-list-manager.md)|How to flag sites listed as neutral, to ensure that they are intentional and not a result of schema conversion.
This topic applies to the latest version of the Enterprise Mode Site List Manager.
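Review bot: the "Review neutral sites" row is added to the same table twice, once after "Fix validation problems" and again after "Remove all sites", and the second copy is malformed: its description line does not end with the closing `|`, and its version wording ("the latest version") disagrees with the first copy ("version 11.0 or later") and with the new page's own NOTE ("version 11.0"). Keep one row, close it with `|`, and use one version statement. While in this table, the unchanged "Add multiple sites ... (schema v.1)" row has the typo "WEnterprise Mode Site List Manager".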
## Related topics
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
index 8a161b2ffb..a3fce1731d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
@@ -8,7 +8,7 @@ ms.prod: ie11
title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer:
audience: itpro
manager: dansimp
ms.author: dansimp
@@ -18,18 +18,18 @@ ms.author: dansimp
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
->[!Important]
->This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+> [!Important]
+> This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including:
-- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
+- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment.
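Review bot: this file is a duplicate of browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md, which this PR edits with an identical hunk (same Applies to list, same Important note, same **EMIE_RegKey** and **Test steps** bullets). Two copies edited in lockstep will drift; the repo already keeps shared text under browsers/includes/, so consider moving the shared body there and including it from both pages. The comment on the other copy, that the **EMIE_RegKey** bullet should say which registry key the emailed script sets so the Requester can check it before running it elevated, applies here too.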
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index da309b68cd..1a2c6fc17a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -20,11 +20,11 @@ ms.date: 10/25/2018
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
@@ -33,7 +33,7 @@ If you have specific websites and apps that you know have compatibility problems
Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
->[!TIP]
+> [!TIP]
> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly.
For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List.
@@ -54,8 +54,8 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso
- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.
- >[!Important]
- >All centrally-made decisions override any locally-made choices.
+ > [!Important]
+ > All centrally-made decisions override any locally-made choices.
- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
@@ -121,11 +121,11 @@ There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and
- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema.
- We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
+ We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema.
- If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+ If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal.
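Review bot: While touching the `If you open a v.1 version ...` line under the schema v.2 bullet, check the link target: it points at `enterprise-mode-schema-version-1-guidance.md`, although the bullet describes the v.2 tool and the preceding bullet already links the v.2 guidance for the migration. If the v.1 link is intended (to explain what the old schema looked like before the automatic upgrade), a short clause saying so would help; otherwise it should link the v.2 guidance. Minor: `it will update the schema to v.2, automatically` reads better without the comma.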
diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
index a4cb639bc5..e35b64b8a4 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
@@ -5,8 +5,8 @@ description: Get answers to commonly asked questions about the Internet Explorer
author: dansimp
ms.author: dansimp
ms.prod: ie11
-ms.assetid:
-ms.reviewer:
+ms.assetid:
+ms.reviewer:
audience: itpro
manager: dansimp
title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
@@ -16,50 +16,50 @@ ms.date: 05/10/2018
# Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
-Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
+Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
->[!Important]
->If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
+> [!Important]
+> If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
-- [Automatic updates delivery process](#automatic-updates-delivery-process)
+- [Automatic updates delivery process](#automatic-updates-delivery-process)
-- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works)
+- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works)
-- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services)
+- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services)
## Automatic Updates delivery process
-**Q. Which users will receive Internet Explorer 11 as an important update?**
-A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md).
-
-**Q. When is the Blocker Toolkit available?**
-A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
-
-**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?**
-A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx).
-
-**Q. How long does the blocker mechanism work?**
-A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed.
-
-**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?**
-A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers.
-
+**Q. Which users will receive Internet Explorer 11 as an important update?**
+A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md).
+
+**Q. When is the Blocker Toolkit available?**
+A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
+
+**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?**
+A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx).
+
+**Q. How long does the blocker mechanism work?**
+A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed.
+
+**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?**
+A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers.
+
The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to download and install in companies that can’t use WSUS, Configuration Manager, or
-other update management solution.
-
-**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?**
+other update management solution.
+
+**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?**
A. Blocking the Windows Update or Microsoft Update URLs also stops delivery of critical security and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable.
## How the Internet Explorer 11 Blocker Toolkit works
-**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?**
-A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary.
-
-**Q. What’s the registry key used to block delivery of Internet Explorer 11?**
-A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0
-
-**Q. What’s the registry key name and values?**
+**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?**
+A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary.
+
+**Q. What’s the registry key used to block delivery of Internet Explorer 11?**
+A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0
+
+**Q. What’s the registry key name and values?**
The registry key name is **DoNotAllowIE11**, where:
- A value of **1** turns off the automatic delivery of Internet Explorer 11 using Automatic Updates and turns off the Express install option.
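Review bot: The re-indented answer to "Which users will receive Internet Explorer 11 as an important update?" still carries the sentence fragment `Windows Update is manually run.`, which makes the delivery condition unclear; suggest folding it into the preceding sentence, e.g. `... will receive Internet Explorer 11 as an important update if Automatic Updates are turned on or if Windows Update is manually run.` Since this hunk is only reindenting, fixing the wording here is cheap. Same hunk, two lines later: `can't use WSUS, Configuration Manager, or other update management solution` should read `or another update management solution`.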
@@ -67,23 +67,23 @@ The registry key name is **DoNotAllowIE11**, where:
- Not providing a registry key, or using a value of anything other than **1**, lets the user install Internet Explorer 11 through Automatic Updates or a
manual update.
-**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?**
-A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media.
-
-**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?**
-A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11.
-
-**Q. How does the provided script work?**
+**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?**
+A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media.
+
+**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?**
+A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11.
+
+**Q. How does the provided script work?**
A. The script accepts one of two command line options:
- **Block:** Creates the registry key that stops Internet Explorer 11 from installing through Automatic Updates.
- **Unblock:** Removes the registry key that stops Internet Explorer 11 from installing through Automatic Updates.
-**Q. What’s the ADM template file used for?**
-A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company.
-
-**Q. Is the tool localized?**
+**Q. What’s the ADM template file used for?**
+A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company.
+
+**Q. Is the tool localized?**
A. No. The tool isn’t localized, it’s only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems.
## Internet Explorer 11 Blocker Toolkit and other update services
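Review bot: Comma splice in the localization answer at the end of this hunk: `The tool isn't localized, it's only available in English (en-us).` should be two sentences or use a semicolon, e.g. `The tool isn't localized; it's only available in English (en-us).` Everything else in the hunk is whitespace-only and looks fine.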
@@ -91,17 +91,17 @@ A. No. The tool isn’t localized, it’s only available in English (en-us). How
**Q: Is there a version of the Internet Explorer Blocker Toolkit that will prevent automatic installation of IE11?**
Yes. The IE11 Blocker Toolkit is available for download. For more information, see [Toolkit to Disable Automatic Delivery of IE11](https://go.microsoft.com/fwlink/p/?LinkId=328195) on the Microsoft Download Center.
-**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?**
-A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions.
-
-**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?**
+**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?**
+A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions.
+
+**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?**
A. You only need to change your settings if:
-- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation.
+- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation.
-and-
-- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed.
+- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed.
-and-
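Review bot: Terminology drift in the re-added answer about WSUS: the question and the rest of the article say `update management solutions`, but the answer says `upgrade management solutions` twice (`using one of the upgrade management solutions`, `don't use upgrade management solutions`). Since the hunk is already rewriting these lines, align them on `update management solutions`.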
@@ -112,10 +112,10 @@ If these scenarios apply to your company, see [Internet Explorer 11 delivery thr
## Additional resources
-- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
+- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
-- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
+- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
-- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
+- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
-- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index)
+- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index)
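Review bot: Mixed link styles in this resources list: `Internet Explorer 11 FAQ for IT pros` and `Internet Explorer 11 deployment guide` use absolute docs.microsoft.com URLs while `Internet Explorer 11 delivery through automatic updates` uses a relative path into the same repo. Prefer relative paths for in-repo targets so the links resolve in previews and forks and are caught by link validation when a file moves.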
diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md
index 3187f8b507..29b8c0ceca 100644
--- a/browsers/internet-explorer/ie11-ieak/index.md
+++ b/browsers/internet-explorer/ie11-ieak/index.md
@@ -14,12 +14,12 @@ manager: dansimp
# Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
-The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
+The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
->[!IMPORTANT]
->Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary.
+> [!IMPORTANT]
+> Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary.
## Included technology
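Review bot: Unrelated to the whitespace change but in the same hunk: `for your employee's devices` should be `for your employees' devices` (plural possessive), since the guide is about deploying to the whole workforce, not one employee.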
@@ -41,7 +41,7 @@ IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1
## Related topics
- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md)
-- [Download IEAK 11](ieak-information-and-downloads.md)
+- [Download IEAK 11](ieak-information-and-downloads.md)
- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index)
- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md)
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index 296dec1688..ea1f1cb9e1 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -6,7 +6,7 @@ author: dansimp
ms.author: dansimp
ms.prod: ie11
ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15
-ms.reviewer:
+ms.reviewer:
audience: itpro
manager: dansimp
title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
@@ -21,8 +21,8 @@ In addition to the Software License Terms for the Internet Explorer Administrati
During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment.
- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website.
- >[!IMPORTANT]
- >Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
+ > [!IMPORTANT]
+ > Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
- **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment.
@@ -64,10 +64,10 @@ During installation, you must pick a version of IEAK 11, either **External** or
Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
-- **External Distribution**
+- **External Distribution**
This mode is available to anyone who wants to create a customized browser for distribution outside their company (for example, websites, magazines, retailers, non-profit organizations, independent hardware vendors, independent software vendors, Internet service providers, Internet content providers, software developers, and marketers).
-- **Internal Distribution**
+- **Internal Distribution**
This mode is available to companies for the creation and distribution of a customized browser only to their employees over a corporate intranet.
The table below identifies which customizations you may or may not perform based on the mode you selected.
@@ -100,8 +100,8 @@ Support for some of the Internet Explorer settings on the wizard pages varies de
Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
-- **External Distribution**
+- **External Distribution**
You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy).
-- **Internal Distribution - corporate intranet**
+- **Internal Distribution - corporate intranet**
The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet.
diff --git a/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md b/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md
deleted file mode 100644
index 0031c6792e..0000000000
--- a/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md
+++ /dev/null
@@ -1,137 +0,0 @@
----
-title: Clear the Internet Explorer cache from a command line
-description: Introduces command-line commands and a sample batch file for clearing the IE cache.
-audience: ITPro
-manager: msmets
-author: ramakoni1
-ms.author: ramakoni
-ms.reviewer: ramakoni, DEV_Triage
-ms.prod: internet-explorer
-ms.technology:
-ms.topic: kb-support
-ms.custom: CI=111020
-ms.localizationpriority: Normal
-# localization_priority: medium
-# ms.translationtype: MT
-ms.date: 01/23/2020
----
-# How to clear Internet Explorer cache by using the command line
-
-This article outlines the procedure to clear the Internet Explorer cache by using the command line.
-
-## Command line commands to clear browser cache
-
-1. Delete history from the Low folder
- `del /s /q C:\Users\\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah`
-
-2. Delete history
- `RunDll32.exe InetCpl.cpl, ClearMyTracksByProcess 1`
-
-3. Delete cookies
- `RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2`
-
-4. Delete temporary internet files
- `RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8`
-
-5. Delete form data
- `RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16`
-
-6. Delete stored passwords
- `RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32`
-
-7. Delete all
- `RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255`
-
-8. Delete files and settings stored by add-ons
- `InetCpl.cpl,ClearMyTracksByProcess 4351`
-
-If you upgraded from a previous version of Internet Explorer, you have to use the following commands to delete the files from older versions:
-`RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9`
-
-Command to reset Internet Explorer settings:
-`Rundll32.exe inetcpl.cpl ResetIEtoDefaults`
-
-## Sample batch file to clear Internet Explorer cache files
-
-A sample batch file is available that you can use to clear Internet Explorer cache files and other items. You can download the file from [https://msdnshared.blob.core.windows.net/media/2017/09/ClearIE_Cache.zip](https://msdnshared.blob.core.windows.net/media/2017/09/ClearIE_Cache.zip).
-
-The batch file offers the following options:
-
-- Delete Non-trusted web History (low-level hidden cleanup)
-- Delete History
-- Delete Cookies
-- Delete Temporary Internet Files
-- Delete Form Data
-- Delete Stored Passwords
-- Delete All
-- Delete All "Also delete files and settings stored by add-ons"
-- Delete IE10 and IE9 Temporary Internet Files
-- Resets IE Settings
-- EXIT
-
-**Contents of the batch file**
-
-```console
-@echo off
-:: AxelR Test Batch
-:: tested on Windows 8 + IE10, Windows7 + IE9
-
-:home
-cls
-COLOR 00
-echo Delete IE History
-echo Please select the task you wish to run.
-echo Pick one:
-echo.
-echo 1. Delete Non-trusted web History(low level hidden clean up)
-echo 2. Delete History
-echo 3. Delete Cookies
-echo 4. Delete Temporary Internet Files
-echo 5. Delete Form Data
-echo 6. Delete Stored Passwords
-echo 7. Delete All
-echo 8. Delete All "Also delete files and settings stored by add-ons"
-echo 9. Delete IE10 and 9 Temporary Internet Files
-echo 10. Reset IE Settings
-echo 77. EXIT
-:choice
-Echo Hit a number [1-10] and press enter.
-set /P CH=[1-10]
-
-if "%CH%"=="1" set x=del /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah
-if "%CH%"=="2" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
-if "%CH%"=="3" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
-if "%CH%"=="4" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
-if "%CH%"=="5" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16
-if "%CH%"=="6" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32
-if "%CH%"=="7" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
-if "%CH%"=="8" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351
-if "%CH%"=="9" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9
-if "%CH%"=="10" set x=rundll32.exe inetcpl.cpl ResetIEtoDefaults
-if "%CH%"=="77" goto quit
-
-%x%
-
-goto Home
-
-::Temporary Internet Files > Delete files - To delete copies of web pages, images, and media
-::that are saved for faster viewing.
-::Cookies > Delete cookies - To delete cookies, which are files that are stored on your computer by
-::websites to save preferences such as login information.
-::History > Delete history - To delete the history of the websites you have visited.
-::Form data > Delete forms - To delete all the saved information that you have typed into
-::forms.
-::Passwords > Delete passwords - To delete all the passwords that are automatically filled in
-::when you log on to a website that you've previously visited.
-::Delete all - To delete all of these listed items in one operation.
-
-::enter below in search/run to see Low history dir if exists
-::C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low
-
-::Delete all low (untrusted history) very hidden
-::this will clean any unlocked files under the dir and not delete the dir structure
-::del /s /q low\* /ah ::del /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah
-
-goto Home
-:quit
-```
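Review bot: Deleting a published kb-support article (`clear-ie-cache-from-command-line.md`) needs a matching redirect entry so existing inbound links and search results do not 404, and any TOC or "related topics" references to it in the repo should be removed in the same change; nothing in this hunk shows where readers are sent instead. If the content is intentionally retired (the batch file it points to is hosted on an external blob URL and its step 8 omits the `RunDll32.exe` prefix, so the article was not in great shape), a one-line note in the PR description about the redirect target would make that reviewable.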
diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.md b/browsers/internet-explorer/kb-support/ie-edge-faqs.md
index ef07a2a337..0257a9db03 100644
--- a/browsers/internet-explorer/kb-support/ie-edge-faqs.md
+++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.md
@@ -1,6 +1,6 @@
---
title: IE and Microsoft Edge FAQ for IT Pros
-description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals.
+description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals.
audience: ITPro
manager: msmets
author: ramakoni1
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index 4decd51404..cb44c5b311 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -5,7 +5,7 @@
## [Get your HoloLens 2 ready to use](hololens2-setup.md)
## [Set up your HoloLens 2](hololens2-start.md)
## [HoloLens 2 fit and comfort FAQ](hololens2-fit-comfort-faq.md)
-## [Frequently asked questions about cleaning HoloLens 2 devices](hololens2-maintenance.md)
+## [HoloLens 2 cleaning FAQ](hololens2-maintenance.md)
## [Supported languages for HoloLens 2](hololens2-language-support.md)
## [Getting around HoloLens 2](hololens2-basic-usage.md)
@@ -16,8 +16,9 @@
## [HoloLens (1st gen) fit and comfort FAQ](hololens1-fit-comfort-faq.md)
## [Install localized version of HoloLens (1st gen)](hololens1-install-localized.md)
## [Getting around HoloLens (1st gen)](hololens1-basic-usage.md)
+## [HoloLens (1st Gen) release notes](hololens1-release-notes.md)
-# Deploy HoloLens and mixed-reality apps in commercial environments
+# Deploy HoloLens and mixed reality apps in commercial environments
## [Commercial features](hololens-commercial-features.md)
## [Deploy HoloLens in a commercial environment](hololens-requirements.md)
## [Determine what licenses you need](hololens-licenses-requirements.md)
@@ -28,19 +29,18 @@
## [Manage HoloLens updates](hololens-updates.md)
## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
-# Navigating Windows Holographic
-## [Start menu and mixed reality home](holographic-home.md)
-## [Use your voice with HoloLens](hololens-cortana.md)
+# Navigate the Windows Holographic environment
+## [Use the Start menu and mixed reality home](holographic-home.md)
+## [Use your voice to operate HoloLens](hololens-cortana.md)
## [Find, open, and save files](holographic-data.md)
## [Create mixed reality photos and videos](holographic-photos-and-videos.md)
-# User management and access management
+# Manage users and access
## [Manage user identity and sign-in for HoloLens](hololens-identity.md)
## [Share your HoloLens with multiple people](hololens-multiple-users.md)
-## [Set up HoloLens as a kiosk for specific applications](hololens-kiosk.md)
+## [Set up HoloLens as a kiosk](hololens-kiosk.md)
# Holographic applications
-## [Use 3D Viewer on HoloLens](holographic-3d-viewer-beta.md)
## [Find, install, and uninstall applications](holographic-store-apps.md)
## [Manage custom apps for HoloLens](holographic-custom-apps.md)
@@ -64,10 +64,13 @@
## [Frequently asked questions](hololens-faq.md)
## [Frequently asked security questions](hololens-faq-security.md)
## [Status of the HoloLens services](hololens-status.md)
-## [Get support](https://support.microsoft.com/supportforbusiness/productselection?sapid=3ec35c62-022f-466b-3a1e-dbbb7b9a55fb)
-## [SCEP whitepaper](scep-whitepaper.md)
+## [Get support](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f)
-# [HoloLens release notes](hololens-release-notes.md)
+# Resources
+## [Use 3D Viewer on HoloLens (1st gen)](holographic-3d-viewer-beta.md)
+## [Windows Autopilot for HoloLens 2 evaluation guide](hololens2-autopilot.md)
+
+# [HoloLens 2 release notes](hololens-release-notes.md)
# [Give us feedback](hololens-feedback.md)
# [Insider preview for Microsoft HoloLens](hololens-insider.md)
# [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
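Review bot: Removing `## [SCEP whitepaper](scep-whitepaper.md)` from the TOC leaves `scep-whitepaper.md` orphaned unless it is deleted or redirected elsewhere in this PR; an unlisted page keeps publishing and keeps ranking in search without any way to reach it from navigation. Either delete the file with a redirect or keep the entry (it would fit under the new `# Resources` node next to the Autopilot guide). The `Get support` link also changes its `sapid` value; please confirm the new ID resolves to the HoloLens product in the support portal.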
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index 4b3449e838..f4655eaebf 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -1,7 +1,7 @@
---
title: Change history for Microsoft HoloLens documentation
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: This topic lists new and updated topics for HoloLens.
keywords: change history
ms.prod: hololens
@@ -17,6 +17,14 @@ ms.localizationpriority: medium
This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
+## Windows 10 Holographic, version 2004
+
+The topics in this library have been updated for Windows 10 Holographic, version 2004.
+
+## HoloLens 2
+
+The topics in this library have been updated for HoloLens 2 and Windows 10 Holographic, version 1903.
+
## April 2019
New or changed topic | Description
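Review bot: The two new sections (`## Windows 10 Holographic, version 2004` and `## HoloLens 2`) each carry a single blanket sentence, whereas the existing `## April 2019` section right below uses the `New or changed topic | Description` table to list what changed. Readers of a change history page expect the per-topic table; at minimum, listing the pages added by this PR (for example `hololens1-release-notes.md` and `hololens2-autopilot.md`) under the version 2004 heading would keep the page useful.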
diff --git a/devices/hololens/holographic-3d-viewer-beta.md b/devices/hololens/holographic-3d-viewer-beta.md
index 0973813221..dd46dd8371 100644
--- a/devices/hololens/holographic-3d-viewer-beta.md
+++ b/devices/hololens/holographic-3d-viewer-beta.md
@@ -1,6 +1,6 @@
---
-title: Using 3D Viewer on HoloLens
-description: Describes the types of files and features that 3D Viewer Beta on HoloLens supports, and how to use and troubleshoot the app.
+title: Using 3D Viewer on HoloLens (1st gen)
+description: Describes the types of files and features that 3D Viewer on HoloLens (1st gen) supports, and how to use and troubleshoot the app.
ms.prod: hololens
ms.sitesec: library
author: Teresa-Motiv
@@ -15,15 +15,18 @@ appliesto:
- HoloLens (1st gen)
---
-# Using 3D Viewer on HoloLens
+# Using 3D Viewer on HoloLens (1st gen)
-3D Viewer lets you view 3D models on HoloLens. You can open and view *supported* .fbx files from Microsoft Edge, OneDrive, and other apps.
+3D Viewer lets you view 3D models on HoloLens (1st gen). You can open and view *supported* .fbx files from Microsoft Edge, OneDrive, and other apps.
+
+>[!NOTE]
+>This article applies to the immersive Unity **3D Viewer** app, which supports .fbx files and is only available on HoloLens (1st gen). The pre-installed **3D Viewer** app on HoloLens 2 supports opening custom .glb 3D models in the mixed reality home (see [Asset requirements overview](https://docs.microsoft.com/windows/mixed-reality/creating-3d-models-for-use-in-the-windows-mixed-reality-home#asset-requirements-overview) for more details.
If you're having trouble opening a 3D model in 3D Viewer, or certain features of your 3D model are unsupported, see [Supported content specifications](#supported-content-specifications).
-To build or optimize 3D models for use with 3D Viewer, see [Optimizing 3D models for 3D Viewer](#optimizing-3d-models-for-3d-viewer-beta).
+To build or optimize 3D models for use with 3D Viewer, see [Optimizing 3D models for 3D Viewer](#optimizing-3d-models-for-3d-viewer).
-There are two ways to open a 3D model on HoloLens. See [Viewing 3D models on HoloLens](#viewing-3d-models-on-hololens) to learn more.
+There are two ways to open a 3D model on HoloLens. See [Viewing FBX files on HoloLens](#viewing-fbx-files-on-hololens) to learn more.
If you're having trouble after reading these topics, see [Troubleshooting](#troubleshooting).
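Review bot: The new note has an unbalanced parenthesis: "(see [Asset requirements overview](...) for more details." opens a parenthesis that is never closed; add ")" after "details". The sentence would also be clearer as "...supports opening custom .glb 3D models in the mixed reality home. For details, see [Asset requirements overview](...)."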
@@ -83,14 +86,14 @@ If you're having trouble after reading these topics, see [Troubleshooting](#trou
### File and model limitations
-There are hard limits on the size of files, as well as the number of models, vertices, and meshes that can be open simultaneously in 3D Viewer Beta:
+There are hard limits on the size of files, as well as the number of models, vertices, and meshes that can be open simultaneously in 3D Viewer:
- 500 MB maximum file size per model
- Vertices: 600,000 combined on all open models
- Meshes: 1,600 combined on all open models
- Maximum of 40 models open at one time
-## Optimizing 3D models for 3D Viewer Beta
+## Optimizing 3D models for 3D Viewer
### Special considerations
@@ -100,9 +103,9 @@ There are hard limits on the size of files, as well as the number of models, ver
### Performance optimization
-Keep performance in mind while authoring content and validate in the 3D Viewer Beta app on HoloLens during the authoring process for best results. 3D Viewer Beta renders content real-time and performance is subject to HoloLens hardware capabilities.
+Keep performance in mind while authoring content and validate in the 3D Viewer app on HoloLens during the authoring process for best results. 3D Viewer renders content real-time and performance is subject to HoloLens hardware capabilities.
-There are many variables in a 3D model that can impact performance. 3D Viewer Beta will show a warning on load if there are more than 150,000 vertices or more than 400 meshes. Animations can have an impact on the performance of other open models. There are also hard limits on the total number models, vertices, and meshes that can be open simultaneously in 3D Viewer Beta (see [File and model limitations](#file-and-model-limitations)).
+There are many variables in a 3D model that can impact performance. 3D Viewer will show a warning on load if there are more than 150,000 vertices or more than 400 meshes. Animations can have an impact on the performance of other open models. There are also hard limits on the total number models, vertices, and meshes that can be open simultaneously in 3D Viewer (see [File and model limitations](#file-and-model-limitations)).
If the 3D model isn't running well due to model complexity, consider:
@@ -110,19 +113,19 @@ If the 3D model isn't running well due to model complexity, consider:
- Reducing number of bones in rigged animation
- Avoiding self-occlusion
-Double-sided rendering is supported in 3D Viewer Beta, although it is turned off by default for performance reasons. This can be turned on via the **Double Sided** button on the **Details** page. For best performance, avoid the need for double-sided rendering in your content.
+Double-sided rendering is supported in 3D Viewer, although it is turned off by default for performance reasons. This can be turned on via the **Double Sided** button on the **Details** page. For best performance, avoid the need for double-sided rendering in your content.
### Validating your 3D model
-Validate your model by opening it in 3D Viewer Beta on HoloLens. Select the **Details** button to view your model's characteristics and warnings of unsupported content (if present).
+Validate your model by opening it in 3D Viewer on HoloLens. Select the **Details** button to view your model's characteristics and warnings of unsupported content (if present).
### Rendering 3D models with true-to-life dimensions
-By default, 3D Viewer Beta displays 3D models at a comfortable size and position relative to the user. However, if rendering a 3D model with true-to-life measurements is important (for example, when evaluating furniture models in a room), the content creator can set a flag within the file's metadata to prevent resizing of that model by both the application and the user.
+By default, 3D Viewer displays 3D models at a comfortable size and position relative to the user. However, if rendering a 3D model with true-to-life measurements is important (for example, when evaluating furniture models in a room), the content creator can set a flag within the file's metadata to prevent resizing of that model by both the application and the user.
-To prevent scaling of the model, add a Boolean custom attribute to any object in the scene named Microsoft_DisableScale and set it to true. 3D Viewer Beta will then respect the FbxSystemUnit information baked into the FBX file. Scale in 3D Viewer Beta is 1 meter per FBX unit.
+To prevent scaling of the model, add a Boolean custom attribute to any object in the scene named Microsoft_DisableScale and set it to true. 3D Viewer will then respect the FbxSystemUnit information baked into the FBX file. Scale in 3D Viewer is 1 meter per FBX unit.
-## Viewing 3D models on HoloLens
+## Viewing FBX files on HoloLens
### Open an FBX file from Microsoft Edge
@@ -130,71 +133,71 @@ FBX files can be opened directly from a website using Microsoft Edge on HoloLens
1. In Microsoft Edge, navigate to the webpage containing the FBX file you want to view.
1. Select the file to download it.
-1. When the download is complete, select the **Open** button in Microsoft Edge to open the file in 3D Viewer Beta.
+1. When the download is complete, select the **Open** button in Microsoft Edge to open the file in 3D Viewer.
The downloaded file can be accessed and opened again later by using Downloads in Microsoft Edge. To save a 3D model and ensure continued access, download the file on your PC and save it to your OneDrive account. The file can then be opened from the OneDrive app on HoloLens.
> [!NOTE]
-> Some websites with downloadable FBX models provide them in compressed ZIP format. 3D Viewer Beta cannot open ZIP files directly. Instead, use your PC to extract the FBX file and save it to your OneDrive account. The file can then be opened from the OneDrive app on HoloLens.
+> Some websites with downloadable FBX models provide them in compressed ZIP format. 3D Viewer cannot open ZIP files directly. Instead, use your PC to extract the FBX file and save it to your OneDrive account. The file can then be opened from the OneDrive app on HoloLens.
### Open an FBX file from OneDrive
FBX files can be opened from OneDrive by using the OneDrive app on HoloLens. Be sure you've installed OneDrive using Microsoft Store app on HoloLens and that you've already uploaded the FBX file to OneDrive on your PC.
-Once in OneDrive, FBX files can be opened on HoloLens using 3D Viewer Beta in one of two ways:
+Once in OneDrive, FBX files can be opened on HoloLens using 3D Viewer in one of two ways:
-- Launch OneDrive on HoloLens and select the FBX file to open it in 3D Viewer Beta.
-- Launch 3D Viewer Beta, air tap to show the toolbar, and select **Open File**. OneDrive will launch, allowing you to select an FBX file.
+- Launch OneDrive on HoloLens and select the FBX file to open it in 3D Viewer.
+- Launch 3D Viewer, air tap to show the toolbar, and select **Open File**. OneDrive will launch, allowing you to select an FBX file.
## Troubleshooting
### I see a warning when I open a 3D model
-You will see a warning if you attempt to open a 3D model that contains features that are not supported by 3D Viewer Beta, or if the model is too complex and performance may be affected. 3D Viewer Beta will still load the 3D model, but performance or visual fidelity may be compromised.
+You will see a warning if you attempt to open a 3D model that contains features that are not supported by 3D Viewer, or if the model is too complex and performance may be affected. 3D Viewer will still load the 3D model, but performance or visual fidelity may be compromised.
-For more info, see [Supported content specifications](#supported-content-specifications) and [Optimizing 3D models for 3D Viewer Beta](#optimizing-3d-models-for-3d-viewer-beta).
+For more info, see [Supported content specifications](#supported-content-specifications) and [Optimizing 3D models for 3D Viewer](#optimizing-3d-models-for-3d-viewer).
### I see a warning and the 3D model doesn't load
-You will see an error message when 3D Viewer Beta cannot load a 3D model due to complexity or file size, or if the FBX file is corrupt or invalid. You will also see an error message if you have reached the limit on the total number of models, vertices, or meshes that can be open simultaneously.
+You will see an error message when 3D Viewer cannot load a 3D model due to complexity or file size, or if the FBX file is corrupt or invalid. You will also see an error message if you have reached the limit on the total number of models, vertices, or meshes that can be open simultaneously.
For more info, see [Supported content specifications](#supported-content-specifications) and [File and model limitations](#file-and-model-limitations).
-If you feel your model meets the supported content specifications and has not exceeded the file or model limitations, you may send your FBX file to the 3D Viewer Beta team at holoapps@microsoft.com. We are not able to respond personally, but having examples of files that do not load properly will help our team improve on future versions of the app.
+If you feel your model meets the supported content specifications and has not exceeded the file or model limitations, you may send your FBX file to the 3D Viewer team at holoapps@microsoft.com. We are not able to respond personally, but having examples of files that do not load properly will help our team improve on future versions of the app.
### My 3D model loads, but does not appear as expected
-If your 3D model does not look as expected in 3D Viewer Beta, air tap to show the toolbar, then select **Details**. Aspects of the file which are not supported by 3D Viewer Beta will be highlighted as warnings.
+If your 3D model does not look as expected in 3D Viewer, air tap to show the toolbar, then select **Details**. Aspects of the file which are not supported by 3D Viewer will be highlighted as warnings.
The most common issue you might see is missing textures, likely because they are not embedded in the FBX file. In this case, the model will appear white. This issue can be addressed in the creation process by exporting from your creation tool to FBX with the embed textures option selected.
-For more info, see [Supported content specifications](#supported-content-specifications) and [Optimizing 3D models for 3D Viewer Beta](#optimizing-3d-models-for-3d-viewer-beta).
+For more info, see [Supported content specifications](#supported-content-specifications) and [Optimizing 3D models for 3D Viewer](#optimizing-3d-models-for-3d-viewer).
### I experience performance drops while viewing my 3D model
Performance when loading and viewing a 3D model can be affected by the complexity of the model, number of models open simultaneously, or number of models with active animations.
-For more info, see [Optimizing 3D models for 3D Viewer Beta](#optimizing-3d-models-for-3d-viewer-beta) and [File and model limitations](#file-and-model-limitations).
+For more info, see [Optimizing 3D models for 3D Viewer](#optimizing-3d-models-for-3d-viewer) and [File and model limitations](#file-and-model-limitations).
-### When I open an FBX file on HoloLens, it doesn't open in 3D Viewer Beta
+### When I open an FBX file on HoloLens, it doesn't open in 3D Viewer
-3D Viewer Beta is automatically associated with the .fbx file extension when it is installed.
+3D Viewer is automatically associated with the .fbx file extension when it is installed.
If you try to open an FBX file and see a dialog box that directs you to Microsoft Store, you do not currently have an app associated with the .fbx file extension on HoloLens.
-Verify that 3D Viewer Beta is installed. If it is not installed, download it from Microsoft Store on HoloLens.
+Verify that 3D Viewer is installed. If it is not installed, download it from Microsoft Store on HoloLens.
-If 3D Viewer Beta is already installed, launch 3D Viewer Beta, then try opening the file again. If the issue persists, uninstall and reinstall 3D Viewer Beta. This will re-associate the .fbx file extension with 3D Viewer Beta.
+If 3D Viewer is already installed, launch 3D Viewer, then try opening the file again. If the issue persists, uninstall and reinstall 3D Viewer. This will re-associate the .fbx file extension with 3D Viewer.
-If attempting to open an FBX file opens an app other than 3D Viewer Beta, that app was likely installed after 3D Viewer Beta and has taken over association with the .fbx file extension. If you prefer 3D Viewer Beta to be associated with the .fbx file extension, uninstall and reinstall 3D Viewer Beta.
+If attempting to open an FBX file opens an app other than 3D Viewer, that app was likely installed after 3D Viewer and has taken over association with the .fbx file extension. If you prefer 3D Viewer to be associated with the .fbx file extension, uninstall and reinstall 3D Viewer.
-### The Open File button in 3D Viewer Beta doesn't launch an app
+### The Open File button in 3D Viewer doesn't launch an app
The **Open File** button will open the app associated with the file picker function on HoloLens. If OneDrive is installed, the **Open File** button should launch OneDrive. However, if there is currently no app associated with the file picker function installed on HoloLens, you will be directed to Microsoft Store.
-If the **Open File** button launches an app other than OneDrive, that app was likely installed after OneDrive and has taken over association with the file picker function. If you prefer OneDrive to launch when selecting the **Open File** button in 3D Viewer Beta, uninstall and reinstall OneDrive.
+If the **Open File** button launches an app other than OneDrive, that app was likely installed after OneDrive and has taken over association with the file picker function. If you prefer OneDrive to launch when selecting the **Open File** button in 3D Viewer, uninstall and reinstall OneDrive.
-If the **Open File** button is not active, it's possible that you have reached the limit of models that can be open in 3D Viewer Beta at one time. If you have 40 models open in 3D Viewer Beta, you will need to close some before you will be able to open additional models.
+If the **Open File** button is not active, it's possible that you have reached the limit of models that can be open in 3D Viewer at one time. If you have 40 models open in 3D Viewer, you will need to close some before you will be able to open additional models.
## Additional resources
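Review bot: Removing the "Beta" suffix everywhere makes the app name ambiguous against the note added earlier in this file, which says the pre-installed HoloLens 2 app is also called "3D Viewer". Steps such as "Verify that 3D Viewer is installed. If it is not installed, download it from Microsoft Store on HoloLens" and "uninstall and reinstall 3D Viewer" now give no way to tell the two apps apart; state the exact Store listing name (or that this is the HoloLens (1st gen) Unity app) at least once in the troubleshooting section.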
diff --git a/devices/hololens/holographic-home.md b/devices/hololens/holographic-home.md
index 9b554c0638..8cbbe10268 100644
--- a/devices/hololens/holographic-home.md
+++ b/devices/hololens/holographic-home.md
@@ -1,5 +1,5 @@
---
-title: Start menu and mixed reality home
+title: Use the Start menu and mixed reality home
description: Navigate the mixed reality home in Windows Holographic.
ms.assetid: 742bc126-7996-4f3a-abb2-cf345dff730c
ms.date: 08/07/2019
@@ -15,7 +15,7 @@ appliesto:
- HoloLens 2
---
-# Start menu and mixed reality home
+# Use the Start menu and mixed reality home
Just like the Windows PC experience starts with the desktop, Windows Holographic starts with mixed reality home. Using the Start menu you can open and place app windows, immersive app launchers, and 3D content in mixed reality home, and their placement in your physical space will be remembered.
diff --git a/devices/hololens/holographic-photos-and-videos.md b/devices/hololens/holographic-photos-and-videos.md
index 10e6bb4756..11255c8961 100644
--- a/devices/hololens/holographic-photos-and-videos.md
+++ b/devices/hololens/holographic-photos-and-videos.md
@@ -44,7 +44,9 @@ To take a quick photo of your current view, press the volume up and volume down
### Voice commands to take photos
-Cortana can also take a picture. Say: "Hey Cortana, take a picture."
+On HoloLens 2, version 2004 (and later), say: "Take a picture."
+
+On HoloLens (1st gen) or HoloLens 2, version 1903, say: "Hey Cortana, take a picture."
### Start menu to take photos
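Review bot: "HoloLens 2, version 2004 (and later)" names an OS version as if it were a device version; elsewhere in this diff the OS is called "Windows Holographic, version 2004". Use that form here and in the matching video-recording hunk below so readers can map it to the release notes.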
@@ -67,7 +69,9 @@ The quickest way to record a video is to press and hold the **volume up** and **
### Voice to record videos
-Cortana can also record a video. Say: "Hey Cortana, start recording." To stop a video, say "Hey Cortana, stop recording."
+On HoloLens 2, version 2004 (and later), say: "Start recording." To stop recording, say "Stop recording."
+
+On HoloLens (1st gen) or HoloLens 2, version 1903, say: "Hey Cortana, start recording." To stop recording, say "Hey Cortana, stop recording."
### Start menu to record videos
diff --git a/devices/hololens/holographic-store-apps.md b/devices/hololens/holographic-store-apps.md
index 085f14c50e..f993afcb7f 100644
--- a/devices/hololens/holographic-store-apps.md
+++ b/devices/hololens/holographic-store-apps.md
@@ -33,12 +33,18 @@ Open the Microsoft Store from the **Start** menu. Then browse for apps and games
## Install apps
-To download apps, you'll need to be signed in with a Microsoft account. To buy them, you'll need a payment method associated with the Microsoft account you use on your HoloLens. To set up a payment method, go to [account.microsoft.com](https://account.microsoft.com/) and select **Payment & billing** > **Payment options** > **Add a payment option**.
+To download apps, you'll need to be signed in with a Microsoft account. Some apps are free and can be downloaded right away. Apps that require a purchase require you to be signed in to the Store with your Microsoft account and have a valid payment method.
+> [!NOTE]
+> The account you use on Microsoft Store does not have to be the same as the account you are signed in with. If you are using a Work or School account on your HoloLens then you'll need to sign in with your personal account in the Store App to make a purchase.
-1. To open the [**Start** menu](holographic-home.md), perform a [bloom](hololens1-basic-usage.md) gesture or tap your wrist.
-2. Select the Store app and then tap to place this tile into your world.
-3. Once the Store app opens, use the search bar to look for any desired application.
-4. Select **Get** or **Install** on the application's page (a purchase may be required).
+To set up a payment method, go to [account.microsoft.com](https://account.microsoft.com/) and select **Payment & billing** > **Payment options** > **Add a payment option**.
+
+1. To open the [**Start** menu](holographic-home.md), perform a [Start gesture](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) or [bloom](hololens1-basic-usage.md) gesture on HoloLens 1.
+1. Select the Store app. Once the Store app opens:
+ 1. Use the search bar to look for any desired applications.
+ 1. Select essential apps or apps made specifically for HoloLens from one of the curated categories.
+ 1. On the top right of the Store app, select the **...** button and then select **My Library** to view any previously purchased apps.
+1. Select **Get** or **Install** on the application's page (a purchase may be required).
## Uninstall apps
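Review bot: The three nested items under "Select the Store app. Once the Store app opens:" are alternative ways to find an app, not sequential steps, but they are written as a numbered sub-list, so rendered output implies you do all three in order; make them bullets. Also, the step uses "HoloLens 1" where the rest of this documentation set says "HoloLens (1st gen)", and the note "The account you use on Microsoft Store does not have to be the same as the account you are signed in with" contradicts the preceding sentence "Apps that require a purchase require you to be signed in to the Store with your Microsoft account"; reword so it is clear that a work or school account on the device is fine but purchases need a personal Microsoft account in the Store.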
@@ -46,7 +52,7 @@ There are two ways to uninstall applications. You can uninstall applications th
### Uninstall from the Start menu
-On the **Start** menu or in the **All apps** list, gaze at the app. Tap and hold until the menu appears, then select **Uninstall**.
+On the **Start** menu or in the **All apps** list, browse to the app. Air tap and hold until the menu appears, then select **Uninstall**.
### Uninstall from the Microsoft Store
diff --git a/devices/hololens/hololens-calibration.md b/devices/hololens/hololens-calibration.md
index dcba528079..dc20ced641 100644
--- a/devices/hololens/hololens-calibration.md
+++ b/devices/hololens/hololens-calibration.md
@@ -38,7 +38,7 @@ HoloLens 2 prompts a user to calibrate the device under the following circumstan

-During this process, you'll look at a set of targets (gems). It's fine if you blink or close your eyes during calibration but try not to stare at other objects in the room. This allows HoloLens to learn about your eye position to render your holographic world.
+During this process, you'll look at a set of targets (gems). It's fine if you blink during calibration, but try to stay focused on the gems instead of other objects in the room. This allows HoloLens to learn about your eye position to render your holographic world.

@@ -52,7 +52,7 @@ If calibration was successful, you'll see a success screen. If not, read more a
### Calibration when sharing a device or session
-Multiple users can share a HoloLens 2 device, without a need for each person to go through device setup. When a new user puts the device on their head for th first time, HoloLens 2 automatically prompts the user to calibrate visuals. When a user that has previously calibrated visuals puts the device on their head, the display seamlessly adjusts for quality and a comfortable viewing experience.
+Multiple users can share a HoloLens 2 device, without a need for each person to go through device setup. When a new user puts the device on their head for the first time, HoloLens 2 automatically prompts the user to calibrate visuals. When a user that has previously calibrated visuals puts the device on their head, the display seamlessly adjusts for quality and a comfortable viewing experience.
### Manually starting the calibration process
@@ -84,12 +84,16 @@ If calibration is unsuccessful try:
- Moving objects in your visor out of the way (such as hair)
- Turning on a light in your room or moving out of direct sunlight
-If you followed all guidelines and calibration is still failing, please let us know by filing feedback in [Feedback Hub](hololens-feedback.md).
+If you followed all guidelines and calibration is still failing, you can disable the calibration prompt in Settings. Please also let us know by filing feedback in [Feedback Hub](hololens-feedback.md).
+
+Note that setting IPD is not applicable for Hololens 2, since eye positions are computed by the system.
### Calibration data and security
Calibration information is stored locally on the device and is not associated with any account information. There is no record of who has used the device without calibration. This mean new users will get prompted to calibrate visuals when they use the device for the first time, as well as users who opted out of calibration previously or if calibration was unsuccessful.
+The device can locally store up to 50 calibration profiles. After this number is reached, the device automatically deletes the oldest unused profile.
+
Calibration information can always be deleted from the device in **Settings** > **Privacy** > **Eye tracker**.
### Disable calibration
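Review bot: The added line "Note that setting IPD is not applicable for Hololens 2, since eye positions are computed by the system." is duplicated almost verbatim as a NOTE in the next hunk of this file; keep one of them. Both spell the product "Hololens" where the rest of the page uses "HoloLens". Since "you can disable the calibration prompt in Settings" sits directly above a "### Disable calibration" section, link to that section rather than leaving the reader to find it. The unchanged line "This mean new users will get prompted" in this hunk should read "This means"; worth fixing while the section is being edited.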
@@ -105,6 +109,8 @@ You can also disable the calibration prompt by following these steps:
### HoloLens 2 eye-tracking technology
The device uses its eye-tracking technology to improve display quality, and to ensure that all holograms are positioned accurately and comfortable to view in 3D. Because it uses the eyes as landmarks, the device can adjust itself for every user and tune its visuals as the headset shifts slightly throughout use. All adjustments happen on the fly without a need for manual tuning.
+> [!NOTE]
+> Setting the IPD is not applicable for Hololens 2, since eye positions are computed by the system.
HoloLens applications use eye tracking to track where you are looking in real time. This is the main capability developers can leverage to enable a whole new level of context, human understanding and interactions within the Holographic experience. Developers don’t need to do anything to leverage this capability.
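Review bot: This NOTE repeats the IPD sentence already added in the previous hunk of this file ("Note that setting IPD is not applicable for Hololens 2..."); drop one of the two, and correct the casing to "HoloLens" in whichever remains.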
diff --git a/devices/hololens/hololens-commercial-infrastructure.md b/devices/hololens/hololens-commercial-infrastructure.md
index 98ec5c6e06..ddeb2b11b2 100644
--- a/devices/hololens/hololens-commercial-infrastructure.md
+++ b/devices/hololens/hololens-commercial-infrastructure.md
@@ -56,7 +56,7 @@ Make sure that [this list](hololens-offline.md) of endpoints are allowed on your
### Remote Assist Specific Network Requirements
1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network).
-**(Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer).**
+**(Please note, if you don't network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer).**
1. Make sure that these ports and URLs are allowed on your network firewall. This will enable Microsoft Teams to function. The latest list can be found [here](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams).
### Guides Specific Network Requirements
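Review bot: The replacement line only swaps the curly apostrophe and keeps the garbled phrase "if you don't network have network speeds of at least 1.5Mbps"; since the line is being rewritten anyway, change it to "if your network does not have speeds of at least 1.5Mbps".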
@@ -73,18 +73,18 @@ Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md) for a
1. If you plan on using Auto Enrollment, you will have to [Configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/.set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment)
-1. Ensure that your company’s users are in Azure Active Directory (Azure AD).
+1. Ensure that your company's users are in Azure Active Directory (Azure AD).
Instructions for adding users can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory).
1. We suggest that users who need similar licenses are added to the same group.
1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal)
1. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal)
-1. Ensure that your company’s users (or group of users) are assigned the necessary licenses.
+1. Ensure that your company's users (or group of users) are assigned the necessary licenses.
Directions for assigning licenses can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/license-users-groups).
1. Only do this step if users are expected to enroll their HoloLens/Mobile device into you (There are three options)
-These steps ensure that your company’s users (or a group of users) can add devices.
+These steps ensure that your company's users (or a group of users) can add devices.
1. **Option 1:** Give all users permission to join devices to Azure AD.
**Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** >
**Set Users may join devices to Azure AD to *All***
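Review bot: The unchanged line "Only do this step if users are expected to enroll their HoloLens/Mobile device into you (There are three options)" is missing words after "into you" (presumably the tenant or MDM); since this hunk is already touching the surrounding lines for punctuation, fix that sentence too.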
@@ -163,7 +163,7 @@ Directions for upgrading to the commercial suite can be found [here](https://doc
1. Check your app settings
1. Log into your Microsoft Store Business account
- 1. **Manage > Products and Services > Apps and Software > Select the app you want to sync > Private Store Availability > Select “Everyone” or “Specific Groups”**
+ 1. **Manage > Products and Services > Apps and Software > Select the app you want to sync > Private Store Availability > Select "Everyone" or "Specific Groups"**
>[!NOTE]
>If you don't see the app you want, you will have to "get" the app by searching the store for your app. **Click the "Search" bar in the upper right-hand corner > type in the name of the app > click on the app > select "Get"**.
1. If you do not see your apps in **Intune > Client Apps > Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again.
@@ -171,11 +171,11 @@ Directions for upgrading to the commercial suite can be found [here](https://doc
1. [Create a device profile for Kiosk mode](https://docs.microsoft.com/intune/configuration/kiosk-settings#create-the-profile)
> [!NOTE]
-> You can configure different users to have different Kiosk Mode experiences by using “Azure AD” as the “User logon type”. However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps.
+> You can configure different users to have different Kiosk Mode experiences by using "Azure AD" as the "User logon type". However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps.

-For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, additional directions can be found [here](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)
+For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, additional directions can be found [here](hololens-kiosk.md#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk)
## Certificates and Authentication
diff --git a/devices/hololens/hololens-connect-devices.md b/devices/hololens/hololens-connect-devices.md
index 7926dab884..f75a5599df 100644
--- a/devices/hololens/hololens-connect-devices.md
+++ b/devices/hololens/hololens-connect-devices.md
@@ -45,10 +45,15 @@ HoloLens (1st gen) supports the following classes of Bluetooth devices:
### HoloLens (1st gen): Pair the clicker
1. Use the bloom gesture to go to **Start**, and then select **Settings**.
+
1. Select **Devices**, and make sure that Bluetooth is on.
+
1. Use the tip of a pen to press and hold the clicker pairing button until the clicker status light blinks white. Make sure to hold down the button until the light starts blinking.
+
The pairing button is on the underside of the clicker, next to the finger loop.
+

+
1. On the pairing screen, select **Clicker** > **Pair**.
## HoloLens 2: Connect USB-C devices
@@ -63,6 +68,9 @@ HoloLens 2 supports the following classes of USB-C devices:
- Wired keyboard
- Combination PD hubs (USB A plus PD charging)
+> [!NOTE]
+> Some mobile devices with USB-C connections present themselves to the HoloLens as ethernet adaptors, and therefore could be used in a tethering configuration, starting with Windows Holographic, version 2004. USB LTE modems that require a separate driver, and/or application installed for configuration are not supported
+
## Connect to Miracast
To use Miracast, follow these steps:
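Review bot: the new note is missing its terminating period, and "adaptors" should be "adapters" to match the rest of the docs; the sentence also reads better split in two: "Starting with Windows Holographic, version 2004, some mobile devices with USB-C connections present themselves to HoloLens as Ethernet adapters and can therefore be used for tethering. USB LTE modems that require a separate driver or application for configuration are not supported."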
@@ -74,3 +82,10 @@ To use Miracast, follow these steps:
1. On the list of devices that appears, select an available device.
1. Complete the pairing to begin projecting.
+
+## Disable Bluetooth
+
+This procedure turns off the RF components of the Bluetooth radio and disables all Bluetooth functionality on Microsoft HoloLens.
+
+1. Use the bloom gesture (HoloLens (1st gen)) or the start gesture (HoloLens 2) to go to **Start**, and then select **Settings** > **Devices**.
+1. Move the slider switch for **Bluetooth** to the **Off** position.
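Review bot: the new "Disable Bluetooth" procedure is a user-facing Settings toggle that any user can reverse by moving the same slider back to **On**; if the section is aimed at administrators who need Bluetooth to stay off, say explicitly that this is not an enforced setting, or point to the management policy that enforces it. Minor wording: "turns off the RF components of the Bluetooth radio and disables all Bluetooth functionality" can simply be "turns off the Bluetooth radio and disables all Bluetooth functionality".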
diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md
index 369602ca12..ec869cc67d 100644
--- a/devices/hololens/hololens-cortana.md
+++ b/devices/hololens/hololens-cortana.md
@@ -1,5 +1,5 @@
---
-title: Use your voice with HoloLens
+title: Use your voice to operate HoloLens
description: Cortana can help you do all kinds of things on your HoloLens
ms.assetid: fd96fb0e-6759-4dbe-be1f-58bedad66fed
ms.date: 03/10/2020
@@ -17,7 +17,7 @@ appliesto:
- HoloLens 2
---
-# Use your voice with HoloLens
+# Use your voice to operate HoloLens
You can use your voice to do almost anything on HoloLens, such as taking a quick photo or opening an app. Many voice commands are built into HoloLens, while others are available through Cortana.
@@ -30,24 +30,37 @@ This article teaches you how to control HoloLens and your holographic world with
## Built-in voice commands
-Get around HoloLens faster with these basic commands. In order to use these you need to enable Speech during first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of Start menu.
+Get around HoloLens faster with these basic commands. In order to use these, you need to enable Speech during the first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of the Start menu. For the best speech recognition results, HoloLens 2 uses the Microsoft cloud-based services. However, you can use Settings to disable this feature. To do this, in Settings, turn off **Online speech recognition**. After you change this setting, HoloLens 2 will only process voice data locally to recognize commands and dictation, and Cortana will not be available.
### General speech commands
-Use these commands throughout Windows Mixed Reality to get around faster. Some commands use the gaze cursor, which you bring up by saying “select.”
+Use these commands throughout Windows Mixed Reality to get around faster. Some commands use the gaze cursor, which you bring up by saying "select."
> [!NOTE]
> Hand rays are not supported on HoloLens (1st Gen).
| Say this | To do this |
| - | - |
-| "Select" | Say "select" to bring up the gaze cursor. Then, turn your head to position the cursor on the thing you want to select, and say “select” again. |
+| "Select" | Say "select" to bring up the gaze cursor. Then, turn your head to position the cursor on the thing you want to select, and say "select" again. |
|Open the Start menu | "Go to Start" |
|Close the Start menu | "Close" |
|Leave an immersive app | Say "Go to Start" to bring up the quick actions menu, then say "Mixed reality home." |
|Hide and show hand ray | "Hide hand ray" / "Show hand ray" |
|See available speech commands | "What can I say?" |
+Starting with version 19041.x of HoloLens 2, you can also use these commands:
+
+| Say this | To do this |
+| - | - |
+| "Restart device" | Bring up a dialogue to confirm you want to restart the device. You can say "yes" to restart. |
+| "Shutdown device" | Bring up a dialogue to confirm you want to turn off the device. You can say "yes" to confirm. |
+| "Brightness up/down" | Increase or decrease the display brightness by 10%. |
+| "Volume up/down" | Increase or decrease the volume by 10%. |
+| "What's my IP address" | Bring up a dialogue displaying your device's current IP address on the local network. |
+| "Take a picture" | Capture a mixed reality photo of what you are currently seeing. |
+| "Take a video" | Start recording a mixed reality video. |
+| "Stop recording" | Stops the current mixed reality video recording if one is in progress. |
+
### Hologram commands
To use these commands, gaze at a 3D object, hologram, or app window.
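Review bot: the first table has its columns swapped after the "Select" row: "Say this | To do this" is the header, but rows such as `|Open the Start menu | "Go to Start" |` put the action first and the phrase second, while the new 19041 table below puts the phrase first. Since the hunk already touches the "Select" row, swap the remaining rows so both tables read the same way. In the new table, "dialogue" should be "dialog" (a UI element), and the command is written "Shutdown device" while the Cortana list later in this file uses "Shut down"; confirm the exact phrase the recognizer accepts.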
@@ -87,7 +100,7 @@ Sometimes it's helpful to spell out things like email addresses. For instance, t
## Do more with Cortana
-Cortana can help you do all kinds of things on your HoloLens, from searching the web to shutting down your device. She can give you suggestions, ideas, reminders, alerts, and more. To get her attention, select Cortana on **Start** or say "Hey Cortana" anytime.
+Cortana can help you do all kinds of things on your HoloLens, but depending on which version of Windows Holographic you're using, the capablities may be different. You can learn more about the updated capabilites of the latest version of Cortana [here](https://blogs.windows.com/windowsexperience/2020/02/28/cortana-in-the-upcoming-windows-10-release-focused-on-your-productivity-with-enhanced-security-and-privacy/).

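Review bot: typos on the rewritten line: "capablities" and "capabilites" should both be "capabilities". The rewrite also drops the only instruction for getting Cortana's attention (select Cortana on **Start** or say "Hey Cortana"), yet the list further down still says "remember to say 'Hey Cortana' first"; keep one sentence about invoking Cortana here so that list retains its context.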
@@ -96,22 +109,27 @@ Here are some things you can try saying (remember to say "Hey Cortana" first).
**Hey, Cortana**...
- What can I say?
+- Launch <*app name*>.
+- What time is it?
+- Show me the latest NBA scores.
+- Tell me a joke.
+
+If you're using *version 18362.x or earlier*, you can also use these commands:
+
+**Hey, Cortana**...
+
- Increase the volume.
- Decrease the brightness.
- Shut down.
- Restart.
- Go to sleep.
- Mute.
-- Launch <*app name*>.
- Move <*app name*> here (gaze at the spot that you want the app to move to).
- Go to Start.
- Take a picture.
- Start recording. (Starts recording a video.)
- Stop recording. (Stops recording a video.)
-- What time is it?
-- Show me the latest NBA scores.
- How much battery do I have left?
-- Tell me a joke.
Some Cortana features that you're used to from Windows on your PC or phone (for example, reminders and notifications) aren't supported in Microsoft HoloLens, and the Cortana experience may vary from one region to another.
diff --git a/devices/hololens/hololens-diagnostic-logs.md b/devices/hololens/hololens-diagnostic-logs.md
index 212f936079..0423539b62 100644
--- a/devices/hololens/hololens-diagnostic-logs.md
+++ b/devices/hololens/hololens-diagnostic-logs.md
@@ -27,19 +27,20 @@ HoloLens users and administrators can choose from among four different methods t
- Feedback Hub app
- DiagnosticLog CSP
- Settings app
-- Fallback diagnostics
> [!IMPORTANT]
> Device diagnostic logs contain personally identifiable information (PII), such as about what processes or applications the user starts during typical operations. When multiple users share a HoloLens device (for example, users sign in to the same device by using different Microsoft Azure Active Directory (AAD) accounts) the diagnostic logs may contain PII information that applies to multiple users. For more information, see [Microsoft Privacy statement](https://privacy.microsoft.com/privacystatement).
-The following table compares the four collection methods. The method names link to more detailed information in the sections that follow the table.
+The following table compares the three collection methods. The method names link to more detailed information in the sections that follow the table.
|Method |Prerequisites |Data locations |Data access and use |Data retention |
| --- | --- | --- | --- | --- |
|[Feedback Hub](#feedback-hub) |Network and internet connection
Feedback Hub app
Permission to upload files to the Microsoft cloud |Microsoft cloud
HoloLens device (optional) |User requests assistance, agrees to the terms of use, and uploads the data
Microsoft employees view the data, as consistent with the terms of use |Data in the cloud is retained for the period that is defined by Next Generation Privacy (NGP). Then the data is deleted automatically.
Data on the device can be deleted at any time by a user who has **Device owner** or **Admin** permissions. |
-|[Settings Troubleshooter](#settings-troubleshooter) |Settings app |HoloLens device
Connected computer (optional) |The user stores the data, and only the user accesses the data (unless the user specifically shares the data with another user). |The data is retained until the user deletes it. |
+|[Settings Troubleshooter](#settings-troubleshooter) |Settings app |HoloLens device
Connected computer (optional) |The user stores the data, and only the user accesses the data (unless the user specifically shares the data with another user). |The data is retained until the user deletes it.* |
|[DiagnosticLog CSP](#diagnosticlog-csp) |Network connection
MDM environment that supports the DiagnosticLog CSP |Administrator configures storage locations |In the managed environment, the user implicitly consents to administrator access to the data.
Connected computer |The user stores the data, and only the user accesses the data (unless the user specifically shares the data with another user). |The data is retained until the user deletes it. |
+
+
+- End-user is responsible for sharing the logs responsibly with someone else. These files are primarily useful when contacting customer service and support.
## Feedback Hub
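Review bot: the hunk header's context line still reads "choose from among four different methods" while the rewritten sentence now says "the three collection methods" and "Fallback diagnostics" was removed from the bullet list; update the intro sentence as well. The footnote added at the end ("- End-user is responsible for sharing the logs...") renders as a bullet, but it is referenced by the asterisk added to the Settings Troubleshooter retention cell ("deletes it.*"); drop the leading "- " and start the line with "\*" so it reads as a footnote, and add the same asterisk to the DiagnosticLog CSP row if the note applies to it too, since that row's retention cell carries identical text.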
@@ -110,160 +111,4 @@ The IT administrator uses the DiagnosticLog CSP to configure the data storage, r
- The retention period for the diagnostic information.
- Permissions that control access to the diagnostic information.
-## Fallback diagnostics
-While device telemetry usually provides an initial understanding of a problem report, some issues require a broader and deeper understanding of the device state. When you (as a user or an administrator) investigate such issues, diagnostic logs that reside on the device are more useful than the basic device telemetry.
-
-The fallback diagnostics process provides a way for you to gather diagnostic information if no other methods are available. Such scenarios include the following:
-
-- The network or network-based resources (such as the Feedback Hub, MDM, and so on) are not available.
-- The device is "stuck" or locked in a state in which usual troubleshooting capabilities (such as the Settings app) are not available. Such scenarios include the Out-of-Box-Experience (OOBE), kiosk mode, and a locked or "hung" user interface.
-
-> [!IMPORTANT]
-> - On HoloLens 2 devices, you can use fallback diagnostics under the following conditions only:
-> - During the Out-of-the-Box-Experience (OOBE) and when you select **Send Full Diagnostics Data**.
-> - If the environment's Group Policy enforces the **System\AllowTelemetry** policy value of **Full**.
-> - On HoloLens (1st gen) devices, you can use fallback diagnostics on HoloLens version 17763.316 or a later version. This version is the version that the Windows Device Recovery Tool restores when it resets the device.
-
-### How to use fallback diagnostics
-
-Before you start the fallback diagnostics process, make sure of the following:
-
-- The device is connected to a computer by using a USB cable.
-- The device is powered on.
-- The Power and Volume buttons on the device are functioning correctly.
-
-To collect fallback diagnostic information, follow these steps:
-
-1. On the device, press the Power and Volume Down buttons at the same time and then release them.
-1. Wait for few seconds while the device collects the data.
-
-### Data locations
-
-The device stores the data locally. You can access that information from the connected desktop computer at the following location:
-
-> This PC\\\<*HoloLens device name*>\\Internal Storage\\Documents
-
-For more information about the files that the fallback diagnostics process collects, see [What diagnostics files does the fallback diagnostics process collect?](#what-diagnostics-files-does-the-fallback-diagnostics-process-collect).
-
-### Data access, use, and retention
-
-Because you store the data yourself, only you have access to the data. If you choose to share the data with another user, you implicitly grant permission for that user to access or store the data.
-
-The data remains until you delete it.
-
-### Frequently asked questions about fallback diagnostics on HoloLens
-
-#### Does the device have to be enrolled with an MDM system?
-
-No.
-
-#### How can I use fallback diagnostics on HoloLens?
-
-Before you start the fallback diagnostics process, make sure of the following:
-
-- The device is connected to a computer by using a USB cable.
-- The device is powered on.
-- The Power and Volume buttons on the device are functioning correctly.
-
-To collect fallback diagnostic information, follow these steps:
-
-1. On the device, press the Power and Volume Down buttons at the same time and then release them.
-1. Wait for few seconds while the device collects the data.
-
-#### How would I know that data collection finished?
-
-The fallback diagnostics process does not have a user interface. On HoloLens 2, when the process starts to collect data, it creates a file that is named HololensDiagnostics.temp. When the process finishes, it removes the file.
-
-#### What diagnostics files does the fallback diagnostics process collect?
-
-The fallback diagnostics process collects one or more .zip files, depending on the version of HoloLens. The following table lists each of the possible .zip files, and the applicable versions of HoloLens.
-
-|File |Contents |HoloLens (1st gen) |HoloLens 2 10.0.18362+ |HoloLens 2 10.0.19041+ |
-| --- | --- | --- | --- | --- |
-|HololensDiagnostics.zip |Files for tracing sessions that ran on the device.
Diagnostic information that's specific to Hololens. |✔️ |✔️ |✔️ |
-|DeviceEnrollmentDiagnostics.zip |Information that's related to MDM, device enrollment, CSPs, and policies. | |✔️ |✔️ |
-|AutoPilotDiagnostics.zip |Information that's related to autopilot and licensing.| | |✔️ |
-|TPMDiagnostics.zip |Information that's related to the trusted platform module (TPM) on the device | | |✔️ |
-
-> [!NOTE]
-> Starting on May 2, 2019, the fallback diagnostics process collects EventLog*.etl files only if the signed-in user is the device owner. This is because these files may contain PII data. Such data is accessible to device owners only. This behavior matches the behavior of Windows desktop computers, where administrators have access to event log files but other users do not.
-
-**Sample diagnostic content for HoloLens (1st gen)**
-
-HololensDiagnostics.zip contains files such as the following:
-
-- AuthLogon.etl
-- EventLog-HupRe.etl.001
-- FirstExperience.etl.001
-- HetLog.etl
-- HoloInput.etl.001
-- HoloShell.etl.001
-- WiFi.etl.001
-
-**Sample diagnostic content for HoloLens 2 10.0.18362+**
-
-HololensDiagnostics.zip contains files such as the following:
-
-- EventLog-Application.etl.001*
-- EventLog-System.etl.001*
-- AuthLogon.etl
-- EventLog-HupRe.etl.001
-- FirstExperience.etl.001
-- HetLog.etl
-- HoloInput.etl.001
-- HoloShell.etl.001
-- WiFi.etl.001
-- CSPsAndPolicies.etl.001
-- RadioMgr.etl
-- WiFiDriverIHVSession.etl
-
-DeviceEnrollmentDiagnostics.zip contains files such as the following:
-
-- MDMDiagHtmlReport.html
-- MdmDiagLogMetadata.json
-- MDMDiagReport.xml
-- MdmDiagReport_RegistryDump.reg
-- MdmLogCollectorFootPrint.txt
-
-**Sample diagnostic content for HoloLens 2 10.0.19041+**
-
-HololensDiagnostics.zip contains files such as the following:
-
-- EventLog-Application.etl.001*
-- EventLog-System.etl.001*
-- AuthLogon.etl
-- EventLog-HupRe.etl.001
-- FirstExperience.etl.001
-- HetLog.etl
-- HoloInput.etl.001
-- HoloShell.etl.001
-- WiFi.etl.001
-- CSPsAndPolicies.etl.001
-- RadioMgr.etl
-- WiFiDriverIHVSession.etl
-- DisplayDiagnosticData.json
-- HUP dumps
-
-DeviceEnrollmentDiagnostics.zip contains files such as the following:
-
-- MDMDiagHtmlReport.html
-- MdmDiagLogMetadata.json
-- MDMDiagReport.xml
-- MdmDiagReport_RegistryDump.reg
-- MdmLogCollectorFootPrint.txt
-
-AutoPilotDiagnostics.zip contains files such as the following:
-
-- DeviceHash_HoloLens-U5603.csv
-- LicensingDiag.cab
-- LicensingDiag_Output.txt
-- TpmHliInfo_Output.txt
-- DiagnosticLogCSP_Collector_DeviceEnrollment_\*.etl
-- DiagnosticLogCSP_Collector_Autopilot_*.etl
-
-TPMDiagnostics.zip contains files such as the following:
-
-- CertReq_enrollaik_Output.txt
-- CertUtil_tpminfo_Output.txt
-- TPM\*.etl
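Review bot: removing the whole "Fallback diagnostics" section also removes the only documented collection path for the situations the deleted text lists (no network, device stuck in OOBE or kiosk mode, hung UI) and the PII note that EventLog*.etl files are collected only when the signed-in user is the device owner. If the feature was withdrawn, a one-line statement to that effect would help readers who still find HololensDiagnostics.zip or DeviceEnrollmentDiagnostics.zip under Documents on a device; if it still exists and is only being de-emphasized, keep the section. Either way, check the docs set for inbound links to `#fallback-diagnostics` and `#what-diagnostics-files-does-the-fallback-diagnostics-process-collect`.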
diff --git a/devices/hololens/hololens-encryption.md b/devices/hololens/hololens-encryption.md
index af44d41fb3..6b2cfb74bc 100644
--- a/devices/hololens/hololens-encryption.md
+++ b/devices/hololens/hololens-encryption.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.date: 01/26/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens (1st gen)
---
diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md
index c8b54ac1f2..9eb5eea890 100644
--- a/devices/hololens/hololens-enroll-mdm.md
+++ b/devices/hololens/hololens-enroll-mdm.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.date: 07/15/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens (1st gen)
- HoloLens 2
@@ -29,7 +29,7 @@ You can manage multiple Microsoft HoloLens devices simultaneously using solution
## Auto-enrollment in MDM
-If your organization uses Azure Active Directory (Azure AD) and an MDM solution that accepts an AAD token for authentication (currently, only supported in Microsoft Intune and AirWatch), your IT admin can configure Azure AD to automatically allow MDM enrollment after the user signs in with their Azure AD account. [Learn how to configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment)
+If your organization uses Azure Active Directory (Azure AD) and an MDM solution that accepts an AAD token for authentication (currently, only supported in Microsoft Intune and AirWatch), your IT admin can configure Azure AD to automatically allow MDM enrollment after the user signs in with their Azure AD account. [Learn how to configure Azure AD enrollment.](https://docs.microsoft.com/mem/intune/enrollment/windows-enroll#enable-windows-10-automatic-enrollment)
When auto-enrollment is enabled, no additional manual enrollment is needed. When the user signs in with an Azure AD account, the device is enrolled in MDM after completing the first-run experience.
@@ -41,8 +41,8 @@ When auto-enrollment is enabled, no additional manual enrollment is needed. When
1. Select **Enroll into device management** and enter your organizational account. You will be redirected to your organization's sign in page.
1. Upon successful authentication to the MDM server, a success message is shown.
-Your device is now enrolled with your MDM server. The device will need to restart to acquire policies, certificates, and apps. The Settings app will now reflect that the device is enrolled in device management.
+Your device is now enrolled with your MDM server. The Settings app will now reflect that the device is enrolled in device management.
## Unenroll HoloLens from Intune
-You cannot [unenroll](https://docs.microsoft.com/intune-user-help/unenroll-your-device-from-intune-windows) HoloLens from Intune remotely. If the administrator unenrolls the device using MDM, the device will age out of the Intune dashboard.
\ No newline at end of file
+You cannot [unenroll](https://docs.microsoft.com/intune-user-help/unenroll-your-device-from-intune-windows) HoloLens from Intune remotely. If the administrator unenrolls the device using MDM, the device will age out of the Intune dashboard.
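Review bot: the rewritten enrollment line drops "The device will need to restart to acquire policies, certificates, and apps." without a replacement; if a restart is no longer required, say so explicitly, since readers of the old text will expect one, and if it is only sometimes required, keep a qualified version of the sentence. The second change only adds the missing trailing newline and is fine.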
diff --git a/devices/hololens/hololens-faq-security.md b/devices/hololens/hololens-faq-security.md
index 78dacbb581..85f66c8318 100644
--- a/devices/hololens/hololens-faq-security.md
+++ b/devices/hololens/hololens-faq-security.md
@@ -73,8 +73,6 @@ appliesto:
1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client.
1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices.
-1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?**
- 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities.
## HoloLens 2nd Gen Security Questions
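Review bot: deleting the "SCEP is vulnerable..." question leaves the FAQ without any statement on SCEP hardening, while the answer on the preceding lines still leans on the SCEP challenge string as its mitigation; if scep-whitepaper.md is being retired, fold a sentence about the challenge string and the TPM-protected key into that answer rather than dropping the topic. The identical deletion is repeated in the HoloLens 2nd Gen section below, so keep both in sync. Minor, on the retained context line: "TPM module" is redundant, and what the TPM keeps non-exportable is the private key; the certificate itself is public.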
@@ -125,5 +123,3 @@ appliesto:
1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client.
1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices.
-1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?**
- 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities.
diff --git a/devices/hololens/hololens-feedback.md b/devices/hololens/hololens-feedback.md
index 3199517a90..7fb8c4838e 100644
--- a/devices/hololens/hololens-feedback.md
+++ b/devices/hololens/hololens-feedback.md
@@ -4,7 +4,11 @@ description: Create actionable feedback for HoloLens and Windows Mixed Reality d
ms.assetid: b9b24c72-ff86-44a9-b30d-dd76c49479a9
author: mattzmsft
ms.author: mazeller
-ms.date: 09/13/2019
+ms.date: 05/14/2020
+ms.custom:
+- CI 116157
+- CSSTroubleshooting
+audience: ITPro
ms.prod: hololens
ms.topic: article
keywords: feedback, bug, issue, error, troubleshoot, help
@@ -15,68 +19,66 @@ appliesto:
- HoloLens 2
---
-# Give us feedback
+# Feedback for HoloLens
-Use the Feedback Hub to tell us which features you love, which features you could do without, or when something could be better.
+Use the Feedback Hub to tell us which features you love, which features you could do without, and how something could be better. The engineering team uses the same mechanism internally to track and fix bugs, so please use Feedback Hub to report any bugs that you see. We are listening!
-## Feedback for Windows Mixed Reality immersive headset on PC
+Feedback Hub is an excellent way to alert the engineering team to bugs and to make sure that future updates are healthier and more consistently free of bugs. However, Feedback Hub does not provide a response. If you need immediate help, please file feedback, take note of the summary that you provided for your feedback, and then follow up with [HoloLens support](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f).
-> [!IMPORTANT]
-> Before you report an issue, make sure that your environment meets the following requirements so that you can successfully upload logs and other information:
->
-> - Have a minimum of 3GB free disk space available on the main drive of the device.
-> - To upload cabs or other large files, connect to a non-metered network.
+> [!NOTE]
+>
+> - Make sure you that you have the current version of Feedback Hub. To do this, select **Start** > **Microsoft Store**, and then select the ellipses (**...**). Then, select **Downloads and updates** > **Get updates**.
+>
+> - To provide the best possible data for fixing issues, we highly recommended that you set your device telemetry to **Full**. You can set this value during the Out-of-Box-Experience (OOBE), or by using the Settings app. To do this by using Settings, select **Start** > **Settings** > **Privacy** > **App Diagnostics** > **On**.
-1. Make sure that you have the immersive headset connected to your PC, and then on the desktop, select **Feedback Hub**.
-1. In the left pane, select **Feedback**.
- 
-1. To enter new feedback, select **Add new feedback**.
- 
-1. To make feedback actionable, in **What kind of feedback is this?** select **Problem**.
-1. In **Summarize your issue**, enter a meaningful title for your feedback.
-1. In **Give us more detail**, provide details and repro steps.
- 
+## Use the Feedback Hub
- As the top category, select **Mixed Reality**. Then select an applicable subcategory, as explained in the following table:
-
- |Subcategory |Description |
- |----------|----------|
- | Apps | Issues about a specific application. |
- | Developer | Issues about authoring or running an app for Mixed Reality. |
- | Device | Issues about the head-mounted device (HMD) itself. |
- | Home experience | Issues about your VR environment and your interactions with the your mixed reality home. |
- | Input | Issues about input methods, such as motion controllers, speech, gamepad, or mouse and keyboard. |
- | Set up | Anything that is preventing you from setting up the device. |
- | All other issues | Anything else. |
-
-1. If possible, add traces or video to your feedback to help us identify and fix the issue more quickly. To do this, follow these steps:
- 1. To start collecting traces, select **Start capture**. The app starts collecting traces and a video capture of your mixed reality scenario.
-
- 
- 1. Do not close the Feedback Hub app, but switch to the scenario that produces the issue. Run through the scenario to produce the circumstances that you have described.
- 1. After you finish your scenario, go back to the Feedback Hub app and select **Stop capture**. The app stops collecting information, stores the information in a file, and attaches the file to your feedback.
-1. Select **Submit**.
- 
- The Thank You page indicates that your feedback has been successfully submitted.
- 
+1. Use the **Start** gesture to open the **Start** menu, and then select **Feedback Hub**. The app opens in your environment.
-To easily direct other people (such as co-workers, Microsoft staff, [forum](https://forums.hololens.com/) readers et al) to the issue, go to **Feedback** > **My Feedback**, select the issue, select **Share**. This action provides a shortened URL that you can give to others so that they can upvote or escalate your issue.
+ 
+ > [!NOTE]
+ > If you don't see **Feedback Hub**, select **All Apps** to see the complete list of apps on the device.
-## Feedback for HoloLens
+1. To see whether someone else has given similar feedback, enter a few keywords about the topic in the **Feedback** search box.
+1. If you find similar feedback, select it, add any additional information that you have in the **Write a comment** box, and then select **Upvote**.
+1. If you don't find any similar feedback, select **Add new feedback**.
-1. Use the **bloom** gesture to open the **Start** menu, and then select **Feedback Hub**.
+ 
- 
-1. Place the app in your environment and then select the app to launch it.
-1. To see if someone else has given similar feedback, in the Feedback search box, enter a few keywords about the topic.
+1. In **Summarize your feedback**, enter a short summary of your feedback. Then add details in the **Explain in more detail** box. The more details that you provide, such as how to reproduce this problem and the effect that it has, the more useful your feedback is. When you're finished, select **Next**.
- 
-1. If you find similar feedback, select it, add any details, then select **Upvote**.
+1. Select a topic from **Choose a category**, and then select a subcategory from **Select a subcategory**. The following table describes the categories that are available in the Windows Holographic category.
- 
-1. If you don’t find any similar feedback, select **Add new feedback**, select a topic from **Select a category**, and then select a subcategory from **Select a subcategory**.
+ > [!NOTE]
+ > **Commercial customers**: To report a bug that is related to MDM, provisioning, or any other device management aspect, select the **Enterprise Management** category, and the **Device** subcategory.
- 
-1. Enter your feedback.
-1. If you are reporting a reproducible issue, you can select **Reproduce**. Without closing Feedback Hub, reproduce the issue. After you finish, come back to Feedback Hub and select **I’m done**. The app adds a mixed reality capture of your repro and relevant diagnostic logs to your feedback.
-1. Select **Post feedback**, and you’re done.
+ |Category |Description |
+ | --- | --- |
+ |Eye tracking |Feedback about eye tracking, iris sign-in, or calibration. |
+ |Hologram accuracy, stability, and reliability |Feedback about how holograms appear in space. |
+ |Launching, placing, adjusting, and exiting apps |Feedback about starting or stopping 2D or 3D apps. |
+ |Miracast |Feedback about Miracast. |
+ |Spaces and persistence |Feedback about how HoloLens recognizes spaces and retains holograms in space. |
+ |Start menu and all apps list |Feedback about the **Start** menu and the all apps list. |
+ |Surface mapping |Feedback about surface mapping. |
+ |Taking pictures and videos |Feedback about mixed reality captures. |
+ |Video hologram playback |Feedback about video hologram playback. |
+ |All other issues |All other issues. |
+
+1. You may be prompted to search for similar feedback. If your problem resembles feedback from other users, select that feedback. Otherwise, select **New feedback** and then select **Next**.
+
+1. If you are prompted, select the best description of the problem.
+
+1. Attach any relevant data to your feedback, or reproduce the problem. You can select any of the following options:
+
+ - **Attach a screenshot**. Select this option to attach a screenshot that illustrates the situation that you're describing.
+ - **Attach a file**. Select this option to attach data files. If you have files that are relevant to your problem or that could help us to reproduce your problem, attach them.
+ - **Recreate my problem**. Select this option if you can reproduce the problem yourself. After you select **Recreate my problem**, follow these steps:
+
+ 1. Select **Include data about** and make sure that the most relevant types of data are listed. In most cases, the default selections are based on the category and subcategory that you selected for your feedback.
+ 1. Select **Start Recording**.
+
+ 1. Reproduce your problem. Don’t worry if this means that you have to enter an immersive app. You will return to the feedback page when you're done.
+ 1. Select **Stop recording**. After recording stops, you can see the data that is attached to your feedback for the engineering team.
+
+1. Make sure that you have an active internet connection so that we can receive your feedback. Select **Submit**, and you’re done.
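Review bot: in the new note, "Make sure you that you have" should be "Make sure that you have", and "we highly recommended that you set" should be "we highly recommend that you set". The same note says to set device telemetry to **Full** via **Settings** > **Privacy** > **App Diagnostics** > **On**; please verify that path, because on Windows 10 the diagnostic data level (Basic/Full) is set under **Privacy** > **Diagnostics & feedback**, and App diagnostics is a separate permission for apps to read diagnostic information about other apps. The lines "Don’t worry" and "you’re done" keep curly apostrophes, whereas the rest of this PR normalizes to straight quotes. Finally, the removed "Feedback for Windows Mixed Reality immersive headset on PC" section, including its 3GB free-space and non-metered-network prerequisites, is dropped rather than moved; confirm that content lives elsewhere.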
diff --git a/devices/hololens/hololens-identity.md b/devices/hololens/hololens-identity.md
index e1fab33818..08af92c386 100644
--- a/devices/hololens/hololens-identity.md
+++ b/devices/hololens/hololens-identity.md
@@ -32,7 +32,7 @@ HoloLens supports several kinds of user identities. You can use one or more user
| Identity type | Accounts per device | Authentication options |
| --- | --- | --- |
-| [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/) | 32 (see details) |
Azure web credential provider
Azure Authenticator App
Biometric (Iris) – HoloLens 2 only
PIN – Optional for HoloLens (1st gen), required for HoloLens 2
Password
|
+| [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/) | 64 |
Azure web credential provider
Azure Authenticator App
Biometric (Iris) – HoloLens 2 only
PIN – Optional for HoloLens (1st gen), required for HoloLens 2
PIN – Optional for HoloLens (1st gen), required for HoloLens 2
Password
|
| [Local account](https://docs.microsoft.com/windows/security/identity-protection/access-control/local-accounts) | 1 | Password |
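Review bot: the new AAD row lists "PIN – Optional for HoloLens (1st gen), required for HoloLens 2" twice; drop the duplicate line. The accounts-per-device value changes from "32 (see details)" to "64" with nothing in the hunk explaining the new limit; confirm the figure and record the reason in the PR description. Also, the authentication-options cell spans several physical lines here, so check the rendered table to make sure the line breaks inside the cell are preserved as intended.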
diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md
index 7ee4140703..5bc9b7a304 100644
--- a/devices/hololens/hololens-insider.md
+++ b/devices/hololens/hololens-insider.md
@@ -11,9 +11,9 @@ ms.custom:
- CSSTroubleshooting
ms.localizationpriority: medium
audience: ITPro
-ms.date: 1/6/2020
+ms.date: 4/21/2020
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens 2
---
@@ -34,6 +34,9 @@ Select **Confirm -> Restart Now** to finish up. After your device has rebooted,
If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](hololens-recovery.md) using the Advanced Recovery Companion to recover your device to a non-Insider version of Windows Holographic.
+> [!CAUTION]
+> There is a known issue in which users who un-enroll from Insider Preview builds after manually reinstalling a fresh preview build would experience a blue screen. Afterwards they must manually recover their device. For full details on if you would be impacted or not, please view more on this [Known Issue](https://docs.microsoft.com/hololens/hololens-known-issues?source=docs#blue-screen-is-shown-after-unenrolling-from-insider-preview-builds-on-a-device-reflashed-with-a-insider-build).
+
To verify that your HoloLens is running a production build:
1. Go to **Settings > System > About**, and find the build number.
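Review bot: the new CAUTION needs a wording pass: "users who un-enroll from Insider Preview builds after manually reinstalling a fresh preview build would experience a blue screen" mixes tenses (use "experience"), and "For full details on if you would be impacted or not, please view more on this Known Issue" reads awkwardly; suggest "To find out whether this issue affects your device, see this Known Issue". The link also carries a `?source=docs` query string that looks like a tracking parameter rather than part of the target; consider dropping it so the anchor link stays clean.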
@@ -44,6 +47,8 @@ To opt out of Insider builds:
1. On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**.
1. Follow the instructions to opt out your device.
+
+
## Provide feedback and report issues
Please use [the Feedback Hub app](hololens-feedback.md) on your HoloLens to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way.
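Review bot: the two added lines before "## Provide feedback and report issues" are whitespace only; a single blank line separating the opt-out list from the heading is enough, so drop the extra one.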
@@ -58,59 +63,9 @@ You are welcome and encouraged to try developing your applications using Insider
## Windows Insider Release Notes
-HoloLens 2 Windows Insider builds are full of new features and improvements. Sign up for Windows Insider Fast or Slow flights to test them out!
-Here's a quick summary of what's new:
+As of our [Windows Holographic May 2020 Update](hololens-release-notes.md) release all of our release preview feautres are now generally avalible! Make sure to [update your HoloLens](hololens-update-hololens.md) to get all the latest features.
-- Support for FIDO2 Security Keys to enable secure and easy authentication for shared devices
-- Seamlessly apply a provisioning package from a USB drive to your HoloLens
-- Use a provisioning packages to enroll your HoloLens to your Mobile Device Management system
-- Use Windows AutoPilot to set up and pre-configure new devices, quickly getting them ready for productive use. Send a note to hlappreview@microsoft.com to join the preview.
-- Dark Mode - HoloLens customers can now choose the default mode for apps that support both color schemes! Based on customer feedback, with this update we are setting the default app mode to "dark," but you can easily change this setting at any time.
-- Support for additional system voice commands
-- Hand Tracking improvements to reduce the tendency to close the index finger when pointing. This should make button pressing and 2D slate usage feel more accurate
-- Performance and stability improvements across the product
-- More information in settings on HoloLens about the policy pushed to the device
-
-Once you've had a chance to explore these new capabilities, use the Feedback Hub app to let us know what you think. Feedback you provide in the Feedback Hub goes directly to our engineers.
-
-### FIDO 2 support
-Many of you share a HoloLens with lots of people in a work or school environment. Whether devices are shared between students in a classroom or they're checked out from a device locker, it's important to be able to change users quickly and easily without typing long user names and passwords. FIDO lets anyone in your organization (AAD tenant) seamlessly sign in to HoloLens without entering a username or password.
-
-Read the [passwordless security docs](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to get started.
-
-### Provisioning package updates
-Provisioning packages let you set HoloLens configuration through a config file rather than going through the HoloLens out of box experience. Previously, provisioning packages had to be copied onto HoloLens' internal memory, now they can be on a USB drive so they're easier to re-use on multiple HoloLens and so more people can provision HoloLens in parallel.
-
-1. To try it out, download the latest version of the Windows Configuration Designer from the Windows store onto your PC.
-1. Select **Provision HoloLens Devices** > Select **Provision HoloLens 2 devices**
-1. Build your configuration profile and, when you're done, copy all files created to a USB-C storage device.
-1. Plug it into any freshly flashed HoloLens and press **Volume down + Power** to apply your provisioning package.
-
-### System voice commands
-You can now can access these commands with your voice:
-- "Restart device"
-- "Shutdown device"
-- "Brightness up"
-- "Brightness down"
-- "Volume up"
-- "Volume down"
-- "What is my IP address?"
-
-If you're running your system with a different language, please try the appropriate commands in that language.
-
-### Dark mode
-Many Windows apps support both dark and light modes, and now HoloLens customers can choose the default mode for apps that support both. Once updated, the default app mode will be "dark," but can be changed easily. Navigate to **Settings > System > Colors to find "Choose your default app mode."**
-Here are some of the in-box apps that support Dark mode!
-- Settings
-- Microsoft Store
-- Mail
-- Calendar
-- File Explorer
-- Feedback Hub
-- OneDrive
-- Photos
-- 3D Viewer
-- Movies & TV
+We'll be updating this page again with new features again as we release them to Windows Insider builds.
### FFU download and flash directions
To test with a flight signed ffu, you first have to flight unlock your device prior to flashing the flight signed ffu.
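Review bot: typos in the new summary sentence: "feautres" should be "features", "avalible" should be "available", and "As of our ... release all of our" needs a comma after "release". The closing sentence repeats "again" ("We'll be updating this page again with new features again"); keep one. Also, the removed FIDO2, provisioning-package, system voice command and dark mode sections are replaced only by a pointer to hololens-release-notes.md; confirm that those details (for example the "Volume down + Power" step for applying a provisioning package and the link to the passwordless security-key docs) are present there so the information is not lost.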
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index aab93e1b8a..1bbd7ddefd 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -1,5 +1,5 @@
---
-title: Set up HoloLens as a kiosk for specific applications
+title: Set up HoloLens as a kiosk
description: Use a kiosk configuration to lock down the apps on HoloLens.
ms.prod: hololens
ms.sitesec: library
@@ -7,82 +7,361 @@ author: dansimp
ms.author: dansimp
ms.topic: article
ms.localizationpriority: medium
-ms.date: 11/13/2018
+ms.date: 04/27/2020
ms.custom:
+- CI 115262
- CI 111456
- CSSTroubleshooting
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
-# Set up HoloLens as a kiosk for specific applications
+# Set up HoloLens as a kiosk
-In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#add-guest-access-to-the-kiosk-configuration-optional)
+You can configure a HoloLens device to function as a fixed-purpose device, also called a *kiosk*, by configuring the device to run in kiosk mode. Kiosk mode limits the applications (or users) that are available on the device. Kiosk mode is a convenient feature that you can use to dedicate a HoloLens device to business apps, or to use the HoloLens device in an app demo.
-When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access.
+This article provides information about aspects of kiosk configuration that are specific to HoloLens devices. For general information about the different types of Windows-based kiosks and how to configure them, see [Configure kiosks and digital signs on Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-methods).
-Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the [start gestures](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) (including [Bloom](https://docs.microsoft.com/hololens/hololens1-basic-usage) on HoloLens (1st Gen)) and Cortana are disabled, and placed apps aren't shown in the user's surroundings.
+> [!IMPORTANT]
+> Kiosk mode determines which apps are available when a user signs in to the device. However, kiosk mode is not a security method. It does not stop an "allowed" app from opening another app that is not allowed. In order to block apps or processes from opening, use [Windows Defender Application Control (WDAC) CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) to create appropriate policies.
-The following table lists the device capabilities in the different kiosk modes.
+You can use kiosk mode in either a single-app or a multi-app configuration, and you can use one of three processes to set up and deploy the kiosk configuration.
-Kiosk mode | Voice and Bloom commands | Quick actions menu | Camera and video | Miracast
---- | --- | --- | --- | ---
-Single-app kiosk |  |  |  | 
-Multi-app kiosk |  |  with **Home** and **Volume** (default)
Photo and video buttons shown in Quick actions menu if the Camera app is enabled in the kiosk configuration.
Miracast is shown if the Camera app and device picker app are enabled in the kiosk configuration. |  if the Camera app is enabled in the kiosk configuration. |  if the Camera app and device picker app are enabled in the kiosk configuration.
+> [!IMPORTANT]
+> Deleting the multi-app configuration removes the user lockdown profiles that the assigned access feature created. However, it does not revert all the policy changes. To revert these policies, you have to reset the device to the factory settings.
-> [!NOTE]
-> Use the Application User Model ID (AUMID) to allow apps in your kiosk configuration. The Camera app AUMID is `HoloCamera_cw5n1h2txyewy!HoloCamera`. The device picker app AUMID is `HoloDevicesFlow_cw5n1h2txyewy!HoloDevicesFlow`.
+## Plan the kiosk deployment
-The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration.
+### Kiosk mode requirements
-> [!WARNING]
-> The assigned access feature which enables kiosk mode is intended for corporate-owned fixed-purpose devices. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all [the enforced policies](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#policies-set-by-multi-app-kiosk-configuration). A factory reset is needed to clear all the policies enforced via assigned access.
->
-> Be aware that voice commands are enabled for kiosk mode configured in Microsoft Intune or provisioning packages, even if the Cortana app is not selected as a kiosk app.
+You can configure any HoloLens 2 device to use kiosk mode.
-For HoloLens devices running Windows 10, version 1803, there are three methods that you can use to configure the device as a kiosk:
-- You can use [Microsoft Intune or other mobile device management (MDM) service](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803) to configure single-app and multi-app kiosks.
-- You can [use a provisioning package](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure single-app and multi-app kiosks.
-- You can [use the Windows Device Portal](#set-up-kiosk-mode-using-the-windows-device-portal-windows-10-version-1607-and-version-1803) to configure single-app kiosks. This method is recommended only for demonstrations, as it requires that developer mode be enabled on the device.
+To configure a HoloLens (1st gen) device to use kiosk mode, you must first make sure that the device runs Windows 10, version 1803, or a later version. If you have used the Windows Device Recovery Tool to recover your HoloLens (1st gen) device to its default build, or if you have installed the most recent updates, your device is ready to configure.
-For HoloLens devices running Windows 10, version 1607, you can [use the Windows Device Portal](#set-up-kiosk-mode-using-the-windows-device-portal-windows-10-version-1607-and-version-1803) to configure single-app kiosks.
+> [!IMPORTANT]
+> To help protect devices that run in kiosk mode, consider adding device management policies that turn off features such as USB connectivity. Additionally, check your update ring settings to make sure that automatic updates do not occur during business hours.
-## Start layout for HoloLens
+### Decide between a single-app kiosk or a multi-app kiosk
-If you use [MDM, Microsoft Intune](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803), or a [provisioning package](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Holographic for Business, so you'll need to use a placeholder Start layout.
+A single-app kiosk starts the specified app when the user signs in to the device. The Start menu is disabled, as is Cortana. A HoloLens 2 device does not respond to the [Start](hololens2-basic-usage.md#start-gesture) gesture. A HoloLens (1st gen) device does not respond to the [bloom](hololens1-basic-usage.md) gesture. Because only one app can run, the user cannot place other apps.
-> [!NOTE]
-> Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed.
+A multi-app kiosk displays the Start menu when the user signs in to the device. The kiosk configuration determines which apps are available on the Start menu. You can use a multi-app kiosk to provide an easy-to-understand experience for users by presenting to them only the things that they have to use, and removing the things they don't need to use.
-### Start layout file for MDM (Intune and others)
+The following table lists the feature capabilities in the different kiosk modes.
-Save the following sample as an XML file. You can use this file when you configure the multi-app kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile).
+| |Start menu |Quick Actions menu |Camera and video |Miracast |Cortana |Built-in voice commands |
+| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
+|Single-app kiosk |Disabled |Disabled |Disabled |Disabled |Disabled |Enabled1 |
+|Multi-app kiosk |Enabled |Enabled2 |Available2 |Available2 |Available2, 3 |Enabled1 |
-> [!NOTE]
-> If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-a-provisioning-package).
+> 1 Voice commands that relate to disabled features do not function.
+> 2 For more information about how to configure these features, see [Select kiosk apps](#plan-kiosk-apps).
+> 3 Even if Cortana is disabled, the built-in voice commands are enabled.
+
+The following table lists the user support features of the different kiosk modes.
+
+| |Supported user types | Automatic sign-in | Multiple access levels |
+| --- | --- | --- | --- |
+|Single-app kiosk |Managed Service Account (MSA) in Azure Active Directory (AAD) or local account |Yes |No |
+|Multi-app kiosk |AAD account |No |Yes |
+
+For examples of how to use these capabilities, see the following table.
+
+|Use a single-app kiosk for: |Use a multi-app kiosk for: |
+| --- | --- |
+|A device that runs only a Dynamics 365 Guide for new employees. |A device that runs both Guides and Remote Assistance for a range of employees. |
+|A device that runs only a custom app. |A device that functions as a kiosk for most users (running only a custom app), but functions as a standard device for a specific group of users. |
+
+### Plan kiosk apps
+
+For general information about how to choose kiosk apps, see [Guidelines for choosing an app for assigned access (kiosk mode)](https://docs.microsoft.com/windows/configuration/guidelines-for-assigned-access-app).
+
+If you use the Windows Device Portal to configure a single-app kiosk, you select the app during the setup process.
+
+If you use a Mobile Device Management (MDM) system or a provisioning package to configure kiosk mode, you use the [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to specify applications. The CSP uses [Application User Model IDs (AUMIDs)](https://docs.microsoft.com/windows/configuration/find-the-application-user-model-id-of-an-installed-app) to identify applications. The following table lists the AUMIDs of some in-box applications that you can use in a multi-app kiosk.
+
+> [!CAUTION]
+> You cannot select the Shell app as a kiosk app. Addition, we recommend that you do **not** select Microsoft Edge, Microsoft Store, or File Explorer as a kiosk app.
+
+
+
+|App Name |AUMID |
+| --- | --- |
+|3D Viewer |Microsoft.Microsoft3DViewer\_8wekyb3d8bbwe\!Microsoft.Microsoft3DViewer |
+|Calendar |microsoft.windowscommunicationsapps\_8wekyb3d8bbwe\!microsoft.windowslive.calendar |
+|Camera1, 2 |HoloCamera\_cw5n1h2txyewy\!HoloCamera |
+|Cortana3 |Microsoft.549981C3F5F10\_8wekyb3d8bbwe\!App |
+|Device Picker |HoloDevicesFlow\_cw5n1h2txyewy\!HoloDevicesFlow |
+|Dynamics 365 Guides |Microsoft.Dynamics365.Guides\_8wekyb3d8bbwe\!MicrosoftGuides |
+|Dynamics 365 Remote Assist |Microsoft.MicrosoftRemoteAssist\_8wekyb3d8bbwe\!Microsoft.RemoteAssist |
+|Feedback Hub |Microsoft.WindowsFeedbackHub\_8wekyb3d8bbwe\!App |
+|File Explorer |c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy!App |
+|Mail |microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail |
+|Microsoft Store |Microsoft.WindowsStore_8wekyb3d8bbwe!App |
+|Miracast4 | |
+|Movies & TV |Microsoft.ZuneVideo\_8wekyb3d8bbwe\!Microsoft.ZuneVideo |
+|OneDrive |microsoft.microsoftskydrive\_8wekyb3d8bbwe\!App |
+|Photos |Microsoft.Windows.Photos\_8wekyb3d8bbwe\!App |
+|Settings |HolographicSystemSettings\_cw5n1h2txyewy\!App |
+|Tips |Microsoft.HoloLensTips\_8wekyb3d8bbwe\!HoloLensTips |
+
+> 1 To enable photo or video capture, you have to enable the Camera app as a kiosk app.
+> 2 When you enable the Camera app, be aware of the following conditions:
+> - The Quick Actions menu includes the Photo and Video buttons.
+> - You should also enable an app (such as Photos, Mail, or OneDrive) that can interact with or retrieve pictures.
+>
+> 3 Even if you do not enable Cortana as a kiosk app, built-in voice commands are enabled. However, commands that are related to disabled features have no effect.
+> 4 You cannot enable Miracast directly. To enable Miracast as a kiosk app, enable the Camera app and the Device Picker app.
+
+### Plan user and device groups
+
+In an MDM environment, you use groups to manage device configurations and user access.
+
+The kiosk configuration profile includes the **User logon type** setting. **User logon type** identifies the user (or group that contains the users) who can use the app or apps that you add. If a user signs in by using an account that is not included in the configuration profile, that user cannot use apps on the kiosk.
+
+> [!NOTE]
+> The **User logon type** of a single-app kiosk specifies a single user account. This is the user context under which the kiosk runs. The **User logon type** of a multi-app kiosk can specify one or more user accounts or groups that can use the kiosk.
+
+Before you can deploy the kiosk configuration to a device, you have to *assign* the kiosk configuration profile to a group that contains the device or a user who can sign in to the device. This setting produces behavior such as the following.
+
+- If the device is a member of the assigned group, the kiosk configuration deploys to the device the first time that any user signs in on the device.
+- If the device is not a member of the assigned group, but a user who is a member of that group signs in, the kiosk configuration deploys to the device at that time.
+
+For a full discussion of the effects of assigning configuration profiles in Intune, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/intune/configuration/device-profile-assign).
+
+> [!NOTE]
+> The following examples describe multi-app kiosks. Single-app kiosks behave in a similar manner, but only one user account gets the kiosk experience.
+
+**Example 1**
+
+You use a single group (Group 1) for both devices and users. One device and users A, B, and C are members of this group. You configure the kiosk configuration profile as follows:
+
+- **User logon type**: Group 1
+- **Assigned group**: Group 1
+
+Regardless of which user signs on to the device first (and goes through the Out-of-Box Experience, or OOBE), the kiosk configuration deploys to the device. Users A, B, and C can all sign in to the device and get the kiosk experience.
+
+**Example 2**
+
+You contract out devices to two different vendors who need different kiosk experiences. Both vendors have users, and you want all the users to have access to kiosks from both their own vendor and the other vendor. You configure groups as follows:
+
+- Device Group 1:
+ - Device 1 (Vendor 1)
+ - Device 2 (Vendor 1)
+
+- Device Group 2:
+ - Device 3 (Vendor 2)
+ - Device 4 (Vendor 2)
+
+- User Group:
+ - User A (Vendor 1)
+ - User B (Vendor 2)
+
+You create two kiosk configuration profiles that have the following settings:
+
+- Kiosk Profile 1:
+ - **User logon type**: User Group
+ - **Assigned group**: Device Group 1
+
+- Kiosk Profile 2:
+ - **User logon type**: User Group
+ - **Assigned group**: Device Group 2
+
+These configurations produce the following results:
+
+- When any user signs in to Device 1 or Device 2, Intune deploys Kiosk Profile 1 to that device.
+- When any user signs in to Device 3 or Device 4, Intune deploys Kiosk Profile 2 to that device.
+- User A and user B can sign in to any of the four devices. If they sign in to Device 1 or Device 2, they see the Vendor 1 kiosk experience. If they sign in to Device 3 or Device 4, they see the Vendor 2 kiosk experience.
+
+#### Profile conflicts
+
+If two or more kiosk configuration profiles target the same device, they conflict. In the case of Intune-managed devices, Intune does not apply any of the conflicting profiles.
+
+Other kinds of profiles and policies, such as device restrictions that are not related to the kiosk configuration profile, do not conflict with the kiosk configuration profile.
+
+### Select a deployment method
+
+You can select one of the following methods to deploy kiosk configurations:
+
+- [Microsoft Intune or other mobile device management (MDM) service](#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk)
+
+- [Provisioning package](#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk)
+
+- [Windows Device Portal](#use-the-windows-device-portal-to-set-up-a-single-app-kiosk)
+
+ > [!NOTE]
+ > Because this method requires that Developer Mode be enabled on the device, we recommend that you use it only for demonstrations.
+
+The following table lists the capabilities and benefits of each of the deployment methods.
+
+| |Deploy by using Windows Device Portal |Deploy by using a provisioning package |Deploy by using MDM |
+| --------------------------- | ------------- | -------------------- | ---- |
+|Deploy single-app kiosks | Yes | Yes | Yes |
+|Deploy multi-app kiosks | No | Yes | Yes |
+|Deploy to local devices only | Yes | Yes | No |
+|Deploy by using Developer Mode |Required | Not required | Not required |
+|Deploy by using Azure Active Directory (AAD) | Not required | Not required | Required |
+|Deploy automatically | No | No | Yes |
+|Deployment speed | Fastest | Fast | Slow |
+|Deploy at scale | Not recommended | Not recommended | Recommended |
+
+## Use Microsoft Intune or other MDM to set up a single-app or multi-app kiosk
+
+To set up kiosk mode by using Microsoft Intune or another MDM system, follow these steps.
+
+1. [Prepare to enroll the devices](#mdmenroll).
+1. [Create a kiosk configuration profile](#mdmprofile).
+1. Configure the kiosk.
+ - [Configure the settings for a single-app kiosk](#mdmconfigsingle).
+ - [Configure the settings for a multi-app kiosk](#mdmconfigmulti).
+1. [Assign the kiosk configuration profile to a group](#mdmassign).
+1. Deploy the devices.
+ - [Deploy a single-app kiosk](#mdmsingledeploy).
+ - [Deploy a multi-app kiosk](#mdmmultideploy).
+
+### MDM, step 1 – Prepare to enroll the devices
+
+You can configure your MDM system to enroll HoloLens devices automatically when the user first signs in, or have users enroll devices manually. The devices also have to be joined to your Azure AD domain, and assigned to the appropriate groups.
+
+For more information about how to enroll the devices, see [Enroll HoloLens in MDM](hololens-enroll-mdm.md) and [Intune enrollment methods for Windows devices](https://docs.microsoft.com/mem/intune/enrollment/windows-enrollment-methods).
+
+### MDM, step 2 – Create a kiosk configuration profile
+
+1. Open the [Azure](https://portal.azure.com/) portal and sign in to your Intune administrator account.
+1. Select **Microsoft Intune** > **Device configuration - Profiles** > **Create profile**.
+1. Enter a profile name.
+1. Select **Platform** > **Windows 10 and later**, and then select **Profile type** >**Device restrictions**.
+1. Select **Configure** > **Kiosk**, and then select one of the following:
+ - To create a single-app kiosk, select **Kiosk Mode** > **Single-app kiosk**.
+ - To create a multi-app kiosk, select **Kiosk Mode** > **Multi-app kiosk**.
+1. To start configuring the kiosk, select **Add**.
+
+Your next steps differ depending on the type of kiosk that you want. For more information, select one of the following options:
+
+- [Single-app kiosk](#mdmconfigsingle)
+- [Multi-app kiosk](#mdmconfigmulti)
+
+For more information about how to create a kiosk configuration profile, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/configuration/kiosk-settings).
+
+### MDM, step 3 (single-app) – Configure the settings for a single-app kiosk
+
+This section summarizes the settings that a single-app kiosk requires. For more details, see the following articles:
+
+- For information about how to configure a kiosk configuration profile in Intune, see [How to Configure Kiosk Mode Using Microsoft Intune](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune).
+- For more information about the available settings for single-app kiosks in Intune, see [Single full-screen app kiosks](https://docs.microsoft.com/intune/configuration/kiosk-settings-holographic#single-full-screen-app-kiosks)
+- For other MDM services, check your provider's documentation for instructions. If you have to use a custom XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#ppkioskconfig).
+
+1. Select **User logon type** > **Local user account**, and then enter the user name of the local (device) account or Microsoft Account (MSA) that can sign in to the kiosk.
+ > [!NOTE]
+ > **Autologon** user account types aren't supported on Windows Holographic for Business.
+1. Select **Application type** > **Store app**, and then select an app from the list.
+
+Your next step is to [assign](#mdmassign) the profile to a group.
+
+### MDM, step 3 (multi-app) – Configure the settings for a multi-app kiosk
+
+This section summarizes the settings that a multi-app kiosk requires. For more detailed information, see the following articles:
+
+- For information about how to configure a kiosk configuration profile in Intune, see [How to Configure Kiosk Mode Using Microsoft Intune](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune).
+- For more information about the available settings for multi-app kiosks in Intune, see [Multi-app kiosks](https://docs.microsoft.com/mem/intune/configuration/kiosk-settings-holographic#multi-app-kiosks)
+- For other MDM services, check your provider's documentation for instructions. If you need to use a custom XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#ppkioskconfig). If you use an XML file, make sure to include the [Start layout](#start-layout-for-hololens).
+- You can optionally use a custom Start layout with Intune or other MDM services. For more information, see [Start layout file for MDM (Intune and others)](#start-layout-file-for-mdm-intune-and-others).
+
+1. Select **Target Windows 10 in S mode devices** > **No**.
+ >[!NOTE]
+ > S mode isn't supported on Windows Holographic for Business.
+1. Select **User logon type** > **Azure AD user or group** or **User logon type** > **HoloLens visitor**, and then add one or more user groups or accounts.
+
+ Only users who belong to the groups or accounts that you specify in **User logon type** can use the kiosk experience.
+
+1. Select one or more apps by using the following options:
+ - To add an uploaded line-of-business app, select **Add store app** and then select the app that you want.
+ - To add an app by specifying its AUMID, select **Add by AUMID** and then enter the AUMID of the app. [See the list of available AUMIDs](#aumids)
+
+Your next step is to [assign](#mdmassign) the profile to a group.
+
+### MDM, step 4 – Assign the kiosk configuration profile to a group
+
+Use the **Assignments** page of the kiosk configuration profile to set where you want the kiosk configuration to deploy. In the simplest case, you assign the kiosk configuration profile to a group that will contain the HoloLens device when the device enrolls in MDM.
+
+### MDM, step 5 (single-app) – Deploy a single-app kiosk
+
+When you use an MDM system, you can enroll the device in MDM during OOBE. After OOBE finishes, signing in to the device is easy.
+
+During OOBE, follow these steps:
+
+1. Sign in by using the account that you specified in the kiosk configuration profile.
+1. Enroll the device. Make sure that the device is added to the group that the kiosk configuration profile is assigned to.
+1. Wait for OOBE to finish, for the store app to download and install, and for policies to be applied. Then restart the device.
+
+The next time you sign in to the device, the kiosk app should automatically start.
+
+If you don't see your kiosk configuration at this point, [check the assignment status](https://docs.microsoft.com/intune/configuration/device-profile-monitor).
+
+### MDM, step 5 (multi-app) – Deploy a multi-app kiosk
+
+When you use an MDM system, you can join the device to your Azure AD tenant and enroll the device in MDM during OOBE. If appropriate, provide the enrollment information to the users so that they have it available during the OOBE process.
+
+> [!NOTE]
+> If you have assigned the kiosk configuration profile to a group that contains users, make sure that one of those user accounts is the first account to sign in to the device.
+
+During OOBE, follow these steps:
+
+1. Sign in by using the account that belongs to the **User logon type** group.
+1. Enroll the device.
+1. Wait for any apps that are part of the kiosk configuration profile to download and install. Also, wait for policies to be applied.
+1. After OOBE finishes, you can install additional apps from the Microsoft store or by sideloading. [Required apps](https://docs.microsoft.com/mem/intune/apps/apps-deploy#assign-an-app) for the group that the device belongs to install automatically.
+1. After the installation finishes, restart the device.
+
+The next time you sign in to the device by using an account that belongs to the **User logon type**, the kiosk app should automatically launch.
+
+If you don't see your kiosk configuration at this point, [check the assignment status](https://docs.microsoft.com/intune/configuration/device-profile-monitor).
+
+## Use a provisioning package to set up a single-app or multi-app kiosk
+
+To set up kiosk mode by using a provisioning package, follow these steps.
+
+1. [Create an XML file that defines the kiosk configuration.](#ppkioskconfig), including a [Start layout](#start-layout-for-hololens).
+2. [Add the XML file to a provisioning package.](#ppconfigadd)
+3. [Apply the provisioning package to HoloLens.](#ppapply)
+
+### Provisioning package, step 1 – Create a kiosk configuration XML file
+
+Follow [the general instructions to create a kiosk configuration XML file for Windows desktop](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#create-xml-file), except for the following:
+
+- Do not include Classic Windows applications (Win32). HoloLens does not support these applications.
+- Use the [placeholder Start layout XML](#start-layout-for-hololens) for HoloLens.
+- Optional: Add guest access to the kiosk configuration
+
+#### Optional: Add guest access to the kiosk configuration
+
+In the [**Configs** section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group named **Visitor** to allow guests to use the kiosk. When the kiosk is configured to support the **Visitor** special group, a "**Guest**" option is added to the sign-in page. The **Guest** account does not require a password, and any data that is associated with the account is deleted when the account signs out.
+
+To enable the **Guest** account, add the following snippet to your kiosk configuration XML:
```xml
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
```
-### Start layout for a provisioning package
+#### Placeholder Start layout for HoloLens
-You will [create an XML file](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to define the kiosk configuration to be included in a provisioning package. Use the following sample in the `StartLayout` section of your XML file.
+If you use a [provisioning package](##use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Windows Holographic for Business. Therefore, you'll have to use a placeholder Start layout.
+
+> [!NOTE]
+> Because a single-app kiosk starts the kiosk app when a user signs in, it does not use a Start menu and does not have to have a Start layout.
+
+> [!NOTE]
+> If you use [MDM](#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk) to set up a multi-app kiosk, you can optionally use a Start layout. For more information, see [Placeholder Start layout file for MDM (Intune and others)](#start-layout-file-for-mdm-intune-and-others).
+
+For the Start layout, add the following **StartLayout** section to the kiosk provisioning XML file:
```xml
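Review bot: the anchor in `+If you use a [provisioning package](##use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk)` has a doubled `#`, so the link will not resolve; use `#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk`. The short anchors `#ppkioskconfig`, `#ppconfigadd`, `#ppapply`, `#mdmassign` and `#aumids` do not match the auto-generated ids of the new headings (for example `### Provisioning package, step 1 – Create a kiosk configuration XML file`), so they only work if explicit anchor tags are defined elsewhere in the file; confirm that before merging. Style: `1. [Create an XML file that defines the kiosk configuration.](#ppkioskconfig), including a [Start layout](#start-layout-for-hololens).` puts a period inside the link text and then continues the sentence; move the period to the end. The bullets ending `[Multi-app kiosks](...)` and `[See the list of available AUMIDs](#aumids)` are missing terminal periods.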
@@ -104,116 +383,94 @@ You will [create an XML file](#set-up-kiosk-mode-using-a-provisioning-package-wi
```
-## Set up kiosk mode using Microsoft Intune or MDM (Windows 10, version 1803)
+#### Placeholder Start layout file for MDM (Intune and others)
-For HoloLens devices that are managed by Microsoft Intune, directions can be found [here](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune).
+Save the following sample as an XML file. You can use this file when you configure the multi-app kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile).
-For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#create-a-kiosk-configuration-xml-file), and make sure to include the [Start layout](#start-layout-for-a-provisioning-package) in the XML file.
-
-## Set up kiosk mode using a provisioning package (Windows 10, version 1803)
-
-Process:
-1. [Create an XML file that defines the kiosk configuration.](#create-a-kiosk-configuration-xml-file)
-2. [Add the XML file to a provisioning package.](#add-the-kiosk-configuration-xml-file-to-a-provisioning-package)
-3. [Apply the provisioning package to HoloLens.](#apply-the-provisioning-package-to-hololens)
-
-### Create a kiosk configuration XML file
-
-Follow [the instructions for creating a kiosk configuration XML file for desktop](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-using-a-provisioning-package), with the following exceptions:
-
-- Do not include Classic Windows applications (Win32) since they aren't supported on HoloLens.
-- Use the [placeholder Start XML](#start-layout-for-hololens) for HoloLens.
-
-#### Add guest access to the kiosk configuration (optional)
-
-In the [Configs section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group named **Visitor** to allow guests to use the kiosk. When the kiosk is configured with the **Visitor** special group, a "**Guest**" option is added to the sign-in page. The **Guest** account does not require a password, and any data associated with the account is deleted when the account signs out.
-
-Use the following snippet in your kiosk configuration XML to enable the **Guest** account:
+> [!NOTE]
+> If you have to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-hololens).
```xml
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
```
-### Add the kiosk configuration XML file to a provisioning package
+### Prov. package, step 2 – Add the kiosk configuration XML file to a provisioning package
1. Open [Windows Configuration Designer](https://www.microsoft.com/store/apps/9nblggh4tx22).
-2. Choose **Advanced provisioning**.
-3. Name your project, and click **Next**.
-4. Choose **Windows 10 Holographic** and click **Next**.
-5. Select **Finish**. The workspace for your package opens.
-6. Expand **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**.
-7. In the center pane, click **Browse** to locate and select the kiosk configuration XML file that you created.
+1. Select **Advanced provisioning**, enter a name for your project, and then select **Next**.
+1. Select **Windows 10 Holographic**, and then select **Next**.
+1. Select **Finish**. The workspace for your package opens.
+1. Select **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**.
+1. In the center pane, select **Browse** to locate and select the kiosk configuration XML file that you created.
- 
+ 
-8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
-9. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**.
-10. On the **File** menu, select **Save.**
-11. On the **Export** menu, select **Provisioning package**.
-12. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
+1. **Optional**. (If you want to apply the provisioning package after the initial setup of the device, and there is an admin user already available on the kiosk device, skip this step.) Select **Runtime settings** > **Accounts** > **Users**, and then create a user account. Provide a user name and password, and then select **UserGroup** > **Administrators**.
+
+ By using this account, you can view the provisioning status and logs.
+1. **Optional**. (If you already have a non-admin account on the kiosk device, skip this step.) Select **Runtime settings** > **Accounts** > **Users**, and then create a local user account. Make sure that the user name is the same as for the account that you specify in the configuration XML. Select **UserGroup** > **Standard Users**.
+1. Select **File** > **Save**.
+1. Select **Export** > **Provisioning package**, and then select **Owner** > **IT Admin**. This sets the precedence of this provisioning package higher than provisioning packages that are applied to this device from other sources.
+1. Select **Next**.
+1. On the **Provisioning package security** page, select a security option.
+ > [!IMPORTANT]
+ > If you select **Enable package signing**, you also have to select a valid certificate to use for signing the package. To do this, select **Browse** and select the certificate that you want to use to sign the package.
+
+ > [!CAUTION]
+ > Do not select **Enable package encryption**. On HoloLens devices, this setting causes provisioning to fail.
+1. Select **Next**.
+1. Specify the output location where you want the provisioning package to go when it's built. By default, Windows Configuration Designer uses the project folder as the output location. If you want to change the output location, select **Browse**. When you are finished, select **Next**.
+1. Select **Build** to start building the package. The provisioning package doesn't take long to build. The build page displays the project information, and the progress bar indicates the build status.
-13. On the **Provisioning package security** page, do not select **Enable package encryption** or provisioning will fail on HoloLens. You can choose to enable package signing.
+### Provisioning package, step 3 – Apply the provisioning package to HoloLens
- - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
+The "Configure HoloLens by using a provisioning package" article provides detailed instructions to apply the provisioning package under the following circumstances:
-14. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Configuration Designer uses the project folder as the output location. Optionally, you can click **Browse** to change the default output location.
+- You can initially [apply a provisioning package to HoloLens during setup](hololens-provisioning.md#apply-a-provisioning-package-to-hololens-during-setup).
-15. Click **Next**.
+- You can also [apply a provisioning package to HoloLens after setup](hololens-provisioning.md#4-apply-a-provisioning-package-to-hololens-after-setup).
-16. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
+## Use the Windows Device Portal to set up a single-app kiosk
+To set up kiosk mode by using the Windows Device Portal, follow these steps.
+
+> [!IMPORTANT]
+> Kiosk mode is available only if the device has [Windows Holographic for Business](hololens1-upgrade-enterprise.md) installed.
+
+1. [Set up the HoloLens device to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
+
+ > [!CAUTION]
+ > When you set up HoloLens to use the Device Portal, you have to enable Developer Mode on the device. Developer Mode on a device that has Windows Holographic for Business enables you to side-load apps. However, this setting creates a risk that a user can install apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable Developer Mode by using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider). [Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
-### Apply the provisioning package to HoloLens
+1. On a computer, connect to the HoloLens by using [Wi-Fi](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#connecting_over_usb).
-1. Connect HoloLens via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box).
-
-3. HoloLens will show up as a device in File Explorer on the PC.
-
-4. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
-
-5. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the **fit** page.
-
-6. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
-
-7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.
-
-
-## Set up kiosk mode using the Windows Device Portal (Windows 10, version 1607 and version 1803)
-
-1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
-
- > [!IMPORTANT]
- > When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
-
-2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_usb).
-
-3. [Create a user name and password](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up.
+1. Do one of the following:
+ - If you are connecting to the Windows Device Portal for the first time, [create a user name and password](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#creating_a_username_and_password)
+ - Enter the user name and password that you previously set up.
> [!TIP]
- > If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#security_certificate).
+ > If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#security_certificate).
-4. In the Windows Device Portal, click **Kiosk Mode**.
+1. In the Windows Device Portal, select **Kiosk Mode**.
+
+1. Select **Enable Kiosk Mode**, select an app to run when the device starts, and then select **Save**.

-
- > [!NOTE]
- > The kiosk mode option will be available if the device is [enrolled in device management](hololens-enroll-mdm.md) and has a [license to upgrade to Windows Holographic for Business](hololens1-upgrade-enterprise.md).
-
-5. Select **Enable Kiosk Mode**, choose an app to run when the device starts, and click **Save**.
-
-## Kiosk app recommendations
-
-- You cannot select Microsoft Edge, Microsoft Store, or the Shell app as a kiosk app.
-- We recommend that you do **not** select the Settings app and the File Explorer app as a kiosk app.
-- You can select Cortana as a kiosk app.
-- To enable photo or video capture, the HoloCamera app must be enabled as a kiosk app.
+1. Restart HoloLens. If you still have your Device Portal page open, you can select **Restart** at the top of the page.
## More information
-Watch how to configure a kiosk in a provisioning package.
+Watch how to configure a kiosk by using a provisioning package.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
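Review bot: the policy name in the caution, `**ApplicationManagement/AllowDeveloper Unlock**`, contains a stray space; the Policy CSP setting is `ApplicationManagement/AllowDeveloperUnlock`. Since this is the control an administrator would look up to block Developer Mode (and the side-loading risk the same paragraph describes), the typo carried over from the old text should be fixed rather than preserved. The deleted `## Kiosk app recommendations` block (Edge, Store and the Shell app cannot be kiosk apps; HoloCamera must be enabled for photo or video capture) has no visible replacement in this hunk; confirm it was moved and not dropped. Style: `### Prov. package, step 2 – Add the kiosk configuration XML file to a provisioning package` should read `### Provisioning package, step 2 – ...` to match steps 1 and 3, and the bullet `- If you are connecting to the Windows Device Portal for the first time, [create a user name and password](...)` is missing its closing period.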
diff --git a/devices/hololens/hololens-known-issues.md b/devices/hololens/hololens-known-issues.md
index e3ac50bec3..de39da5999 100644
--- a/devices/hololens/hololens-known-issues.md
+++ b/devices/hololens/hololens-known-issues.md
@@ -4,7 +4,7 @@ description: This is the list of known issues that may affect HoloLens developer
keywords: troubleshoot, known issue, help
author: mattzmsft
ms.author: mazeller
-ms.date: 8/30/2019
+ms.date: 4/20/2020
ms.topic: article
ms.custom:
- CI 111456
@@ -13,14 +13,60 @@ HoloLens and holograms: Frequently asked questions
manager: jarrettr
ms.prod: hololens
appliesto:
-- HoloLens 1
+- HoloLens (1st Gen)
+- HoloLens 2
---
# Known issues for HoloLens
-This is the current list of known issues for HoloLens that affect developers. Check here first if you are seeing an odd behavior. This list will be kept updated as new issues are discovered or reported, or as issues are addressed in future HoloLens software updates.
+This is the current list of known issues for HoloLens devices. Check here first if you are seeing an odd behavior. This list will be kept updated as new issues are discovered or reported, or as issues are addressed in future HoloLens software updates.
-## Unable to connect and deploy to HoloLens through Visual Studio
+>[!NOTE]
+> - If you discover an issue that is not blocking you please report it on your HoloLens device via [Feedback Hub](hololens-feedback.md).
+> - If the issue you are facing is blocking you, in addtion to filing feedback, please [file a support request](https://aka.ms/hlsupport).
+
+- [Known issues for all HoloLens generations](#known-issues-for-all-hololens-generations)
+- [Known issues for HoloLens 2 devices](#known-issues-for-hololens-2-devices)
+- [Known issues for HoloLens (1st Gen)](#known-issues-for-hololens-1st-gen)
+- [Known issues for HoloLens emulator](#known-issues-for-hololens-emulator)
+
+## Known issues for all HoloLens generations
+
+### Unity
+
+- See [Install the tools](https://docs.microsoft.com/windows/mixed-reality/install-the-tools) for the most up-to-date version of Unity recommended for HoloLens development.
+- Known issues with the Unity HoloLens Technical Preview are documented in the [HoloLens Unity forums](https://forum.unity3d.com/threads/known-issues.394627/).
+
+### Windows Device Portal
+
+- The Live Preview feature in Mixed Reality capture may exhibit several seconds of latency.
+- On the Virtual Input page, the Gesture and Scroll controls under the Virtual Gestures section are not functional. Using them will have no effect. The virtual keyboard on the same page works correctly.
+- After enabling Developer Mode in Settings, it may take a few seconds before the switch to turn on the Device Portal is enabled.
+
+## Known issues for HoloLens 2 devices
+
+### Blue screen is shown after unenrolling from Insider preview builds on a device reflashed with a Insider build
+
+This is an issue affecting that affects users who are were on an Insider preview build, reflashed their HoloLens 2 with a new insider preview build, and then unenrolled from the Insider program.
+
+This does not affect:
+- Users who are not enrolled in Windows Insider
+- Insiders:
+ - If a device has been enrolled since Insider builds were version 18362.x
+ - If they flashed a Insider signed 19041.x build AND stay enrolled in the Insider program
+
+Work-around:
+- Avoid the issue
+ - Flash a non-insider build. One of the regular monthly updates.
+ - Stay on Insider Preview
+- Reflash the device
+ 1. Put the [HoloLens 2 into flashing mode](https://review.docs.microsoft.com/hololens/hololens-recovery?branch=master#hololens-2) manually by fully powering down while not connect. Then while holding Volume up, tap the Power button.
+ 1. Connect to the PC and open Advanced Recovery Companion.
+ 1. Flash the HoloLens 2 to the default build.
+
+## Known issues for HoloLens (1st Gen)
+
+### Unable to connect and deploy to HoloLens through Visual Studio
> [!NOTE]
> Last Update: 8/8 @ 5:11PM - Visual Studio has released VS 2019 Version 16.2 which includes a fix to this issue. We recommend updating to this newest version to avoid experiencing this error.
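Review bot: the new reflash step links to `https://review.docs.microsoft.com/hololens/hololens-recovery?branch=master#hololens-2`, an internal review host with a branch parameter that public readers cannot open; use the relative form this repo uses elsewhere, `hololens-recovery.md#hololens-2`. Wording in the same section needs cleanup: `+This is an issue affecting that affects users who are were on an Insider preview build` (drop `affecting that` and `are`), `a Insider build` / `a Insider signed` (`an Insider-signed`), `while not connect` (`while not connected`), and `addtion` in the note (`addition`). The `Avoid the issue` bullet reads as fragments (`Flash a non-insider build. One of the regular monthly updates.`); consider `Flash a non-Insider build (one of the regular monthly updates), or stay on Insider Preview.`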
@@ -29,7 +75,7 @@ Visual Studio has released VS 2019 Version 16.2 which includes a fix to this iss
Issue root-cause: Users who used Visual Studio 2015 or early releases of Visual Studio 2017 to deploy and debug applications on their HoloLens and then subsequently used the latest versions of Visual Studio 2017 or Visual Studio 2019 with the same HoloLens will be affected. The newer releases of Visual Studio deploy a new version of a component, but files from the older version are left over on the device, causing the newer version to fail. This causes the following error message: DEP0100: Please ensure that target device has developer mode enabled. Could not obtain a developer license on \ due to error 80004005.
-### Workaround
+#### Workaround
Our team is currently working on a fix. In the meantime, you can use the following steps to work around the issue and help unblock deployment and debugging:
@@ -79,7 +125,7 @@ Our team is currently working on a fix. In the meantime, you can use the followi
We will provide further updates as they become available.
-## Issues launching the Microsoft Store and apps on HoloLens
+### Issues launching the Microsoft Store and apps on HoloLens
> [!NOTE]
> Last Update: 4/2 @ 10 AM - Issue resolved.
@@ -126,38 +172,27 @@ If your device is still unable to load apps, you can sideload a version of the .
We appreciate your patience as we have gone through the process to get this issue resolved, and we look forward to continued working with our community to create successful Mixed Reality experiences.
-## Device Update
+### Device Update
- 30 seconds after a new update, the shell may disappear one time. Please perform the **bloom** gesture to resume your session.
-## Visual Studio
+### Visual Studio
- See [Install the tools](https://docs.microsoft.com/windows/mixed-reality/install-the-tools) for the most up-to-date version of Visual Studio that is recommended for HoloLens development.
- When deploying an app from Visual Studio to your HoloLens, you may see the error: **The requested operation cannot be performed on a file with a user-mapped section open. (Exception from HRESULT: 0x800704C8)**. If this happens, try again and your deployment will generally succeed.
-## Emulator
-
-- Not all apps in the Microsoft Store are compatible with the emulator. For example, Young Conker and Fragments are not playable on the emulator.
-- You cannot use the PC webcam in the Emulator.
-- The Live Preview feature of the Windows Device Portal does not work with the emulator. You can still capture Mixed Reality videos and images.
-
-## Unity
-
-- See [Install the tools](https://docs.microsoft.com/windows/mixed-reality/install-the-tools) for the most up-to-date version of Unity recommended for HoloLens development.
-- Known issues with the Unity HoloLens Technical Preview are documented in the [HoloLens Unity forums](https://forum.unity3d.com/threads/known-issues.394627/).
-
-## Windows Device Portal
-
-- The Live Preview feature in Mixed Reality capture may exhibit several seconds of latency.
-- On the Virtual Input page, the Gesture and Scroll controls under the Virtual Gestures section are not functional. Using them will have no effect. The virtual keyboard on the same page works correctly.
-- After enabling Developer Mode in Settings, it may take a few seconds before the switch to turn on the Device Portal is enabled.
-
-## API
+### API
- If the application sets the [focus point](https://docs.microsoft.com/windows/mixed-reality/focus-point-in-unity) behind the user or the normal to camera.forward, holograms will not appear in Mixed Reality Capture photos or videos. Until this bug is fixed in Windows, if applications actively set the [focus point](https://docs.microsoft.com/windows/mixed-reality/focus-point-in-unity) they should ensure the plane normal is set opposite camera-forward (for example, normal = -camera.forward).
-## Xbox Wireless Controller
+### Xbox Wireless Controller
- Xbox Wireless Controller S must be updated before it can be used with HoloLens. Ensure you are [up to date](https://support.xbox.com/xbox-one/accessories/update-controller-for-stereo-headset-adapter) before attempting to pair your controller with a HoloLens.
- If you reboot your HoloLens while the Xbox Wireless Controller is connected, the controller will not automatically reconnect to HoloLens. The Guide button light will flash slowly until the controller powers off after 3 minutes. To reconnect your controller immediately, power off the controller by holding the Guide button until the light turns off. When you power your controller on again, it will reconnect to HoloLens.
- If your HoloLens enters standby while the Xbox Wireless Controller is connected, any input on the controller will wake the HoloLens. You can prevent this by powering off your controller when you are done using it.
+
+## Known issues for HoloLens emulator
+
+- Not all apps in the Microsoft Store are compatible with the emulator. For example, Young Conker and Fragments are not playable on the emulator.
+- You cannot use the PC webcam in the Emulator.
+- The Live Preview feature of the Windows Device Portal does not work with the emulator. You can still capture Mixed Reality videos and images.
diff --git a/devices/hololens/hololens-multiple-users.md b/devices/hololens/hololens-multiple-users.md
index 4bd8b317ef..67860a5dd0 100644
--- a/devices/hololens/hololens-multiple-users.md
+++ b/devices/hololens/hololens-multiple-users.md
@@ -9,7 +9,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.date: 09/16/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens (1st gen)
- HoloLens 2
@@ -37,7 +37,7 @@ To use HoloLens, each user follows these steps:
1. If another user has been using the device, do one of the following:
- Press the power button once to go to standby, and then press the power button again to return to the lock screen
- - HoloLens 2 users may select the user tile on the top of the Pins panel to sign out the current user.
+ - HoloLens 2 users may select the user tile from the Start menu to sign out the current user.
1. Use your Azure AD account credentials to sign in to the device.
If this is the first time that you have used the device, you have to [calibrate](hololens-calibration.md) HoloLens to your own eyes.
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index 70edc38d5e..197084ced1 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -16,7 +16,7 @@ ms.custom:
ms.localizationpriority: medium
ms.date: 03/10/2020
ms.reviewer: Teresa-Motiv
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens (1st gen)
- HoloLens 2
@@ -33,7 +33,7 @@ Some of the HoloLens configurations that you can apply in a provisioning package
- Set up a Wi-Fi connection
- Apply certificates to the device
- Enable Developer Mode
-- Configure Kiosk mode (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803).
+- Configure Kiosk mode (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk).
## Provisioning package HoloLens wizard
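Review bot: the rewritten bullet `+- Configure Kiosk mode (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk).` still lacks the closing parenthesis that the old line also omitted; since the line is being touched anyway, end it with `).`. The capitalization `Kiosk mode` also differs from `kiosk mode` in the wizard list below.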
@@ -49,7 +49,7 @@ The HoloLens wizard helps you configure the following settings in a provisioning
- Enroll the device in Azure Active Directory, or create a local account
- Add certificates
- Enable Developer Mode
-- Configure kiosk mode (for detailed instructions,see [Set up kiosk mode using a provisioning package](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803)
+- Configure kiosk mode. (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md##use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk)).
> [!WARNING]
> You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
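Review bot: the new link `hololens-kiosk.md##use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk` has a doubled `#` and will not resolve to the heading; use a single `#`. The same doubled anchor appears in the hololens-kiosk.md change in this PR, so search the whole PR for `##use-` before merging.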
@@ -64,6 +64,8 @@ Provisioning packages can include management instructions and policies, custom n
1. **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). This includes HoloLens 2 capabilities.
2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configuration Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box. This option does not include HoloLens 2 capabilities.
+> [!NOTE]
+> If you know you will be using an offline PC that needs access to Windows Configuration Designer please follow the offline app install [here](https://docs.microsoft.com/hololens/hololens-recovery#downloading-arc-without-using-the-app-store) for Advanced Recovery Companion but making Windows Confiugration Desinger your selection instead.
### 2. Create the provisioning package
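Review bot: the added NOTE misspells "Configuration Designer" as "Confiugration Desinger", and the sentence is hard to parse. Suggested text: `> If the PC that will run Windows Configuration Designer has no internet access, use the offline install steps in [Downloading ARC without using the app store](https://docs.microsoft.com/hololens/hololens-recovery#downloading-arc-without-using-the-app-store), selecting Windows Configuration Designer instead of Advanced Recovery Companion in Microsoft Store for Business.` Add a blank line between option 2 and `> [!NOTE]` so the note does not render as part of the list item. The anchor `#downloading-arc-without-using-the-app-store` depends on the heading added to hololens-recovery.md in this same change; if that heading is reworded, this link must be updated with it.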
diff --git a/devices/hololens/hololens-recovery.md b/devices/hololens/hololens-recovery.md
index 60d46d7e1c..8ef5f12b0a 100644
--- a/devices/hololens/hololens-recovery.md
+++ b/devices/hololens/hololens-recovery.md
@@ -7,7 +7,7 @@ ms.prod: hololens
ms.sitesec: library
author: mattzmsft
ms.author: mazeller
-ms.date: 08/30/2019
+ms.date: 04/27/2020
ms.custom:
- CI 111456
- CSSTroubleshooting
@@ -82,7 +82,7 @@ If you're still having problems, press the power button for 4 seconds, until all
If your HoloLens is still experiencing issues after restarting, try resetting it to factory state. Resetting your HoloLens keeps the version of the Windows Holographic software that's installed on it and returns everything else to factory settings.
-If you reset your device, all your personal data, apps, and settings will be erased. Resetting will only install the latest installed version of Windows Holographic and you will have to redo all the initialization steps (calibrate, connect to Wi-Fi, create a user account, download apps, and so forth).
+If you reset your device, all your personal data, apps, and settings will be erased, including TPM reset. Resetting will only install the latest installed version of Windows Holographic and you will have to redo all the initialization steps (calibrate, connect to Wi-Fi, create a user account, download apps, and so forth).
1. Launch the Settings app, and then select **Update** > **Reset**.
1. Select the **Reset device** option and read the confirmation message.
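Review bot: "all your personal data, apps, and settings will be erased, including TPM reset" mixes a list of things erased with an action; suggest "all your personal data, apps, and settings will be erased, and the TPM will be cleared." Because clearing the TPM destroys every key sealed to it, it is worth stating the consequence plainly (for example, that any PIN or other credential protected by the TPM has to be set up again), rather than leaving "redo all the initialization steps" as the only hint.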
@@ -100,7 +100,7 @@ All of the data HoloLens needs to reset is packaged in a Full Flash Update (ffu)
### HoloLens 2
-The Advanced Recovery Companion is a new app in Microsoft Store restore the operating system image to your HoloLens 2 device.
+The Advanced Recovery Companion is a new app in Microsoft Store restore the operating system image to your HoloLens 2 device. Advanced Recovery Companion erases all your personal data, apps, and settings, and resets TPM.
1. On your computer, get [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from Microsoft Store.
2. Connect HoloLens 2 to your computer.
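Review bot: the modified sentence keeps the original's missing verb: "a new app in Microsoft Store restore the operating system image" should read "a new app in Microsoft Store that restores the operating system image". "resets TPM" should also use the same wording chosen for the Reset section above (for example "clears the TPM") so the two descriptions of the same effect agree.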
@@ -109,6 +109,8 @@ The Advanced Recovery Companion is a new app in Microsoft Store restore the oper
5. On the **Device info** page, select **Install software** to install the default package. (If you have a Full Flash Update (FFU) image that you want to install instead, select **Manual package selection**.)
6. Software installation will begin. Do not use the device or disconnect the cable during installation. When you see the **Installation finished** page, you can disconnect and use your device.
+#### Manual flashing mode
+
> [!TIP]
> In the event that a HoloLens 2 gets into a state where Advanced Recovery Companion cannot recognize the device, and it does not boot, try forcing the device into Flashing Mode and recovering it with Advanced Recovery Companion:
@@ -117,6 +119,38 @@ The Advanced Recovery Companion is a new app in Microsoft Store restore the oper
1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device.
1. Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2.
+#### Downloading ARC without using the app store
+
+If an IT environment prevents the use of the Windows Store app or limits access to the retail store, IT administrators can make this app available through other ‘offline’ deployment paths.
+
+- This process may also be used for other apps, as seen in step 2. This guide will focus on Advanced Recovery Companion, but my be modified for other offline apps.
+
+This deployment path can be enabled with the following steps:
+1. Go to the [Store For Business website](https://businessstore.microsoft.com) and sign-in with an Azure AD identity.
+1. Go to **Manage – Settings**, and turn on **Show offline apps** under **Shopping experience** as described at https://businessstore.microsoft.com/manage/settings/shop
+1. Go to **shop for my group** and search for the [Advanced Recovery Companion](https://businessstore.microsoft.com/store/details/advanced-recovery-companion/9P74Z35SFRS8) app.
+1. Change the **License Type** box to offline and click **Manage**.
+1. Under Download the package for offline use click the second blue **“Download”** button . Ensure the file extension is .appxbundle.
+1. At this stage, if the Desktop PC has Internet access, simply double click and install.
+1. The IT administrator can also distribute this app through System Center Configuration Manager (SCCM) or Intune.
+1. If the target PC has no Internet connectivity, some additional steps are needed:
+ 1. Select the unencoded license and click **“Generate license”** and under **“Required Frameworks”** click **“Download.”**
+ 1. PCs without internet access will need to use DISM to apply the package with the dependency and license. In an administrator command prompt, type:
+
+ ```console
+ C:\WINDOWS\system32>dism /online /Add-ProvisionedAppxPackage /PackagePath:"C:\ARCoffline\Microsoft.AdvancedRecoveryCompanion_1.19050.1301.0_neutral_~_8wekyb3d8bbwe.appxbundle" /DependencyPackagePath:"C:\ARCoffline\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x86__8wekyb3d8bbwe.appx" /LicensePath:"C:\ARCoffline\Microsoft.AdvancedRecoveryCompanion_8wekyb3d8bbwe_f72ce112-dd2e-d771-8827-9cbcbf89f8b5.xml" /Region:all
+ ```
+> [!NOTE]
+> The version number in this code example may not match the currently avalible version. You may have also choosen a different download location than in the example given. Please make sure to make any changes as needed.
+
+> [!TIP]
+> When planning to use Advanced Recovery Companion to install an ffu offline it may be useful to download your flashing image to be availible, here is the [current image for HoloLens 2](https://aka.ms/hololens2download).
+
+Other resources:
+- https://docs.microsoft.com/microsoft-store/distribute-offline-apps
+- https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-app-package--appx-or-appxbundle--servicing-command-line-options
+
+
### HoloLens (1st gen)
If necessary, you can install a completely new operating system on your HoloLens (1st gen) with the Windows Device Recovery Tool.
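Review bot: the offline procedure provisions a package for every user on the PC from a hand-copied file, and the only check on that file is "Ensure the file extension is .appxbundle"; add a step to verify the package signature before running DISM, for example `Get-AuthenticodeSignature .\Microsoft.AdvancedRecoveryCompanion_*.appxbundle` in PowerShell, confirming the status is Valid and the signer is Microsoft. DISM will not install a package whose signature it cannot trust, but checking up front gives a clear failure instead of an error code. Other points in this hunk: the "Required Frameworks" download can contain more than one framework package, and `/DependencyPackagePath` must be given once per package, whereas the example passes only the x86 VCLibs package; the `> [!NOTE]` and `> [!TIP]` blocks after the indented console block are not indented, so they terminate the nested list and the following text renders outside step 8; typos "my be modified", "avalible", "choosen", "availible"; "sign-in with an Azure AD identity" should be "sign in"; "Store For Business" should be "Microsoft Store for Business"; the bare URLs under "Other resources" should carry link text. The TIP about downloading the FFU should say where the file is used (the **Manual package selection** step in the ARC flow above).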
diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md
index 79c2e77dc1..38e382a7b6 100644
--- a/devices/hololens/hololens-release-notes.md
+++ b/devices/hololens/hololens-release-notes.md
@@ -1,32 +1,218 @@
---
-title: HoloLens release notes
+title: HoloLens 2 release notes
description: Learn about updates in each new HoloLens release.
author: scooley
ms.author: scooley
-manager: dansimp
+manager: laurawi
ms.prod: hololens
ms.sitesec: library
ms.topic: article
ms.localizationpriority: medium
-ms.date: 12/02/2019
+ms.date: 06/9/2020
ms.custom:
- CI 111456
- CSSTroubleshooting
audience: ITPro
appliesto:
-- HoloLens 1
- HoloLens 2
---
-# HoloLens release notes
+# HoloLens 2 release notes
-## HoloLens 2
+## Windows Holographic, version 2004 - June 2020 Update
+- Build 19041.1106
+
+Improvements and fixes in the update:
+
+- Custom MRC recorders have new default values for certain properties if they aren't specified.
+ - On the MRC Video Effect:
+ - PreferredHologramPerspective (1 PhotoVideoCamera)
+ - GlobalOpacityCoefficient (0.9 (HoloLens) 1.0 (Immersive headset))
+ - On the MRC Audio Effect:
+ - LoopbackGain (the current "App Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
+ - MicrophoneGain (the current "Mic Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
+- This update contains a bug fix that improves audio quality in Mixed Reality Capture scenarios. Specifically, it should eliminate any audio glitching in the recording when the Start Menu is displayed.
+- Improved hologram stability in recorded videos.
+- Resolves an issue where mixed reality capture couldn't record video after device is left in standby state for multiple days.
+- The HolographicSpace.UserPresence API is generally disabled for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled. The API is now enabled for Unity versions 2018.4.18 and higher, and 2019.3.4 and higher.
+- When accessing Device Portal over a WiFi connection, a web browser might prevent access to due to an invalid certificate, reporting an error such as "ERR_SSL_PROTOCOL_ERROR," even if the device certificate has previously been trusted. In this case, you would be unable to progress to Device Portal as options to ignore security warnings are not available. This update resolves the issue. If the device certificate was previously downloaded and trusted on a PC to remove browser security warnings and the SSL error has been encountered, the new certificate will need to be downloaded and trusted to address browser security warnings.
+- Enabled ability to create a runtime provisioning package which can install an app using MSIX packages.
+- New setting that users can find under Settings > System > Holograms, that allows users to automatically remove all holograms from the mixed reality home when the device shuts down.
+- Fixed an issue that caused HoloLens apps that change their pixel format to render black in the HoloLens emulator.
+- Fixed bug that caused a crash during Iris Login.
+- Fixes an issue around repeated store downloads for already current apps.
+- Fixed a bug to preventing immersive apps from launching Edge multiple times.
+- Fixes an issue around launches of the Photos app in initial boots after updating from the 1903 release.
+- Improved performance and reliability.
+
+## Windows Holographic, version 1903 - June 2020 Update
+- Build 18362.1064
+
+Improvements and fixes in the update:
+
+- Custom MRC recorders have new default values for certain properties if they aren't specified.
+ - On the MRC Video Effect:
+ - PreferredHologramPerspective (1 PhotoVideoCamera)
+ - GlobalOpacityCoefficient (0.9 (HoloLens) 1.0 (Immersive headset))
+ - On the MRC Audio Effect:
+ - LoopbackGain (the current "App Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
+ - MicrophoneGain (the current "Mic Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
+- The HolographicSpace.UserPresence API is generally disabled for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled. The API is now enabled for Unity versions 2018.4.18 and higher, and 2019.3.4 and higher.
+- Fixed an issue that caused HoloLens apps that change their pixel format to render black in the HoloLens emulator.
+- Fixes an issue around launches of the Photos app in initial boots after updating from the 1903 release.
+
+## Windows Holographic, version 2004
+Build - 19041.1103
+
+We are excited to announce our May 2020 major software update for HoloLens 2, **Windows Holographic, version 2004**. This release includes a host of exciting new capabilities, such as support for Windows Autopilot, app dark mode, USB Ethernet support for 5G/LTE hotspots, and much more. To update to the latest release, open the **Settings app**, go to **Update & Security**, then select the **Check for Updates** button.
+
+| Feature | Description |
+|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|
+| Windows Autopilot | Pre-configure and seamlessly set up new devices for production, with Windows AutoPilot |
+| FIDO 2 support | Support for FIDO2 Security Keys to enable fast and secure authentication for shared devices |
+| Improved provisioning | Seamlessly apply a provisioning package from a USB drive to your HoloLens |
+| Application install status | Check install status for apps have been pushed to HoloLens 2 via MDM, in the Settings app |
+| Configuration Service Providers (CSPs) | Added new Configuration Service Providers (CSPs) enhancing admin control capabilities. |
+| USB 5G/LTE support | Expanded USB Ethernet capability enables support for 5G/LTE |
+| Dark App Mode | Dark App Mode for apps that support both dark and light modes, improving the viewing experience |
+| Voice Commands | Support for additional system voice commands to control HoloLens, hands-free |
+| Hand Tracking improvements | Hand Tracking improvements make buttons and 2D slate interactions more accurate |
+| Quality improvements and fixes | Various system performance and reliability improvements across the platform |
> [!Note]
> HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive).
-### Coming Soon
+### Support for Windows Autopilot
+
+Windows Autopilot for HoloLens 2 lets the device sales channel pre-enroll HoloLens into your Intune tenant. When devices arrive, they’re ready to self-deploy as shared devices under your tenant. To take advantage of self-deployment, devices will need to connect to a network during the first screen in setup using either a USB-C to ethernet dongle or USB-C to LTE dongle.
+
+When a user starts the Autopilot self-deploying process, the process completes the following steps:
+
+1. Join the device to Azure Active Directory (Azure AD).
+1. Use Azure AD to enroll the device in Microsoft Intune (or another MDM service).
+1. Download the device-targeted policies, certificates, and networking profiles.
+1. Provision the device.
+1. Present the sign-in screen to the user.
+
+Learn more from the [Windows Autopilot for HoloLens 2 evaluation guide](https://docs.microsoft.com/hololens/hololens2-autopilot).
+
+**Contact your Account Manager to join the AutoPilot preview now. Autopilot-ready devices will begin shipping soon.**
+
+### FIDO2 Security Key support
+
+Many of you share a HoloLens device with lots of people in a work or school environment. Whether devices are shared between students in a classroom or they're checked out from a device locker, it's important to be able to change users quickly and easily without typing long usernames and passwords.
+
+FIDO lets anyone in your organization (AAD tenant) seamlessly sign into HoloLens without entering a username or password.
+
+FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. FIDO allows users and organizations to leverage the standard to sign-in to their resources without a username or password using an external security key or a platform key built into a device.
+
+Read the [passwordless security docs](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to get started.
+
+### Improved MDM enrollment via provisioning package
+
+Provisioning packages let you set HoloLens configuration through a config file rather than going through the HoloLens out of box experience. Previously, provisioning packages had to be copied onto HoloLens' internal memory, now they can be on a USB drive so they're easier to re-use on multiple HoloLens and so more people can provision HoloLens in parallel. In addition, provisioning packages support a new field to enroll in device management so there is no manual set up post-provisioning.
+
+1. To try it out, download the latest version of the Windows Configuration Designer from the Windows store onto your PC.
+1. Select **Provision HoloLens Devices** > Select **Provision HoloLens 2 devices**
+1. Build your configuration profile and, when you're done, copy all files created to a USB-C storage device.
+1. Plug it into any freshly flashed HoloLens and press **Volume down + Power** to apply your provisioning package.
+
+### Line of Business application install status
+
+MDM app deployment and management for Line of Business (LOB) apps is critical for our customers. Admins and users need to be able to view app install status, for auditing and diagnosis purposes. In this release we are adding more details in **Settings > Accounts > Access work or school > Click on your account > Info.**
+
+### Additional CSPs and Policies
+
+A [configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference?redirectedfrom=MSDN) is an interface to read, set, modify, or delete configuration settings on a device. In this release, we are adding support for more policies, increasing the control administrators have over deployed HoloLens devices. For the list of CSPs supported by HoloLens, visit this [link](https://docs.microsoft.com/windows/client-management/mdm/networkqospolicy-csp). New in this release:
+
+**Policy CSP**
+
+The Policy configuration service provider enables the enterprise to configure policies on Windows devices. In this release, we are adding new policies for HoloLens, listed below. You can learn more about supported policies [here](https://docs.microsoft.com/windows/client-management/mdm/policies-supported-by-hololens2).
+
+- LetAppsAccessCamera_ForceAllowTheseApps
+- LetAppsAccessCamera_ForceDenyTheseApps
+- LetAppsAccessCamera_UserInControlOfTheseApps
+- LetAppsAccessGazeInput
+- LetAppsAccessGazeInput_ForceAllowTheseApps
+- LetAppsAccessGazeInput_ForceDenyTheseApps
+- LetAppsAccessGazeInput_UserInControlOfTheseApps
+- LetAppsAccessMicrophone_ForceAllowTheseApps
+- LetAppsAccessMicrophone_ForceDenyTheseApps
+- LetAppsAccessMicrophone_UserInControlOfTheseApps
+- AllowWiFi
+
+**NetworkQoSPolicy CSP**
+The NetworkQoSPolicy configuration service provider creates network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. You can learn more about this policy [here](https://docs.microsoft.com/windows/client-management/mdm/networkqospolicy-csp).
+
+### Expanded USB Ethernet support for 5G/LTE tethered devices
+
+Support has been added to enable certain mobile broadband devices, such as 5G/LTE phones and WiFi hotpots when tethered to the HoloLens 2 via USB. These devices will be displayed in network settings as another ethernet connection. Mobile broadband devices that require an external driver are not supported. This enables high bandwidth connections in scenarios where WiFi is not available, and WiFi tethering isn’t performant enough. You can learn more about supported USB devices [here](https://docs.microsoft.com/hololens/hololens-connect-devices).
+
+### Hand Tracking Improvements
+
+Hand tracking has received several improvements in this release.
+
+- **Pointing pose stability:** The system will now resist bending the index finger when it becomes occluded by the palm. This improves accuracy when pushing buttons, typing, scrolling content, and more!
+- **Reduced accidental AirTaps:** We’ve improved detection of the AirTap gesture. Now there are fewer accidental activations in several common cases, such as dropping your hands to your side.
+- **User switch reliability:** The system is now faster and more reliable at updating the hand size when sharing a device back and forth.
+- **Reduced hand stealing:** We’ve improved handling of cases where there are more than 2 hands in view of the sensors. If multiple people are working close together, there is now a much lower chance that the tracked hand will jump from the user to the hand of someone else in the scene.
+- **System reliability:** Fixed an issue that would cause hand tracking to stop working for a period if the device is under high load.
+
+### Dark mode
+
+Many Windows apps now support both dark and light modes, and HoloLens 2 customers can choose the default mode for apps that support both. Once updated, the default app mode will be "dark," but can be changed easily. Navigate to Settings > System > Colors to find "Choose your default app mode." Here are some of the in-box apps that support Dark mode:
+
+- Settings
+- Microsoft Store
+- Mail
+- Calendar
+- File Explorer
+- Feedback Hub
+- OneDrive
+- Photos
+- 3D Viewer
+- Movies & TV
+
+
+
+### System voice commands
+
+You can now quickly access and use commands with your voice while using any app on the device. If you're running your system with a different language, please try the appropriate commands in that language. For more details on the commands and how to use them, see our documentation [here](https://docs.microsoft.com/hololens/hololens-cortana).
+
+### Cortana updates
+
+The updated app integrates with Microsoft 365, currently in English (United States) only, to help you get more done across your devices. On HoloLens 2, Cortana will no longer support certain device-specific commands like adjusting the volume or restarting the device, which are now supported with the new system voice commands mentioned above. Learn more about the new Cortana app and its direction on our blog [here](https://blogs.windows.com/windowsexperience/2020/02/28/cortana-in-the-upcoming-windows-10-release-focused-on-your-productivity-with-enhanced-security-and-privacy/).
+
+### Quality improvements and fixes
+
+Improvements and Fixes also in the update:
+- The update introduces an active display calibration system. This improves the stability and alignment of holograms, which helps them stay in place when moving your head side-to-side.
+- Fixed a bug where Wi-Fi streaming to HoloLens gets disrupted periodically. If an application indicates that it needs low latency streaming this fix is can be accomplished by calling [this function](https://docs.microsoft.com/windows/win32/api/socketapi/nf-socketapi-setsocketmediastreamingmode).
+- Fixed an issue where the device could hang during streaming in research mode.
+- Fixed bug where in some cases the right user would not be displayed on sign-in screen when resuming session.
+- Fixed an issue where users could not export MDM logs through settings.
+- Fixed an issue where the accuracy of eye tracking immediately following out-of-box-setup could be lower than specification.
+- Fixed an issue where eye tracking subsystem would fail to initialize and/or perform calibration under certain conditions.
+- Fixed an issue where eye calibration would be prompted for an already calibrated user.
+- Fixed an issue where a driver would crash during eye calibration.
+- Fixed an issue where repeated power button presses can cause a 60 second system time-out and shell crash.
+- Improved stability for depth buffers.
+- Added ‘Share’ button in Feedback Hub so users can more easily share feedback.
+- Fixed a bug where RoboRaid did not install correctly.
+
+### Known issues
+
+- We are investigating an issue surrounding the use of the zh-CN system language that prevents the voice commands for taking a mixed reality capture or displaying the device IP address from working.
+- We're investigating an issue that requires you to launch the Cortana app after booting the device in order to use the "Hey Cortana" voice activation, and if you updated from a 18362 build, you may see a second app tile for the previous version of the Cortana app in Start that no longer works.
+
+## Windows Holographic, version 1903 - May 2020 Update
+- Build 18362.1061
+
+This monthly quality update does not contain any changes of note because the team has been focused on providing you with the highest quality Feature Update now available in the Windows Holographic, version 2004 May Update detailed above. Please take this opportunity to move to the latest feature update to get a ton of exciting new changes.
+
+## Windows Holographic, version 1903 - April 2020 Update
+- Build 18362.1059
**Dark mode for supported apps**
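Review bot: in "Additional CSPs and Policies", the sentence "For the list of CSPs supported by HoloLens, visit this [link](https://docs.microsoft.com/windows/client-management/mdm/networkqospolicy-csp)" points at the NetworkQoSPolicy CSP page, the same URL used two paragraphs later for that one CSP; it promises the full list, so it should point at the HoloLens policy reference (`policies-supported-by-hololens2`, already linked in the next paragraph) or the CSP reference page. Other fixes in the same hunk: drop `?redirectedfrom=MSDN` from the CSP reference URL; `ms.date: 06/9/2020` should be zero-padded like the other dates in this change; "AutoPilot" and "Autopilot" are both used, and the product spelling is "Autopilot"; "Fixed a bug to preventing immersive apps from launching Edge multiple times" should read "Fixed a bug that caused immersive apps to launch Edge multiple times"; "this fix is can be accomplished by calling" should read "can take advantage of this fix by calling"; "WiFi hotpots" should be "Wi-Fi hotspots". The Device Portal item is the security-relevant entry here: it correctly tells users to download and trust the new device certificate, and it would help to add that the previously trusted certificate should be removed from the PC's store at the same time, so a stale device certificate is not left trusted.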
@@ -51,100 +237,50 @@ Here are some of the in-box apps that support dark mode:
- Improve hologram stability in mixed reality capture when the HolographicDepthReprojectionMethod DepthReprojection algorithm is used.
- Fixed WinRT IStreamSocketListener API Class Not Registered error on 32-bit ARM app.
-### March Update - build 18362.1056
+## Windows Holographic, version 1903 - March 2020 Update
+- Build 18362.1056
+
+Improvements and fixes in the update:
- Improve hologram stability in mixed reality capture when the HolographicDepthReprojectionMethod AutoPlanar algorithm is used.
- Ensures the coordinate system attached to a depth MF sample is consistent with public documentation.
- Developers productivity improvement by enabling customers to paste large amount of text through device portal.
-### February Update - build 18362.1053
+## Windows Holographic, version 1903 - February 2020 Update
+- Build 18362.1053
+
+Improvements and fixes in the update:
- Temporarily disabled the HolographicSpace.UserPresence API for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled.
- Fixed a random HUP crash cased by hand tracking, in which user will notice an UI freeze then back to shell after several seconds.
- We made an improvement in hand tracking so that while poking using index finger, the upper part of that finger will be less likely to curl unexpectedly.
- Improved reliability of head tracking, spatial mapping, and other runtimes.
-### January Update - build 18362.1043
+## Windows Holographic, version 1903 - January 2020 Update
+- Build 18362.1043
+
+Improvement in the update:
- Stability improvements for exclusive apps when working with the HoloLens 2 emulator.
-### December Update - build 18362.1042
+## Windows Holographic, version 1903 - December 2019 Update
+- Build 18362.1042
+
+Improvements and fixes in the update:
- Introduces LSR (Last Stage Reproduction) fixes. Improves visual rendering of holograms to appear more stable and crisp by more accurately accounting for their depth. This will be more noticeable if apps do not set the depth of holograms correctly, after this update.
- Fixes stability of exclusive apps and navigation between exclusive apps.
- Resolves an issue where Mixed Reality Capture couldn't record video after device is left in standby state for multiple days.
- Improves hologram stability.
-### November Update - build 18362.1039
+## Windows Holographic, version 1903 - November 2019 Update
+- Build 18362.1039
+
+Improvements and fixes in the update:
- Fixes for **"Select"** voice commands during initial set-up for en-CA and en-AU.
- Improvements in visual quality of objects placed far away in latest Unity and MRTK versions.
- Fixes addressing issues with holographic applications being stuck in a paused state on launch until the pins panel is brought up and dismissed again.
- OpenXR runtime conformance fixes and improvements for HoloLens 2 and the emulator.
-## HoloLens (1st gen)
-### Windows 10 Holographic, version 1809
-
-> **Applies to:** Hololens (1st gen)
-
-| Feature | Details |
-|---|---|
-| **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app. See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.
 |
-| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you'll be able to stop recording from the same place. (Don't forget, you can always do this with voice commands too.) |
-| **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. |
-| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you're in an immersive experience, use the bloom gesture). |
-| **HoloLens overlays** (file picker, keyboard, dialogs, etc.) | You'll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. |
-| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you'll see a visual display of the volume level. |
-| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it's between the "Hello" message and the Windows boot logo. |
-| **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. |
-| **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. |
-
-#### For international customers
-
-| Feature | Details |
-| --- | --- |
-| Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands. [Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md) |
-| Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English. |
-
-#### For administrators
-
-| Feature | Details |
-|---|----|
-| [Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. |
-| Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. |
-| PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**. |
-| Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password. **Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in. |
-| Read device hardware info through MDM so devices can be tracked by serial number | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
-| Set HoloLens device name through MDM (rename) | IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
-
-### Windows 10, version 1803 for Microsoft HoloLens
-
-> **Applies to:** Hololens (1st gen)
-
-Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes:
-
-- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md).
-
-- You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq).
-- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#provisioning-package-hololens-wizard).
-
- 
-
-- When you create a local account in a provisioning package, the password no longer expires every 42 days.
-
-- You can [configure HoloLens as a single-app or multi-app kiosk](hololens-kiosk.md). Multi-app kiosk mode lets you set up a HoloLens to only run the apps that you specify, and prevents users from making changes.
-
-- Media Transfer Protocol (MTP) is enabled so that you can connect the HoloLens device to a PC by USB and transfer files between HoloLens and the PC. You can also use the File Explorer app to move and delete files from within HoloLens.
-
-- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically.
-
-- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business.
-
-- You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts.
-
-- When setup or sign-in fails, choose the new **Collect info** option to get diagnostic logs for troubleshooting.
-
-- Individual users can sync their corporate email without enrolling their device in mobile device management (MDM). You can use the device with a Microsoft Account, download and install the Mail app, and add an email account directly.
-
-- You can check the MDM sync status for a device in **Settings** > **Accounts** > **Access Work or School** > **Info**. In the **Device sync status** section, you can start a sync, see areas managed by MDM, and create and export an advanced diagnostics report.
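Review bot: inbound links to the headings deleted here ("Windows 10 Holographic, version 1809" and "Windows 10, version 1803 for Microsoft HoloLens", plus their "For administrators" subsection) will dangle once this hunk lands, because nothing is left behind in hololens-release-notes.md that points at the new home of this text in hololens1-release-notes.md; leave a one-line pointer ("For HoloLens (1st gen) release notes, see hololens1-release-notes.md") at the spot where these sections stood, or make sure a redirect covers the old fragments. The deleted line consisting of a single non-breaking space after the provisioning-wizard bullet is fine to drop, but it is a sign the old text was pasted from a rendered page, so it is worth checking the new copy for the same invisible characters.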
diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md
index 6cfcb281b0..c8be6947ae 100644
--- a/devices/hololens/hololens-requirements.md
+++ b/devices/hololens/hololens-requirements.md
@@ -66,7 +66,7 @@ There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk m
**How to Configure Kiosk Mode:**
-There are two main ways ([provisioning packages](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) and [MDM](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc.
+There are two main ways ([provisioning packages](hololens-kiosk.md#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk) and [MDM](hololens-kiosk.md#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc.
### Apps and App Specific Scenarios
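Review bot: the two rewritten anchors target headings in hololens-kiosk.md that this patch does not touch (`#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk` and `#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk`); confirm those headings exist with exactly those slugs, since the docs build does not flag a dead fragment and the old slugs were presumably removed for a reason. The unchanged tail of the same line, "These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc", is now wrong in the same breath, because the links jump to hololens-kiosk.md rather than to sections of this document; rewrite it to say the details are in the kiosk article.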
diff --git a/devices/hololens/hololens1-release-notes.md b/devices/hololens/hololens1-release-notes.md
new file mode 100644
index 0000000000..4002d4b7ea
--- /dev/null
+++ b/devices/hololens/hololens1-release-notes.md
@@ -0,0 +1,84 @@
+---
+title: HoloLens 1st (Gen) release notes
+description: Learn about updates in each new HoloLens release.
+author: evmill
+ms.author: v-evmill
+manager: yannisle
+ms.prod: hololens
+ms.sitesec: library
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 05/12/2020
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
+audience: ITPro
+appliesto:
+- HoloLens 1
+
+---
+
+# HoloLens 1st (Gen) release notes
+
+### Windows 10 Holographic, version 1809
+
+> **Applies to:** Hololens (1st gen)
+
+| Feature | Details |
+|---|---|
+| **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app. See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.
|
+| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you'll be able to stop recording from the same place. (Don't forget, you can always do this with voice commands too.) |
+| **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. |
+| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you're in an immersive experience, use the bloom gesture). |
+| **HoloLens overlays** (file picker, keyboard, dialogs, etc.) | You'll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. |
+| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you'll see a visual display of the volume level. |
+| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it's between the "Hello" message and the Windows boot logo. |
+| **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. |
+| **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. |
+
+#### For international customers
+
+| Feature | Details |
+| --- | --- |
+| Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands. [Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md) |
+| Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English. |
+
+#### For administrators
+
+| Feature | Details |
+|---|----|
+| [Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. |
+| Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. |
+| PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**. |
+| Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password. **Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in. |
+| Read device hardware info through MDM so devices can be tracked by serial number | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
+| Set HoloLens device name through MDM (rename) | IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
+
+### Windows 10, version 1803 for Microsoft HoloLens
+
+> **Applies to:** Hololens (1st gen)
+
+Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes:
+
+- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md).
+
+- You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq).
+- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#provisioning-package-hololens-wizard).
+
+- When you create a local account in a provisioning package, the password no longer expires every 42 days.
+
+- You can [configure HoloLens as a single-app or multi-app kiosk](hololens-kiosk.md). Multi-app kiosk mode lets you set up a HoloLens to only run the apps that you specify, and prevents users from making changes.
+
+- Media Transfer Protocol (MTP) is enabled so that you can connect the HoloLens device to a PC by USB and transfer files between HoloLens and the PC. You can also use the File Explorer app to move and delete files from within HoloLens.
+
+- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically.
+
+- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business.
+
+- You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts.
+
+- When setup or sign-in fails, choose the new **Collect info** option to get diagnostic logs for troubleshooting.
+
+- Individual users can sync their corporate email without enrolling their device in mobile device management (MDM). You can use the device with a Microsoft Account, download and install the Mail app, and add an email account directly.
+
+- You can check the MDM sync status for a device in **Settings** > **Accounts** > **Access Work or School** > **Info**. In the **Device sync status** section, you can start a sync, see areas managed by MDM, and create and export an advanced diagnostics report.
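Review bot: the first row of the "Windows 10 Holographic, version 1809" table is broken; the closing `|` of the **Quick actions menu** row sits alone on the line after "in kiosk mode.", which the Markdown renderer will not treat as part of the row, so join it onto the previous line. The heading hierarchy also jumps from `# HoloLens 1st (Gen) release notes` straight to `###`; make the version headings `##` and the subsections `###`. In the administrators table, "**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in" reads as if a user can skip a credential the tenant mandates; say what is actually skipped (the local PIN or smart card credential-provider prompt, in favour of password-based web sign-in) so admins do not read it as a policy bypass. Minor: "Hololens (1st gen)" in both Applies-to callouts should be "HoloLens", "verify that upgrade license for Commercial Suite" is missing "the", and the title's "1st (Gen)" does not match the "(1st gen)" used in the callouts.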
diff --git a/devices/hololens/hololens1-upgrade-enterprise.md b/devices/hololens/hololens1-upgrade-enterprise.md
index 5e535af10d..6a2e45d571 100644
--- a/devices/hololens/hololens1-upgrade-enterprise.md
+++ b/devices/hololens/hololens1-upgrade-enterprise.md
@@ -16,6 +16,9 @@ appliesto:
# Unlock Windows Holographic for Business features
+> [!IMPORTANT]
+> This page only applies to HoloLens 1st Gen.
+
Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 that is designed for HoloLens), and in the [Commercial Suite](hololens-commercial-features.md), which provides extra features designed for business.
When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. You can apply this license to the device either by using the organization's [mobile device management (MDM) provider](#edition-upgrade-by-using-mdm) or a [provisioning package](#edition-upgrade-by-using-a-provisioning-package).
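Review bot: the new callout writes "HoloLens 1st Gen" while the rest of this patch uses "HoloLens (1st gen)" in the Applies-to callouts and "HoloLens 1st (Gen)" in the new release-notes title; settle on one form across the three files. Since the front matter `appliesto:` already scopes this page, the callout earns its place mainly if it also tells a HoloLens 2 reader where to go instead; add that link rather than only telling them the page does not apply.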
diff --git a/devices/hololens/hololens2-autopilot.md b/devices/hololens/hololens2-autopilot.md
new file mode 100644
index 0000000000..d92aee8369
--- /dev/null
+++ b/devices/hololens/hololens2-autopilot.md
@@ -0,0 +1,230 @@
+---
+title: Windows Autopilot for HoloLens 2 evaluation guide
+description:
+author: Teresa-Motiv
+ms.author: v-tea
+ms.date: 4/10/2020
+ms.prod: hololens
+ms.topic: article
+ms.custom:
+- CI 116283
+- CSSTroubleshooting
+audience: ITPro
+ms.localizationpriority: high
+keywords: autopilot
+manager: jarrettr
+appliesto:
+- HoloLens 2
+---
+
+# Windows Autopilot for HoloLens 2 evaluation guide
+
+When you set up HoloLens 2 devices for the Windows Autopilot program, your users can follow a simple process to provision the devices from the cloud.
+
+This Autopilot program supports Autopilot self-deploying mode to provision HoloLens 2 devices as shared devices under your tenant. Self-deploying mode leverages the device's preinstalled OEM image and drivers during the provisioning process. A user can provision the device without putting the device on and going through the Out-of-the-box Experience (OOBE).
+
+
+
+When a user starts the Autopilot self-deploying process, the process completes the following steps:
+
+1. Join the device to Azure Active Directory (Azure AD).
+ > [!NOTE]
+ > Autopilot for HoloLens does not support Active Directory join or Hybrid Azure AD join.
+1. Use Azure AD to enroll the device in Microsoft Intune (or another MDM service).
+1. Download the device-targeted policies, user-targeted apps, certificates, and networking profiles.
+1. Provision the device.
+1. Present the sign-in screen to the user.
+
+## Windows Autopilot for HoloLens 2: Get started
+
+The following steps summarize the process of setting up your environment for the Windows Autopilot for HoloLens 2. The rest of this section provides the details of these steps.
+
+1. Make sure that you meet the requirements for Windows Autopilot for HoloLens.
+1. Enroll in the Windows Autopilot for HoloLens 2 program.
+1. Verify that your tenant is flighted (enrolled to participate in the program).
+1. Register devices in Windows Autopilot.
+1. Create a device group.
+1. Create a deployment profile.
+1. Verify the ESP configuration.
+1. Configure a custom configuration profile for HoloLens devices (known issue).
+1. Verify the profile status of the HoloLens devices.
+
+### 1. Make sure that you meet the requirements for Windows Autopilot for HoloLens
+For the latest information about how to participate in the program, review [Windows Insider Release Notes](hololens-insider.md#windows-insider-release-notes).
+
+Review the following sections of the Windows Autopilot requirements article:
+
+- [Network requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements#networking-requirements)
+- [Licensing requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements#licensing-requirements)
+- [Configuration requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements#configuration-requirements)
+> [!IMPORTANT]
+> Unlike other Windows Autopilot programs, Windows Autopilot for HoloLens 2 has specific operating system requirements.
+
+Review the "[Requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying#requirements)" section of the Windows Autopilot Self-Deploying mode article. Your environment has to meet these requirements as well as the standard Windows Autopilot requirements.
+
+> [!NOTE]
+> You do not have to review the "Step by step" and "Validation" sections of the article. The procedures later in this article provide corresponding steps that are specific to HoloLens.
+
+> [!IMPORTANT]
+> For information about how to register devices and configure profiles, see [4. Register devices in Windows Autopilot](#4-register-devices-in-windows-autopilot) and [6. Create a deployment profile](#6-create-a-deployment-profile) in this article. These sections provide steps that are specific to HoloLens.
+
+Before you start the OOBE and provisioning process, make sure that the HoloLens devices meet the following requirements:
+
+- The devices are not already members of Azure AD, and are not enrolled in Intune (or another MDM system). The Autopilot self-deploying process completes these steps. To make sure that all the device-related information is cleaned up, check the **Devices** pages in both Azure AD and Intune.
+- Every device can connect to the internet. You can use "USB C to Ethernet" adapters for wired internet connectivity or "USB C to Wifi" adapters for wireless internet connectivity.
+- Every device can connect to a computer by using a USB-C cable, and that computer has [Advanced Recovery Companion (ARC)](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?rtc=1&activetab=pivot:overviewtab) installed
+- Every device has the latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version.
+
+To configure and manage the Autopilot self-deploying mode profiles, make sure that you have access to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
+
+### 2. Enroll in the Windows Autopilot for HoloLens 2 program
+
+To participate in the program, you have to use a tenant that is flighted for HoloLens. To do this, go to [Windows Autopilot for HoloLens Private Preview request](https://aka.ms/APHoloLensTAP) or use the following QR code to submit a request.
+
+
+
+In this request, provide the following information:
+
+- Tenant domain
+- Tenant ID
+- Number of HoloLens 2 devices that are participating in this evaluation
+- Number of HoloLens 2 devices that you plan to deploy by using Autopilot self-deploying mode
+
+### 3. Verify that your tenant is flighted
+
+To verify that your tenant is flighted for the Autopilot program after you submit your request, follow these steps:
+
+1. Sign in to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
+1. Select **Devices** > **Windows** > **Windows enrollment** > **Windows Autopilot deployment profiles** > **Create profile**.
+
+ 
+ You should see a list that includes **HoloLens**. If this option is not present, use one of the [Feedback](#feedback) options to contact us.
+
+### 4. Register devices in Windows Autopilot
+
+To register a HoloLens device in the Windows Autopilot program, you have to obtain the hardware hash of the device (also known as the hardware ID). The device can record its hardware hash in a CSV file during the OOBE process, or later when a device owner starts the diagnostic log collection process (described in the following procedure). Typically, the device owner is the first user to sign in to the device.
+
+**Retrieve a device hardware hash**
+
+1. Start the HoloLens 2 device.
+1. On the device, press the Power and Volume Down buttons at the same time and then release them. The device collects diagnostic logs and the hardware hash, and stores them in a set of .zip files.
+1. Use a USB-C cable to connect the device to a computer.
+1. On the computer, open File Explorer. Open **This PC\\\<*HoloLens device name*>\\Internal Storage\\Documents**, and locate the AutopilotDiagnostics.zip file.
+
+ > [!NOTE]
+ > The .zip file may not immediately be available. If the file is not ready yet you may see a HoloLensDiagnostics.temp file in the Documents folder. To update the list of files, refresh the window.
+
+1. Extract the contents of the AutopilotDiagnostics.zip file.
+1. In the extracted files, locate the CSV file that has a file name prefix of "DeviceHash." Copy that file to a drive on the computer where you can access it later.
+ > [!IMPORTANT]
+ > The data in the CSV file should use the following header and line format:
+ > ```
+ > Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User ,,,,
+ >```
+
+**Register the device in Windows Autopilot**
+
+1. In Microsoft Endpoint Manager Admin Center, select **Devices** > **Windows** > **Windows enrollment**, and then select **Devices** > **Import** under **Windows Autopilot Deployment Program**.
+
+1. Under **Add Windows Autopilot devices**, select the DeviceHash CSV file, select **Open**, and then select **Import**.
+
+ 
+1. After the import finishes, select **Devices** > **Windows** > **Windows enrollment** > **Devices** > **Sync**. The process might take a few minutes to complete, depending on how many devices are being synchronized. To see the registered device, select **Refresh**.
+
+ 
+
+### 5. Create a device group
+
+1. In Microsoft Endpoint Manager admin center, select **Groups** > **New group**.
+1. For **Group type**, select **Security**, and then enter a group name and description.
+1. For **Membership type**, select either **Assigned** or **Dynamic Device**.
+1. Do one of the following:
+
+ - If you selected **Assigned** for **Membership type** in the previous step, select **Members**, and then add Autopilot devices to the group. Autopilot devices that aren't yet enrolled are listed by using the device serial number as the device name.
+ - If you selected **Dynamic Devices** for **Membership type** in the previous step, select **Dynamic device members**, and then enter code in **Advanced rule** that resembles the following:
+ - If you want to create a group that includes all of your Autopilot devices, type: `(device.devicePhysicalIDs -any _ -contains "[ZTDId]")`
+ - Intune's group tag field maps to the **OrderID** attribute on Azure AD devices. If you want to create a group that includes all of your Autopilot devices that have a specific group tag (the Azure AD device OrderID), you must type: `(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")`
+ - If you want to create a group that includes all your Autopilot devices that have a specific Purchase Order ID, type: `(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")`
+
+ > [!NOTE]
+ > These rules target attributes that are unique to Autopilot devices.
+1. Select **Save**, and then select **Create**.
+
+### 6. Create a deployment profile
+
+1. In Microsoft Endpoint Manager admin center, select **Devices** > **Windows** > **Windows enrollment** > **Windows Autopilot deployment profiles** > **Create profile** > **HoloLens**.
+1. Enter a profile name and description, and then select **Next**.
+
+ 
+1. On the **Out-of-box experience (OOBE)** page, most of the settings are pre-configured to streamline OOBE for this evaluation. Optionally, you can configure the following settings:
+
+ - **Language (Region)**: Select the language for OOBE. We recommend that you select a language from the list of [supported languages for HoloLens 2](hololens2-language-support.md).
+ - **Automatically configure keyboard**: To make sure that the keyboard matches the selected language, select **Yes**.
+ - **Apply device name template**: To automatically set the device name during OOBE, select **Yes** and then enter the template phrase and placeholders in **Enter a name** For example, enter a prefix and `%RAND:4%`—a placeholder for a four-digit random number.
+ > [!NOTE]
+ > If you use a device name template, the OOBE process restarts the device one additional time after it applies the device name and before it joins the device to Azure AD. This restart enables the new name to take effect.
+
+ 
+1. After you configure the settings, select **Next**.
+1. On the **Scope tags** page, optionally add the scope tags that you want to apply to this profile. For more information about scope tags, see [Use role-based access control and scope tags for distributed IT](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags.md). When finished, select **Next**.
+1. On the **Assignments** page, select **Selected groups** for **Assign to**.
+1. Under **SELECTED GROUPS**, select **+ Select groups to include**.
+1. In the **Select groups to include** list, select the device group that you created for the Autopilot HoloLens devices, and then select **Next**.
+
+ If you want to exclude any groups, select **Select groups to exclude**, and select the groups that you want to exclude.
+
+ 
+1. On the **Review + Create** page, review the settings and then select **Create** to create the profile.
+
+ 
+
+### 7. Verify the ESP configuration
+
+The Enrollment Status Page (ESP) displays the status of the complete device configuration process that runs when an MDM managed user signs into a device for the first time. Make sure that your ESP configuration resembles the following, and verify that the assignments are correct.
+
+
+
+### 8. Verify the profile status of the HoloLens devices
+
+1. In Microsoft Endpoint Manager Admin Center, select **Devices** > **Windows** > **Windows enrollment** > **Devices**.
+1. Verify that the HoloLens devices are listed, and that their profile status is **Assigned**.
+ > [!NOTE]
+ > It may take a few minutes for the profile to be assigned to the device.
+
+ 
+
+## Windows Autopilot for HoloLens 2 User Experience
+
+Your HoloLens users can follow these steps to provision HoloLens devices.
+
+1. Use the USB-C cable to connect the HoloLens device to a computer that has Advanced Recovery Companion (ARC) installed and has the appropriate Windows update downloaded.
+1. Use ARC to flash the appropriate version of Windows on to the device.
+1. Connect the device to the network, and then restart the device.
+ > [!IMPORTANT]
+ > You must connect the device to the network before the Out-of-the-Box-Experience (OOBE) starts. The device determines whether it is provisioning as an Autopilot device while on the first OOBE screen. If the device cannot connect to the network, or if you choose not to provision the device as an Autopilot device, you cannot change to Autopilot provisioning at a later time. Instead, you would have to start this procedure over in order to provision the device as an Autopilot device.
+
+ The device should automatically start OOBE. Do not interact with OOBE. Instead sit, back and relax! Let HoloLens 2 detect network connectivity and allow it complete OOBE automatically. The device may restart during OOBE. The OOBE screens should resemble the following.
+
+ 
+ 
+ 
+ 
+
+At the end of OOBE, you can sign in to the device by using your user name and password.
+
+ 
+
+## Known Issues
+
+- You cannot install applications that use the device security context.
+
+## Feedback
+
+To provide feedback or report issues, use one of the following methods:
+
+- Use the Feedback Hub app. You can find this app on a HoloLens-connected computer. In Feedback Hub, select the **Enterprise Management** > **Device** category.
+
+ When you provide feedback or report an issue, provide a detailed description. If applicable, include screenshots and logs.
+- Send an email message to [hlappreview@microsoft.com](mailto:hlappreview@microsoft.com). For the email subject, enter **\<*Tenant*> Autopilot for HoloLens 2 evaluation feedback** (where \<*Tenant*> is the name of your Intune tenant).
+
+ Provide a detailed description in your message. However, unless Support personnel specifically request it, do not include data such as screenshots or logs. Such data might include private or personally identifiable information (PII).
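Review bot: the overview claim that "A user can provision the device without putting the device on and going through the Out-of-the-box Experience (OOBE)" contradicts the user-experience section, where "The device should automatically start OOBE" and the IMPORTANT callout requires network before "the Out-of-the-Box-Experience (OOBE) starts"; self-deploying mode runs OOBE without user interaction, it does not skip it, so rephrase to "without interacting with OOBE". The scope-tags link `https://docs.microsoft.com/mem/intune/fundamentals/scope-tags.md` carries a `.md` suffix that does not belong in a published docs URL. The CSV header sample, `Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User ,,,,`, has a trailing space in "Assigned User " and four trailing commas; if that is exactly what the device writes, say so, otherwise fix the sample so a reader who hand-edits the file does not produce a header the import rejects. The dynamic-group rules embed concrete values (`"[OrderID]:179887111881"`, `"[PurchaseOrderId]:76222342342"`) with nothing marking them as placeholders, and the attribute name is spelled `devicePhysicalIDs` in the first rule and `devicePhysicalIds` in the next two; label the values as samples to replace and use one spelling. Because the exported hardware hash is what registers the device to a tenant, the step "Copy that file to a drive on the computer where you can access it later" should add that the file is not to be left in shared or synced folders. Minor: the front-matter `description:` is empty, "sit, back and relax!" should read "sit back and relax", and the known issue "You cannot install applications that use the device security context" needs a sentence on which app types or deployment settings this affects to be actionable.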
diff --git a/devices/hololens/hololens2-hardware.md b/devices/hololens/hololens2-hardware.md
index ca62dbf852..048dd790da 100644
--- a/devices/hololens/hololens2-hardware.md
+++ b/devices/hololens/hololens2-hardware.md
@@ -123,7 +123,6 @@ In order to maintain/advance Internal Battery Charge Percentage while the device
- Windows Holographic Operating System
- Microsoft Edge
- Dynamics 365 Remote Assist
-- Dynamics 365 Layout
- Dynamics 365 Guides
- 3D Viewer
- OneDrive for Business
@@ -134,27 +133,11 @@ In order to maintain/advance Internal Battery Charge Percentage while the device
### Safety
-HoloLens 2 has been tested and conforms to the basic impact protection requirements of ANSI Z87.1, CSA Z94.3 and EN 166.
+[Product Safety](https://support.microsoft.com/en-us/help/4023454/safety-information)
+Eye safety: HoloLens 2 has been tested and conforms to the basic impact protection requirements of ANSI Z87.1, CSA Z94.3 and EN 166.
-## Care and cleaning
-
-Handle your HoloLens carefully. Use the headband to lift and carry the HoloLens 2.
-
-As you would for eyeglasses or protective eye-wear, try to keep the HoloLens visor free of dust and fingerprints. When possible, avoid touching the visor. Repeated cleaning could damage the visor, so keep your device clean!
-
-Don't use any cleaners or solvents on your HoloLens, and don't submerge it in water or apply water directly to it.
-
-To clean the visor, remove any dust by using a camel or goat hair lens brush or a bulb-style lens blower. Lightly moisten the microfiber cloth with a small amount of distilled water, then use it to wipe the visor gently in a circular motion.
-
-Clean the rest of the device, including the headband and device arms, with a lint-free microfiber cloth moistened with mild soap and water. Let your HoloLens dry completely before reuse.
-
-
-
-### Replace the brow pad
-
-The brow pad is magnetically attached to the device. To detach it, pull gently away. To replace it, snap it back into place.
-
-
+### Regulatory Information
+[HoloLens Regulatory](https://support.microsoft.com/en-us/help/13761/hololens-regulatory-information)
## Next step
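Review bot: the two new support links hardcode the locale (`https://support.microsoft.com/en-us/help/4023454/safety-information` and `https://support.microsoft.com/en-us/help/13761/hololens-regulatory-information`); drop the `en-us` segment so the support site serves the reader's language. The `[Product Safety](...)` line and the `Eye safety: HoloLens 2 has been tested...` line are consecutive with no blank line between them, so they render as a single paragraph; separate them, and give the `### Regulatory Information` heading a blank line before its link for the same reason. The removed "Care and cleaning" and "Replace the brow pad" sections, including the guidance not to use cleaners or solvents and not to submerge the device, leave this page with no pointer to where that text now lives; add a link to hololens2-maintenance.md (retitled "HoloLens 2 cleaning FAQ" elsewhere in this patch) where the section was.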
diff --git a/devices/hololens/hololens2-language-support.md b/devices/hololens/hololens2-language-support.md
index 955eec82e6..e97e9dd065 100644
--- a/devices/hololens/hololens2-language-support.md
+++ b/devices/hololens/hololens2-language-support.md
@@ -62,7 +62,7 @@ The setup process configures your HoloLens for a specific region and language. Y
If the supported language that you're looking for is not in the menu, follow these steps:
1. Under **Preferred languages**, select **Add a language**.
-2. Locater and add the language.
+2. Locate and add the language.
3. Select the **Windows display language** menu again, and then select the language that you added in the previous step.
### To change the keyboard layout
diff --git a/devices/hololens/hololens2-maintenance.md b/devices/hololens/hololens2-maintenance.md
index 1faaca4425..88617eea68 100644
--- a/devices/hololens/hololens2-maintenance.md
+++ b/devices/hololens/hololens2-maintenance.md
@@ -1,9 +1,9 @@
---
-title: HoloLens 2 device care and cleaning FAQ
+title: HoloLens 2 cleaning FAQ
description:
author: Teresa-Motiv
ms.author: v-tea
-ms.date: 3/26/2020
+ms.date: 4/14/2020
ms.prod: hololens
ms.topic: article
ms.custom:
@@ -17,7 +17,7 @@ appliesto:
- HoloLens 2
---
-# Frequently asked questions about cleaning HoloLens 2 devices
+# HoloLens 2 cleaning FAQ
> [!IMPORTANT]
> Microsoft cannot make a determination of the effectiveness of any given disinfectant product in fighting pathogens such as COVID-19. Please refer to your local public health authority's guidance about how to stay safe from potential infection.
@@ -69,10 +69,10 @@ To clean the brow pad, wipe it by using a cloth that's moistened by using water
## Can I use ultraviolet (UV) light to sanitize the device?
-UV germicidal irradiation has not been tested on HoloLens 2.
+UV-C germicidal irradiation has not been tested on HoloLens 2.
> [!CAUTION]
-> High levels of UV exposure can degrade the display quality of the device and damage the visor coating. Over-exposure to UV radiation has the following effects, in order of the duration and intensity of exposure:
+> High levels of UV-A and UV-B exposure can degrade the display quality of the device and damage the visor coating. Over-exposure to UV-A and UV-B radiation has the following effects, in order of the duration and intensity of exposure:
>
> 1. The brow pad and device closures become discolored.
> 1. Defects appear in the anti-reflective (AR) coating on the visor and on the sensor windows.
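Review bot: narrowing the untested claim to UV-C while the caution beneath it now names only UV-A and UV-B leaves a reader to guess whether a UV-C germicidal lamp damages the visor coating and sensor windows in the same way, and the juxtaposition can be read as clearing UV-C. State explicitly that UV-C has been evaluated neither for sanitizing effectiveness nor for material damage, or that the listed effects apply to UV exposure generally, so the caution is not taken as an endorsement of UV-C.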
diff --git a/devices/hololens/images/DarkMode.jpg b/devices/hololens/images/DarkMode.jpg
new file mode 100644
index 0000000000..f2cd7c4510
Binary files /dev/null and b/devices/hololens/images/DarkMode.jpg differ
diff --git a/devices/hololens/images/MicrosoftHoloLensRecovery.png b/devices/hololens/images/MicrosoftHoloLensRecovery.png
new file mode 100644
index 0000000000..b162b881d8
Binary files /dev/null and b/devices/hololens/images/MicrosoftHoloLensRecovery.png differ
diff --git a/devices/hololens/images/hololens-ap-devices-assignments.png b/devices/hololens/images/hololens-ap-devices-assignments.png
new file mode 100644
index 0000000000..f99eaa367d
Binary files /dev/null and b/devices/hololens/images/hololens-ap-devices-assignments.png differ
diff --git a/devices/hololens/images/hololens-ap-devices-sync.png b/devices/hololens/images/hololens-ap-devices-sync.png
new file mode 100644
index 0000000000..fe970f7983
Binary files /dev/null and b/devices/hololens/images/hololens-ap-devices-sync.png differ
diff --git a/devices/hololens/images/hololens-ap-enrollment-profiles.png b/devices/hololens/images/hololens-ap-enrollment-profiles.png
new file mode 100644
index 0000000000..1e3e8dfaa4
Binary files /dev/null and b/devices/hololens/images/hololens-ap-enrollment-profiles.png differ
diff --git a/devices/hololens/images/hololens-ap-hash-import.png b/devices/hololens/images/hololens-ap-hash-import.png
new file mode 100644
index 0000000000..078e73d78c
Binary files /dev/null and b/devices/hololens/images/hololens-ap-hash-import.png differ
diff --git a/devices/hololens/images/hololens-ap-intro.png b/devices/hololens/images/hololens-ap-intro.png
new file mode 100644
index 0000000000..8095114167
Binary files /dev/null and b/devices/hololens/images/hololens-ap-intro.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-assign-devicegroup.png b/devices/hololens/images/hololens-ap-profile-assign-devicegroup.png
new file mode 100644
index 0000000000..9e6dc92a3c
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-assign-devicegroup.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-name.png b/devices/hololens/images/hololens-ap-profile-name.png
new file mode 100644
index 0000000000..a427b437b8
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-name.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-oobe.png b/devices/hololens/images/hololens-ap-profile-oobe.png
new file mode 100644
index 0000000000..e14226d7ad
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-oobe.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-settings-oma.png b/devices/hololens/images/hololens-ap-profile-settings-oma.png
new file mode 100644
index 0000000000..7528f55292
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-settings-oma.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-settings.png b/devices/hololens/images/hololens-ap-profile-settings.png
new file mode 100644
index 0000000000..5753814e1b
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-settings.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-summ.png b/devices/hololens/images/hololens-ap-profile-summ.png
new file mode 100644
index 0000000000..4fb955bbdf
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-summ.png differ
diff --git a/devices/hololens/images/hololens-ap-qrcode.png b/devices/hololens/images/hololens-ap-qrcode.png
new file mode 100644
index 0000000000..c5296e3e91
Binary files /dev/null and b/devices/hololens/images/hololens-ap-qrcode.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-1.png b/devices/hololens/images/hololens-ap-uex-1.png
new file mode 100644
index 0000000000..f89faa366a
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-1.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-2.png b/devices/hololens/images/hololens-ap-uex-2.png
new file mode 100644
index 0000000000..5bf1beb3f0
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-2.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-3.png b/devices/hololens/images/hololens-ap-uex-3.png
new file mode 100644
index 0000000000..59a7362269
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-3.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-4.png b/devices/hololens/images/hololens-ap-uex-4.png
new file mode 100644
index 0000000000..f17557b5c4
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-4.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-5.png b/devices/hololens/images/hololens-ap-uex-5.png
new file mode 100644
index 0000000000..0bd23da48e
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-5.png differ
diff --git a/devices/hololens/images/hololens-darkmode-tiled-picture.jpg b/devices/hololens/images/hololens-darkmode-tiled-picture.jpg
new file mode 100644
index 0000000000..bfa3ee78af
Binary files /dev/null and b/devices/hololens/images/hololens-darkmode-tiled-picture.jpg differ
diff --git a/devices/hololens/images/hololens-feedback-1.png b/devices/hololens/images/hololens-feedback-1.png
new file mode 100644
index 0000000000..6433befe3c
Binary files /dev/null and b/devices/hololens/images/hololens-feedback-1.png differ
diff --git a/devices/hololens/images/hololens-start-feedback.png b/devices/hololens/images/hololens-start-feedback.png
new file mode 100644
index 0000000000..0b4639843d
Binary files /dev/null and b/devices/hololens/images/hololens-start-feedback.png differ
diff --git a/devices/hololens/images/hololens2-feedbackhub-tile.png b/devices/hololens/images/hololens2-feedbackhub-tile.png
new file mode 100644
index 0000000000..692baddd55
Binary files /dev/null and b/devices/hololens/images/hololens2-feedbackhub-tile.png differ
diff --git a/devices/hololens/index.md b/devices/hololens/index.md
index 47862d7138..91a487f9a0 100644
--- a/devices/hololens/index.md
+++ b/devices/hololens/index.md
@@ -53,7 +53,7 @@ appliesto:
| [HoloLens user management](hololens-multiple-users.md) | Multiple users can share a HoloLens device by using their Azure Active Directory accounts. |
| [HoloLens application access management](hololens-kiosk.md) | Manage application access for different user groups. |
| [Recover and troubleshoot HoloLens issues](https://support.microsoft.com/products/hololens) | Learn how to gather logs from HoloLens, recover a misbehaving device, or reset HoloLens when necessary. |
-| [Contact Support](https://support.microsoft.com/supportforbusiness/productselection) | Create a new support request for the business support team. |
+| [Contact Support](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f) | Create a new support request for the business support team. |
| [More support options](https://support.microsoft.com/products/hololens) | Connect with Microsoft support resources for HoloLens in the enterprise. |
## Related resources
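Review bot: the `Contact Support` URL now embeds a `sapid=` GUID that is not documented anywhere in this repo; record in the PR where the identifier comes from and who owns it, otherwise the next editor has no way to tell a stale or wrong ID from a valid one when the link stops pre-selecting the product.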
diff --git a/devices/hololens/scep-whitepaper.md b/devices/hololens/scep-whitepaper.md
deleted file mode 100644
index ee0915b54b..0000000000
--- a/devices/hololens/scep-whitepaper.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: SCEP Whitepaper
-description: A whitepaper that describes how Microsoft mitigates the vulnerabilities of SCEP.
-ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b
-author: pawinfie
-ms.author: pawinfie
-ms.date: 02/12/2020
-keywords: hololens, Windows Mixed Reality, security
-ms.prod: hololens
-ms.sitesec: library
-ms.topic: article
-audience: ITPro
-ms.localizationpriority: high
-ms.custom:
-- CI 111456
-- CSSTroubleshooting
-appliesto:
-- HoloLens 1 (1st gen)
-- HoloLens 2
----
-
-# SCEP whitepaper
-
-## High Level
-
-### How the SCEP Challenge PW is secured
-
-We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information we've configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes.
-
-We then pass that to the device and then the device generates it's CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert. If any portion of this check fails then the certificate request is rejected.
-
-## Behind the scenes
-
-### Intune Connector has a number of responsibilities
-
-1. The connector is SCEP policy module which contains a "Certification Registration Point" component which interacts with the Intune service, and is responsible for validating, and securing the SCEP request coming into the NDES server.
-
-1. The connector will install an App Pool on the NDES IIS server > Microsoft Intune CRP service Pool, and a CertificateRegistrationSvc under the "Default Web Site" on IIS.
-
-1. **When the Intune NDES connector is first configured/setup on the NDES server, a certificate is issued from the Intune cloud service to the NDES server. This cert is used to securely communicate with the Intune cloud service - customer tenant. The cert is unique to the customers NDES server. Can be viewed in Certlm.msc issued by SC_Online_Issuing. This certs Public key is used by Intune in the cloud to encrypt the challenge blob. In addition, when the connector is configured, Intune's public key is sent to the NDES server.**
- >[!NOTE]
- >The connector communication with Intune is strictly outbound traffic.
-
-1. The Intune cloud service combined with the Intune connector/policy module addresses the SCEP protocol challenge password weakness (in the SCEP protocol) by generating a custom challenge. The challenge is generated in Intune itself.
-
- 1. In the challenge blob, Intune puts information that we expect in the cert request (CSR - Certificate Signing Request) coming from a mobile device like the following: what we expect the Subject and SAN (validated against AAD attributes/properties of the user/device) to be, and specifics contained in the Intune SCEP profile that is created by an Intune admin, i.e., Request Handling, EKU, Renewal, validity period, key size, renewal period.
- >[!NOTE]
- >The Challenge blob is Encrypted with the Connectors Public Key, and Signed with Intune's (cloud service) Private Key. The device cannot decrypt the challenge
-
- 1. When an Intune admin creates a SCEP profile in their tenant, Intune will send the SCEP profile payload along with the Encrypted and Signed Challenge to the targeted device. The device generates a CSR, and reaches out to NDES URL (contained in the SCEP profile). The device cert request payload contains the CSR, and the encrypted, signed challenge blob.
-
- 1. When the device reaches out to the NDES server (via the NDES/SCEP URL provided in the SCEP Profile payload), the SCEP cert request validation is performed by the policy module running on the NDES server. The challenge signature is verified using Intune's public key (which is on the NDES server, when the connector was installed and configured) and decrypted using the connectors private key. The policy module compares the CSR details against the decrypted challenge and determines if a cert should be issued. If the CSR passes validation, the NDES server requests a certificate from the CA on behalf of the user/device.
- >[!NOTE]
- >The above process takes place on the NDES server running the Policy Module. No interaction with the Intune cloud service takes place.
-
- 1. The NDES connector notification/reporting of cert delivery takes place after NDES sends the issued cert to the device. This is performed as a separate operation outside the cert request flow. Meaning that once NDES sends the cert to the device via the AAD app proxy (or other publishing firewall/proxy, a log is written with the cert delivery details on the NDES server by the connector (file location \Program Files\Microsoft Intune\CertificateRequestStatus\Succeed\ folder. The connector will look here, and send updates to Intune.
-
- 1. The mobile device must be enrolled in Intune. If not, we reject the request as well
-
- 1. The Intune connector disables the standard NDES challenge password request URL on the NDES server.
-
- 1. The NDES server SCEP URI in most customer deployments is made available to the internet via Azure App Proxy, or an on-prem reverse proxy, i.e. F5.
- >[!NOTE]
- >The Azure App Proxy is an outbound-only connection over Port 443, from the customers onprem network where the App Proxy connector is running on a server. The AAD app proxy can also be hosted on the NDES server. No inbound ports required when using Azure App Proxy.
-
- 1. The mobile device talks only to the NDES URI
-
- 1. Side note: AAD app proxy's role is to make onprem resources (like NDES and other customer onprem web services) securely available to the internet.
-
- 1. The Intune connector must communicate with the Intune cloud service. The connector communication will not go through the Azure App Proxy. The connector will talk with the Intune cloud service via whatever mechanism a customer has onprem to allow outbound traffic to the internet, i.e. Internal proxy service.
- >[!NOTE]
- > if a proxy is used by the customer, no SSL packet inspection can take place for the NDES/Connector server going out.
-
-1. Connector traffic with Intune cloud service consists of the following operations:
-
- 1. 1st time configuration of the connector: Authentication to AAD during the initial connector setup.
-
- 1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe – full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors' SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won't be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet.
-
-1. [Here](https://docs.microsoft.com/intune/intune-endpoints#microsoft-intune-certificate-connector) is a reference for Intune NDES connector network communications.
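Review bot: this deletes the only page in the repo that explains how the Intune certificate connector validates the SCEP challenge (signed with Intune's key, encrypted to the connector's SC_Online_Issuing certificate, compared against the CSR by the policy module on NDES), and no replacement link or redirect for devices/hololens/scep-whitepaper.md is visible in this diff. Before merging, confirm a redirect points to an equivalent page that still documents the challenge validation, the disabled standard NDES challenge-password URL, and the note that the connector's outbound traffic must not pass through SSL inspection; those are the details an admin needs to deploy NDES safely, and the page was marked `ms.localizationpriority: high`.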
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index 67516c9773..867063cc0c 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -32,6 +32,7 @@
### [Create provisioning packages for Surface Hub 2S](surface-hub-2s-deploy.md)
### [Deploy apps to Surface Hub 2S using Intune](surface-hub-2s-deploy-apps-intune.md)
### [Create Surface Hub 2S on-premises accounts with PowerShell](surface-hub-2s-onprem-powershell.md)
+### [Surface Hub Teams app](hub-teams-app.md)
## Manage
### [Manage Surface Hub 2S with Microsoft Intune](surface-hub-2s-manage-intune.md)
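Review bot: the new TOC entry `Surface Hub Teams app` is placed in the deploy section between the on-premises accounts page and `## Manage`, but the page it links to (hub-teams-app.md, added in this diff) is a Store update version history whose own H1 is `Microsoft Teams app for Surface Hub`. Match the TOC title to the page title and consider placing it under `## Manage`, where update-related content sits.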
diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md
index 031501c2b4..8237e61a08 100644
--- a/devices/surface-hub/accessibility-surface-hub.md
+++ b/devices/surface-hub/accessibility-surface-hub.md
@@ -3,7 +3,7 @@ title: Accessibility (Surface Hub)
description: Accessibility settings for the Microsoft Surface Hub can be changed by using the Settings app. You'll find them under Ease of Access. Your Surface Hub has the same accessibility options as Windows 10.
ms.assetid: 1D44723B-1162-4DF6-99A2-8A3F24443442
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Accessibility settings, Settings app, Ease of Access
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md
index 8125113887..81c03b484c 100644
--- a/devices/surface-hub/admin-group-management-for-surface-hub.md
+++ b/devices/surface-hub/admin-group-management-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Admin group management (Surface Hub)
description: Every Microsoft Surface Hub can be configured individually by opening the Settings app on the device.
ms.assetid: FA67209E-B355-4333-B903-482C4A3BDCCE
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: admin group management, Settings app, configure Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
index 7b44ff3d38..f74f2297fa 100644
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
+++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
@@ -3,7 +3,7 @@ title: PowerShell for Surface Hub (Surface Hub)
description: PowerShell scripts to help set up and manage your Microsoft Surface Hub.
ms.assetid: 3EF48F63-8E4C-4D74-ACD5-461F1C653784
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: PowerShell, set up Surface Hub, manage Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
index 7ea2bc584c..66dd43f75c 100644
--- a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Applying ActiveSync policies to device accounts (Surface Hub)
description: The Microsoft Surface Hub's device account uses ActiveSync to sync mail and calendar. This allows people to join and start scheduled meetings from the Surface Hub, and allows them to email any whiteboards they have made during their meeting.
ms.assetid: FAABBA74-3088-4275-B58E-EC1070F4D110
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Surface Hub, ActiveSync policies
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index 2d55222b1b..77ce204725 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -1,7 +1,7 @@
---
title: Change history for Surface Hub
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: This topic lists new and updated topics for Surface Hub.
keywords: change history
ms.prod: surface-hub
diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md
index 142af6e80e..d20e57a184 100644
--- a/devices/surface-hub/change-surface-hub-device-account.md
+++ b/devices/surface-hub/change-surface-hub-device-account.md
@@ -3,7 +3,7 @@ title: Change the Microsoft Surface Hub device account
description: You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned.
ms.assetid: AFC43043-3319-44BC-9310-29B1F375E672
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: change device account, change properties, Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md
index 5fd13d7b95..d5f39c55db 100644
--- a/devices/surface-hub/connect-and-display-with-surface-hub.md
+++ b/devices/surface-hub/connect-and-display-with-surface-hub.md
@@ -3,7 +3,7 @@ title: Connect other devices and display with Surface Hub
description: You can connect other device to your Surface Hub to display content.
ms.assetid: 8BB80FA3-D364-4A90-B72B-65F0F0FC1F0D
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.prod: surface-hub
ms.sitesec: library
author: dansimp
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md
index ff76987746..29f9557045 100644
--- a/devices/surface-hub/create-a-device-account-using-office-365.md
+++ b/devices/surface-hub/create-a-device-account-using-office-365.md
@@ -3,7 +3,7 @@ title: Create a device account using UI (Surface Hub)
description: If you prefer to use a graphical user interface, you can create a device account for your Microsoft Surface Hub with either the Office 365 UI or the Exchange Admin Center.
ms.assetid: D11BCDC4-DABA-4B9A-9ECB-58E02CC8218C
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: create device account, Office 365 UI, Exchange Admin center, Microsoft 365 admin center, Skype for Business, mobile device mailbox policy
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
index dc72c7463a..8985f70c9d 100644
--- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
+++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
@@ -3,7 +3,7 @@ title: Create and test a device account (Surface Hub)
description: This topic introduces how to create and test the device account that Microsoft Surface Hub uses to communicate with Microsoft Exchange and Skype.
ms.assetid: C8605B5F-2178-4C3A-B4E0-CE32C70ECF67
ms.reviewer: rikot
-manager: dansimp
+manager: laurawi
keywords: create and test device account, device account, Surface Hub and Microsoft Exchange, Surface Hub and Skype
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index d8d0269900..8eb3486d7d 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -3,7 +3,7 @@ title: Reset or recover a Surface Hub
description: Describes the reset and recovery processes for the Surface Hub, and provides instructions.
ms.assetid: 44E82EEE-1905-464B-A758-C2A1463909FF
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: reset Surface Hub, recover
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
index 73a50f66c9..9309e9b2a3 100644
--- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
+++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 06/20/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/enable-8021x-wired-authentication.md b/devices/surface-hub/enable-8021x-wired-authentication.md
index bf91e2e42c..8ac2baccb6 100644
--- a/devices/surface-hub/enable-8021x-wired-authentication.md
+++ b/devices/surface-hub/enable-8021x-wired-authentication.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 11/15/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
index b6fca3a49e..9a100d4a60 100644
--- a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Microsoft Exchange properties (Surface Hub)
description: Some Microsoft Exchange properties of the device account must be set to particular values to have the best meeting experience on Microsoft Surface Hub.
ms.assetid: 3E84393B-C425-45BF-95A6-D6502BA1BF29
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Microsoft Exchange properties, device account, Surface Hub, Windows PowerShell cmdlet
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/finishing-your-surface-hub-meeting.md b/devices/surface-hub/finishing-your-surface-hub-meeting.md
index 8776870779..3e02c9bb0a 100644
--- a/devices/surface-hub/finishing-your-surface-hub-meeting.md
+++ b/devices/surface-hub/finishing-your-surface-hub-meeting.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md
index 3d38a356f5..8a3bfc6e91 100644
--- a/devices/surface-hub/first-run-program-surface-hub.md
+++ b/devices/surface-hub/first-run-program-surface-hub.md
@@ -3,7 +3,7 @@ title: First-run program (Surface Hub)
description: The term \ 0034;first run \ 0034; refers to the series of steps you'll go through the first time you power up your Microsoft Surface Hub, and means the same thing as \ 0034;out-of-box experience \ 0034; (OOBE). This section will walk you through the process.
ms.assetid: 07C9E84C-1245-4511-B3B3-75939AD57C49
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: first run, Surface Hub, out-of-box experience, OOBE
ms.prod: surface-hub
ms.sitesec: library
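Review bot: the `description:` context line in this hunk carries `\ 0034;` where the quotation marks around "first run" and "out-of-box experience" should be, which renders literally on the page. Since this change already touches the front matter, fix the description in the same commit to read `The term "first run" refers to ... "out-of-box experience" (OOBE)`.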
diff --git a/devices/surface-hub/hub-teams-app.md b/devices/surface-hub/hub-teams-app.md
new file mode 100644
index 0000000000..a2e25a8458
--- /dev/null
+++ b/devices/surface-hub/hub-teams-app.md
@@ -0,0 +1,23 @@
+---
+title: Microsoft Teams app for Surface Hub
+description: Provides a version history of updates for the Microsoft Teams app for Surface Hub
+keywords: surface, hub,
+ms.prod: surface-hub
+ms.sitesec: library
+author: greglin
+ms.author: greglin
+ms.topic: article
+ms.localizationpriority: medium
+---
+
+# Microsoft Teams app for Surface Hub
+
+The Microsoft Teams app for Surface Hub is periodically updated and available via the [Microsoft Store](https://www.microsoft.com/store/apps/windows). If you manage Surface Hub with Automatic Updates enabled (default setting), the app will update automatically.
+
+
+## Version history
+| Store app version | Updates | Published to Microsoft Store |
+| --------------------- | --------------------------------------------------------------------------------------------------- | -------------------------------- |
+| 0.2020.13201.0 | - 3x3 Gallery view on Surface Hub - Ability to search for External users | June 10, 2020 **** |
+| 0.2020.13201 | - Quality improvements and Bug fixes | June 1, 2020 **** |
+| 0.2020.4301.0 | - Accept incoming PSTN calls on Surface Hub - Added controls for Attendee/Presenter role changes | May 21, 2020 |
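Review bot: the version-history table has stray `****` after the dates in the first two rows, the `Updates` cells run several items together with ` - ` inside one cell, and the version strings are inconsistent (`0.2020.13201.0` versus `0.2020.13201`). Drop the asterisks, separate items with `<br>` or one row per item, use the same four-part form for both versions, and add `ms.date` to the front matter; `keywords: surface, hub,` also ends in a trailing comma. The Store link goes to the generic Windows apps page rather than the Teams app listing, which does not help a reader trying to find the update.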
diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
index ea543e69f2..329f00f931 100644
--- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Hybrid deployment (Surface Hub)
description: A hybrid deployment requires special processing to set up a device account for your Microsoft Surface Hub.
ms.assetid: 7BFBB7BE-F587-422E-9CE4-C9DDF829E4F1
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: hybrid deployment, device account for Surface Hub, Exchange hosted on-prem, Exchange hosted online
ms.prod: surface-hub
ms.sitesec: library
@@ -144,7 +144,7 @@ Next, you enable the device account with [Skype for Business Online](#skype-for-
To enable Skype for Business online, your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required). The following table explains which plans or additional services you need.
-| Skype room system scenario | If you have Office 365 Premium, Office 365 ProPlus, or Skype for Business Standalone Plan 2, you need: | If you have an Enterprise-based plan, you need: | If you have Skype for Business Server 2015 (on-premises or hybrid), you need: |
+| Skype room system scenario | If you have Office 365 Premium, Microsoft 365 Apps for enterprise, or Skype for Business Standalone Plan 2, you need: | If you have an Enterprise-based plan, you need: | If you have Skype for Business Server 2015 (on-premises or hybrid), you need: |
| --- | --- | --- | --- |
| Join a scheduled meeting | Skype for Business Standalone Plan 1 | E1, 3, 4, or 5 | Skype for Business Server Standard CAL |
| Initiate an ad-hoc meeting | Skype for Business Standalone Plan 2 | E 1, 3, 4, or 5 | Skype for Business Server Standard CAL or Enterprise CAL |
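Review bot: the rename to `Microsoft 365 Apps for enterprise` is correct, but the context rows below still read `E1, 3, 4, or 5` in one row and `E 1, 3, 4, or 5` in the next; make the spacing consistent while this table is open. `Office 365 Premium` in the same header is not a current plan name either (the small-business SKU was `Office 365 Business Premium`, now `Microsoft 365 Business Premium`), so verify it against the same product-name list used for this rename.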
diff --git a/devices/surface-hub/images/sccm-additional.png b/devices/surface-hub/images/configmgr-additional.png
similarity index 100%
rename from devices/surface-hub/images/sccm-additional.png
rename to devices/surface-hub/images/configmgr-additional.png
diff --git a/devices/surface-hub/images/sccm-create.png b/devices/surface-hub/images/configmgr-create.png
similarity index 100%
rename from devices/surface-hub/images/sccm-create.png
rename to devices/surface-hub/images/configmgr-create.png
diff --git a/devices/surface-hub/images/sccm-oma-uri.png b/devices/surface-hub/images/configmgr-oma-uri.png
similarity index 100%
rename from devices/surface-hub/images/sccm-oma-uri.png
rename to devices/surface-hub/images/configmgr-oma-uri.png
diff --git a/devices/surface-hub/images/sccm-platform.png b/devices/surface-hub/images/configmgr-platform.png
similarity index 100%
rename from devices/surface-hub/images/sccm-platform.png
rename to devices/surface-hub/images/configmgr-platform.png
diff --git a/devices/surface-hub/images/sccm-team.png b/devices/surface-hub/images/configmgr-team.png
similarity index 100%
rename from devices/surface-hub/images/sccm-team.png
rename to devices/surface-hub/images/configmgr-team.png
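Review bot: the five `sccm-*.png` images are renamed to `configmgr-*.png`, but no markdown hunk in this diff updates the image references that point at the old names; confirm the page that embeds them was changed in the same PR, or the renamed images will fail to resolve at build time.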
diff --git a/devices/surface-hub/index.yml b/devices/surface-hub/index.yml
index 668c4b4a04..249deba5a0 100644
--- a/devices/surface-hub/index.yml
+++ b/devices/surface-hub/index.yml
@@ -25,17 +25,17 @@ highlightedContent:
# itemType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
items:
# Card
- - title: What is Surface Hub 2S?
- itemType: overview
- url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Behind-the-design-Surface-Hub-2S/ba-p/464099
+ - title: What's new in Surface Hub 2S?
+ itemType: whats-new
+ url: surface-hub-2s-whats-new.md
# Card
- title: Surface Hub security overview
itemType: learn
url: surface-hub-security.md
- # Card
- - title: What's new in Surface Hub 2S?
- itemType: whats-new
- url: surface-hub-2s-whats-new.md
+ # Card
+ - title: Manage Surface Hub 2S with Intune
+ itemType: how-to-guide
+ url: surface-hub-2s-manage-intune.md
# Card
- title: Operating system essentials
itemType: learn
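Review bot: the "What is Surface Hub 2S?" overview card (the techcommunity.microsoft.com link) is deleted outright rather than moved, while the "What's new" card takes its slot and a new "Manage Surface Hub 2S with Intune" how-to card is added. If dropping the overview card is intended, fine; otherwise it should be kept as a fourth card. Also, the removed `- # Card` and added `+ # Card` comment lines are textually identical, so the difference is presumably whitespace; since this is YAML, check that the comment's indentation matches the neighbouring `# Card` lines.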
diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md
index 74505ca6ff..9e1c8767f5 100644
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -3,7 +3,7 @@ title: Install apps on your Microsoft Surface Hub
description: Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business.
ms.assetid: 3885CB45-D496-4424-8533-C9E3D0EDFD94
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: install apps, Microsoft Store, Microsoft Store for Business
ms.prod: surface-hub
ms.sitesec: library
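Review bot: the unchanged context line still reads "Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business", with a duplicated "can". Since this file's front matter is already being edited, dropping the second "can" in the description would be a cheap fix to fold into the same change.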
diff --git a/devices/surface-hub/local-management-surface-hub-settings.md b/devices/surface-hub/local-management-surface-hub-settings.md
index 4ffa2a3cbe..652f22390c 100644
--- a/devices/surface-hub/local-management-surface-hub-settings.md
+++ b/devices/surface-hub/local-management-surface-hub-settings.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/08/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index b3a74fc47d..3762de36a4 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Manage settings with an MDM provider (Surface Hub)
description: Microsoft Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.
ms.assetid: 18EB8464-6E22-479D-B0C3-21C4ADD168FE
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: mobile device management, MDM, manage policies
ms.prod: surface-hub
ms.sitesec: library
@@ -18,7 +18,7 @@ ms.localizationpriority: medium
Surface Hub and other Windows 10 devices allow IT administrators to manage settings and policies using a mobile device management (MDM) provider. A built-in management component communicates with the management server, so there is no need to install additional clients on the device. For more information, see [Windows 10 mobile device management](https://msdn.microsoft.com/library/windows/hardware/dn914769.aspx).
-Surface Hub has been validated with Microsoft’s first-party MDM providers:
+Surface Hub has been validated with Microsoft's first-party MDM providers:
- Microsoft Intune standalone
- On-premises MDM with Microsoft Endpoint Configuration Manager
@@ -65,25 +65,25 @@ For more information, see [SurfaceHub configuration service provider](https://ms
| Maintenance hours | MaintenanceHoursSimple/Hours/StartTime MaintenanceHoursSimple/Hours/Duration | Yes | Yes | Yes |
| Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes |
| Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes |
-| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID MOMAgent/WorkspaceKey | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Friendly name for wireless projection | Properties/FriendlyName | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
+| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID MOMAgent/WorkspaceKey | Yes | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager | Yes |
+| Friendly name for wireless projection | Properties/FriendlyName | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Device account, including password rotation | DeviceAccount/*``* See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes |
-| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Set default volume | Properties/DefaultVolume | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Set screen timeout | Properties/ScreenTimeout | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Set session timeout | Properties/SessionTimeout | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Set sleep timeout | Properties/SleepTimeout | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
+| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set default volume | Properties/DefaultVolume | Yes | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set screen timeout | Properties/ScreenTimeout | Yes | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set session timeout | Properties/SessionTimeout | Yes | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set sleep timeout | Properties/SleepTimeout | Yes | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
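Review bot: the "Meeting information displayed on the welcome screen" row is missing the closing parenthesis of its link, `[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager | Yes |`, so that cell will render as literal text and swallow the following column. Every other row in this hunk ends the link with `)`; this one should too. Separately, all of the rewritten anchors depend on the two example headings having been renamed to "Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager" and "... with Microsoft Intune"; that heading change is not in this hunk, so confirm it lands in the same PR, otherwise all of these links go dead at once.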
@@ -97,12 +97,12 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML\*? |
|--------------------|------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``* See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. . | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
+| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``* See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. . | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
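Review bot: the "Allow location" row carries over the stray "Yes. ." (double period) in the Intune column from the old line. Since the row is rewritten anyway, it should read "Yes." like the rows around it.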
@@ -110,15 +110,15 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML\*? |
|-----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow Windows Defender SmartScreen | Keep this enabled to turn on Windows Defender SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Prevent ignoring Windows Defender SmartScreen warnings for websites | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Prevent ignoring Windows Defender SmartScreen warnings for files | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
+| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow Windows Defender SmartScreen | Keep this enabled to turn on Windows Defender SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Prevent ignoring Windows Defender SmartScreen warnings for websites | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Prevent ignoring Windows Defender SmartScreen warnings for files | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
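Review bot: style point on the rewritten rows: the Intune column reads "Yes [Use a custom policy.](...)" with no period after "Yes", while the Configuration Manager column in the same rows reads "Yes. [Use a custom setting.](...)". Since every one of these cells is being touched, it would be worth making the two columns consistent ("Yes. [Use a custom policy.](...)") in this hunk and the sibling table hunks.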
@@ -126,13 +126,13 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML\*? |
|---------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Defer feature updates | See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Configure device to use WSUS | Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``* See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
+| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Defer feature updates | See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Configure device to use WSUS | Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``* See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
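Review bot: the "Defer feature updates" row keeps the stray space in the CSP path, `[Update/ DeferFeatureUpdatesPeriodInDays](...)`, which is inconsistent with `Update/DeferQualityUpdatesPeriodInDays` on the next row and with the policy name in the link target. Suggest removing the space while this line is being rewritten.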
@@ -140,7 +140,7 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML\*? |
|-------------------|----------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``* See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
+| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``* See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Defender status | Use to initiate a Defender scan, force a Security intelligence update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | Yes | Yes | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -150,8 +150,8 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML\*? |
|------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
| Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes | No | Yes |
-| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
+| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
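Review bot: the anchor rewrite from `#example-intune` / `#example-sccm` to the full heading slugs in this hunk (and the identical rewrite in the four hunks that follow) should be paired with a repo-wide search for the old fragments, since any table row not touched in this change, or any other article deep-linking into these sections, will carry a dead in-page link after the merge. While these cells are being edited, the Intune column reads "Yes [Use a custom policy.]" and the Configuration Manager column reads "Yes. [Use a custom setting.]"; pick one punctuation style for both.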
@@ -180,7 +180,7 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML\*? |
|------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
+| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -188,7 +188,7 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML\*? |
|-------------------|---------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
+| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -196,12 +196,12 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML\*? |
|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
+| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes. [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
### Generate OMA URIs for settings
-You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager.
+You need to use a setting's OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager.
**To generate the OMA URI for any setting in the CSP documentation**
1. In the CSP documentation, identify the root node of the CSP. Generally, this looks like `./Vendor/MSFT/`
@@ -217,15 +217,13 @@ The data type is also stated in the CSP documentation. The most common data type
- bool (Boolean)
-
## Example: Manage Surface Hub settings with Microsoft Intune
You can use Microsoft Intune to manage Surface Hub settings. For custom settings, follow the instructions in [How to configure custom device settings in Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-configure). For **Platform**, select **Windows 10 and later**, and in **Profile type**, select **Device restrictions (Windows 10 Team)**.
-
-## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager
+## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager
Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs.
> [!NOTE]
@@ -238,26 +236,26 @@ Configuration Manager supports managing modern devices that do not require the C
3. On the **General** page of the Create Configuration Item Wizard, specify a name and optional description for the configuration item.
4. Under **Settings for devices managed without the Configuration Manager client**, select **Windows 8.1 and Windows 10**, and then click **Next**.
- 
+ 
5. On the **Supported Platforms** page, expand **Windows 10** and select **All Windows 10 Team and higher**. Unselect the other Windows platforms, and then click **Next**.
- 
+ 
7. On the **Device Settings** page, under **Device settings groups**, select **Windows 10 Team**.
8. On the **Windows 10 Team** page, configure the settings you require.
- 
+ 
9. You'll need to create custom settings to manage settings that are not available in the Windows 10 Team page. On the **Device Settings** page, select the check box **Configure additional settings that are not in the default setting groups**.
- 
+ 
10. On the **Additional Settings** page, click **Add**.
11. In the **Browse Settings** dialog, click **Create Setting**.
12. In the **Create Setting** dialog, under the **General** tab, specify a name and optional description for the custom setting.
13. Under **Setting type**, select **OMA URI**.
14. Complete the form to create a new setting, and then click **OK**.
- 
+ 
15. On the **Browse Settings** dialog, under **Available settings**, select the new setting you created, and then click **Select**.
16. On the **Create Rule** dialog, complete the form to specify a rule for the setting, and then click **OK**.
17. Repeat steps 9 to 15 for each custom setting you want to add to the configuration item.
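Review bot: the numbered procedure in this hunk jumps from step 5 (the **Supported Platforms** page) to step 7 (the **Device Settings** page), so either a step was dropped or the list needs renumbering, and the closing instruction "Repeat steps 9 to 15 for each custom setting" should be re-checked against the final numbering (as written the range starts at the check box step and stops before the **Create Rule** step, which is also per setting, so "10 to 16" may be what is meant). Separately, the `+` lines that replace the screenshot lines appear to contain only whitespace; confirm the image references survived the edit rather than being blanked.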
diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md
index a5d76ff156..b217ccee4d 100644
--- a/devices/surface-hub/manage-surface-hub-settings.md
+++ b/devices/surface-hub/manage-surface-hub-settings.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md
index 4ad681ff5f..10240a192f 100644
--- a/devices/surface-hub/manage-surface-hub.md
+++ b/devices/surface-hub/manage-surface-hub.md
@@ -3,7 +3,7 @@ title: Manage Microsoft Surface Hub
description: How to manage your Surface Hub after finishing the first-run program.
ms.assetid: FDB6182C-1211-4A92-A930-6C106BCD5DC1
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: manage Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index 2dc9f71874..9dee3e2a4b 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Manage Windows updates on Surface Hub
description: You can manage Windows updates on your Microsoft Surface Hub or Surface Hub 2S by setting the maintenance window, deferring updates, or using Windows Server Update Services (WSUS).
ms.assetid: A737BD50-2D36-4DE5-A604-55053D549045
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: manage Windows updates, Surface Hub, Windows Server Update Services, WSUS
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/miracast-over-infrastructure.md b/devices/surface-hub/miracast-over-infrastructure.md
index 1b09f33999..5ef43af85c 100644
--- a/devices/surface-hub/miracast-over-infrastructure.md
+++ b/devices/surface-hub/miracast-over-infrastructure.md
@@ -6,13 +6,13 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
-ms.date: 06/20/2019
+ms.date: 04/24/2020
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
-# Miracast on existing wireless network or LAN
+# Miracast over infrastructure
In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx).
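Review bot: the H1 changes from "Miracast on existing wireless network or LAN" to "Miracast over infrastructure", but nothing in this hunk updates the front-matter `title:` or `description:` above it, nor the TOC entry, so the browser tab, search snippet and left nav will disagree with the page heading until those are aligned. The `ms.date` bump is appropriate given the content changes in the hunks below.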
@@ -28,7 +28,12 @@ Miracast over Infrastructure offers a number of benefits:
## How it works
-Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
+Users attempt to connect to a Miracast receiver through their Wi-Fi adapter as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
+
+> [!NOTE]
+> For more information on the connection negotiation sequence, see [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx)
+
+
## Enabling Miracast over Infrastructure
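Review bot: the added NOTE sentence ("For more information on the connection negotiation sequence, see ...") has no terminating period, and the two added blank lines before `## Enabling Miracast over Infrastructure` leave a double blank line where the rest of the file uses one. The MS-MICE link in the note also repeats the URL already given in the introduction; "see the MS-MICE specification linked above" would avoid the duplicate, though keeping the link is harmless.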
@@ -36,14 +41,19 @@ Users attempt to connect to a Miracast receiver as they did previously. When the
If you have a Surface Hub or other Windows 10 device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
- The Surface Hub or device (Windows PC or phone) needs to be running Windows 10, version 1703.
+- Open TCP port: **7250**.
- A Surface Hub or Windows PC can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
- As a Miracast receiver, the Surface Hub or device must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Surface Hub or device is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
- As a Miracast source, the Windows PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
- The DNS Hostname (device name) of the Surface Hub or device needs to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname.
- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
-- On Windows 10 PCs, the **Projecting to this PC** feature must be enabled within System Settings, and the device must have a Wi-Fi interface enabled in order to respond to discovery requests.
+- On Windows 10 PCs, the **Projecting to this PC** feature must be enabled in System Settings, and the device must have a Wi-Fi interface enabled in order to respond to discovery requests that only occur through the Wi-Fi adapter.
It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
The **InBoxApps/WirelessProjection/PinRequired** setting in the [SurfaceHub configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp) is not required for Miracast over Infrastructure. This is because Miracast over Infrastructure only works when both devices are connected to the same enterprise network. This removes the security restriction that was previously missing from Miracast. We recommend that you continue using this setting (if you used it previously) as Miracast will fall back to regular Miracast if the infrastructure connection does not work.
+
+## FAQ
+**Why do I still need Wi-Fi to use Miracast over infrastructure?**
+Discovery requests to identify Miracast receivers can only occur through the Wi-Fi adapter. Once the receivers have been identified, Windows 10 can then attempt the connection to the network.
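Review bot: the new requirement "- Open TCP port: **7250**." says neither on which device nor in which direction the port must be reachable, and it sits between the OS-version bullet and the receiver/source bullets, so it reads as a requirement for every device. The bullets that follow already distinguish the Miracast over Infrastructure receiver (Surface Hub or Windows PC) from the source, and it is the receiver that listens on 7250 per the MS-MICE specification linked above, so the bullet should say that the receiver must accept inbound TCP 7250 from sources on the enterprise network, and that the host-firewall or network ACL rule be scoped to that network rather than opened broadly; a short verification hint (a firewall rule on the receiver, or `Test-NetConnection -ComputerName <hub-hostname> -Port 7250` from a source PC) would save a support call. Two smaller points in the same hunk: the reworded last bullet ("discovery requests that only occur through the Wi-Fi adapter") is awkward and is restated more clearly by the new FAQ answer, so it could simply read "because discovery requests are sent only over the Wi-Fi adapter"; and the unchanged sentence "This removes the security restriction that was previously missing from Miracast" contradicts itself (a restriction cannot be both removed and missing) and is worth fixing while the section is open.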
diff --git a/devices/surface-hub/miracast-troubleshooting.md b/devices/surface-hub/miracast-troubleshooting.md
index eb33f483d6..c4e2ff5b3e 100644
--- a/devices/surface-hub/miracast-troubleshooting.md
+++ b/devices/surface-hub/miracast-troubleshooting.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 06/20/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md
index 262c565327..9828a8a268 100644
--- a/devices/surface-hub/monitor-surface-hub.md
+++ b/devices/surface-hub/monitor-surface-hub.md
@@ -3,7 +3,7 @@ title: Monitor your Microsoft Surface Hub
description: Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS).
ms.assetid: 1D2ED317-DFD9-423D-B525-B16C2B9D6942
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: monitor Surface Hub, Microsoft Operations Management Suite, OMS
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
index 88b0653b00..d35f03b804 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: On-premises deployment single forest (Surface Hub)
description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: single forest deployment, on prem deployment, device account, Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
index f643e4cfe6..170dd03968 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
@@ -8,7 +8,7 @@ author: dansimp
ms.author: dansimp
ms.date: 08/28/2018
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index 0cd6fc5219..30f0e34b1f 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Online deployment with Office 365 (Surface Hub)
description: This topic has instructions for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment.
ms.assetid: D325CA68-A03F-43DF-8520-EACF7C3EDEC1
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: device account for Surface Hub, online deployment
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
index 22e7e1284c..1ef2fcaa46 100644
--- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Password management (Surface Hub)
description: Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device.
ms.assetid: 0FBFB546-05F0-430E-905E-87111046E4B8
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: password, password management, password rotation, device account
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md
index 6d06a9ac69..aeadcb900a 100644
--- a/devices/surface-hub/physically-install-your-surface-hub-device.md
+++ b/devices/surface-hub/physically-install-your-surface-hub-device.md
@@ -3,7 +3,7 @@ title: Physically install Microsoft Surface Hub
description: The Microsoft Surface Hub Readiness Guide will help make sure that your site is ready for the installation.
ms.assetid: C764DBFB-429B-4B29-B4E8-D7F0073BC554
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Surface Hub, readiness guide, installation location, mounting options
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index 198dba4f74..69ca8e6c3e 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Prepare your environment for Microsoft Surface Hub
description: This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Microsoft Surface Hub.
ms.assetid: 336A206C-5893-413E-A270-61BFF3DF7DA9
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: prepare environment, features of Surface Hub, create and test device account, check network availability
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md
index 607c66829e..305403b9dc 100644
--- a/devices/surface-hub/provisioning-packages-for-surface-hub.md
+++ b/devices/surface-hub/provisioning-packages-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Create provisioning packages (Surface Hub)
description: For Windows 10, settings that use the registry or a configuration service provider (CSP) can be configured using provisioning packages.
ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: add certificate, provisioning package
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md
index 7a9acbe0fd..1794a9bcac 100644
--- a/devices/surface-hub/remote-surface-hub-management.md
+++ b/devices/surface-hub/remote-surface-hub-management.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md
index 6bbfd1532a..12e59349d6 100644
--- a/devices/surface-hub/save-bitlocker-key-surface-hub.md
+++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md
@@ -3,7 +3,7 @@ title: Save your BitLocker key (Surface Hub)
description: Every Microsoft Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.
ms.assetid: E11E4AB6-B13E-4ACA-BCE1-4EDC9987E4F2
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Surface Hub, BitLocker, Bitlocker recovery keys
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md
index 96f42c3df1..08ca875984 100644
--- a/devices/surface-hub/set-up-your-surface-hub.md
+++ b/devices/surface-hub/set-up-your-surface-hub.md
@@ -3,7 +3,7 @@ title: Set up Microsoft Surface Hub
description: Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program.
ms.assetid: 4D1722BC-704D-4471-BBBE-D0500B006221
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: set up instructions, Surface Hub, setup worksheet, first-run program
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md
index 6043d88f1d..e7352a5dbe 100644
--- a/devices/surface-hub/setup-worksheet-surface-hub.md
+++ b/devices/surface-hub/setup-worksheet-surface-hub.md
@@ -3,7 +3,7 @@ title: Setup worksheet (Surface Hub)
description: When you've finished pre-setup and are ready to start first-time setup for your Microsoft Surface Hub, make sure you have all the information listed in this section.
ms.assetid: AC6F925B-BADE-48F5-8D53-8B6FFF6EE3EB
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Setup worksheet, pre-setup, first-time setup
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/skype-hybrid-voice.md b/devices/surface-hub/skype-hybrid-voice.md
index c805fb9005..910f2d0129 100644
--- a/devices/surface-hub/skype-hybrid-voice.md
+++ b/devices/surface-hub/skype-hybrid-voice.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/support-solutions-surface-hub.md b/devices/surface-hub/support-solutions-surface-hub.md
index b683f85daf..9de0b753f9 100644
--- a/devices/surface-hub/support-solutions-surface-hub.md
+++ b/devices/surface-hub/support-solutions-surface-hub.md
@@ -3,7 +3,7 @@ title: Top support solutions for Microsoft Surface Hub
description: Find top solutions for common issues using Surface Hub.
ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Troubleshoot common problems, setup issues
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-2s-account.md b/devices/surface-hub/surface-hub-2s-account.md
index fb93b0e7d9..27c7053045 100644
--- a/devices/surface-hub/surface-hub-2s-account.md
+++ b/devices/surface-hub/surface-hub-2s-account.md
@@ -1,6 +1,6 @@
---
-title: "Create Surface Hub 2S device account"
-description: "This page describes the procedure for creating the Surface Hub 2S device account."
+title: Create Surface Hub 2S device account
+description: This page describes the procedure for creating the Surface Hub 2S device account.
keywords: separate values with commas
ms.prod: surface-hub
ms.sitesec: library
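Review bot: the `keywords: separate values with commas` line in the unchanged context is the template placeholder, not real keywords; since this hunk is already cleaning up the front matter (dropping the quotes around `title:` and `description:`), replace it with actual terms (for example `Surface Hub 2S, device account, room mailbox`) or remove the field.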
@@ -15,15 +15,18 @@ ms.localizationpriority: Medium
# Create Surface Hub 2S device account
-Creating a Surface Hub device account (also known as a Room mailbox) allows Surface Hub 2S to receive, approve, or decline meeting requests and join meetings using Microsoft Teams or Skype for Business. Configure the device account during OOBE setup. If needed you can change it later (without going through OOBE setup).
+Creating a Surface Hub device account (also known as a Room mailbox) allows Surface Hub 2S to receive, approve, or decline meeting requests and join meetings using either Microsoft Teams or Skype for Business. Configure the device account during Out-of-Box Experience (OOBE) setup. If needed, you can change it later (without going through OOBE setup).
Unlike standard Room mailboxes that remain disabled by default, you need to enable the Surface Hub 2S device account to sign on to Microsoft Teams and Skype for Business. Surface Hub 2S relies on Exchange ActiveSync, which requires an ActiveSync mailbox policy on the device account. Apply the default ActiveSync mailbox policy that comes with Exchange Online.
-Create the account using the Microsoft 365 admin center or by using PowerShell. You can use Exchange Online PowerShell to configure specific features including:
+Create the account by using the Microsoft 365 admin center or by using PowerShell. You can use Exchange Online PowerShell to configure specific features including:
- Calendar processing for every Surface Hub device account.
- Custom auto replies to scheduling requests.
-- If the default ActiveSync mailbox policy has already been modified by someone else or another process, you will likely have to create and assign a new ActiveSync mailbox policy
+- If the default ActiveSync mailbox policy has already been modified by someone else or by another process, you will likely have to create and assign a new ActiveSync mailbox policy.
+
+> [!NOTE]
+> The Surface Hub device account doesn’t support third-party Federated Identity Providers (FIPs) and must be a standard Active Directory or Azure Active Directory account.
## Create account using Microsoft 365 admin center
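Review bot: the third bullet in the list of features configurable with Exchange Online PowerShell ("If the default ActiveSync mailbox policy has already been modified ...") is a conditional instruction, not a feature, and the edit in this hunk only adds "by" and a period; it belongs in the paragraph above, next to "Apply the default ActiveSync mailbox policy that comes with Exchange Online." The new NOTE uses a curly apostrophe ("doesn’t") while an earlier hunk in this change normalizes apostrophes to straight quotes; keep one convention. "Federated Identity Providers (FIPs)" is also a non-standard abbreviation; spelling it out, or using the common "IdPs", reads better.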
@@ -31,17 +34,17 @@ Create the account using the Microsoft 365 admin center or by using PowerShell.
2. Provide a name and email address for the device account. Leave remaining settings unchanged in the default state.
-
+ 
-
+ 
3. Set the password for the device account. To set the password, choose **Users** and then select **Active Users**. Now search for the newly created user to set the password. Ensure that you **do not** select the option **Make this user change their password when they first sign in.**
-
+ 
4. Assign the room with an Office 365 license. It’s recommended to assign the Office 365 **Meeting Room** license, a new option that automatically enables the account for Skype for Business Online and Microsoft Teams.
-
+ 
### Finalize setup via PowerShell
@@ -50,6 +53,7 @@ Create the account using the Microsoft 365 admin center or by using PowerShell.
- **Microsoft Teams and Skype for Business Calendar:** Set [**Calendar Auto processing**](https://docs.microsoft.com/surface-hub/surface-hub-2s-account?source=docs#set-calendar-auto-processing) for this account.
## Create account using PowerShell
+
Instead of using the Microsoft Admin Center portal, you can create the account using PowerShell.
### Connect to Exchange Online PowerShell
@@ -59,13 +63,13 @@ $365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri
$ImportResults = Import-PSSession $365Session
```
-### Create a new Room Mailbox
+### Create a new Room mailbox
```powershell
New-Mailbox -MicrosoftOnlineServicesID account@YourDomain.com -Alias SurfaceHub2S -Name SurfaceHub2S -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String "" -AsPlainText -Force)
```
-### Set Calendar Auto processing
+### Set Calendar auto-processing
```powershell
Set-CalendarProcessing -Identity "account@YourDomain.com" -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false -AddAdditionalResponse $true -AdditionalResponse "This room is equipped with a Surface Hub"
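Review bot: in the `New-Mailbox` line under the retitled "Create a new Room mailbox" heading, `-RoomMailboxPassword (ConvertTo-SecureString -String "" -AsPlainText -Force)` passes an empty string, which reads like a placeholder that lost its value; make it an obvious placeholder or, better, read it with `Read-Host -AsSecureString` so the device-account password never sits in the command line, shell history or a copied script. In the `Set-CalendarProcessing` line, `–AllowConflicts` and `–DeleteComments` use an en dash while the other parameters use an ASCII hyphen; normalize to `-` for consistency and for readers who paste the command into stricter tooling.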
@@ -81,7 +85,7 @@ Set-MsolUserLicense -UserPrincipalName "account@YourDomain.com" -AddLicenses "co
## Connect to Skype for Business Online using PowerShell
-### Install prerequisites
+### Install pre-requisites
- [Visual C++ 2017 Redistributable](https://aka.ms/vs/15/release/vc_redist.x64.exe)
- [Skype for Business Online PowerShell Module](https://www.microsoft.com/download/confirmation.aspx?id=39366)
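Review bot: the heading change "Install prerequisites" → "Install pre-requisites" is a regression; "prerequisites" is the standard spelling and the form used elsewhere in these docs, so this hunk should be reverted.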
diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md
index 7493e10c3c..44912c169c 100644
--- a/devices/surface-hub/surface-hub-2s-recover-reset.md
+++ b/devices/surface-hub/surface-hub-2s-recover-reset.md
@@ -60,16 +60,6 @@ Using Surface Hub 2S, you can reinstall the device by using a recovery image. By
When the first-time setup screen appears,remove the USB drive.
-## Recover a locked Surface Hub
-
-At the end of a session, Surface Hub 2S may occasionally encounter an error during the cleanup of user and app data at the end of a session. If this occurs, the device automatically reboots and resumes the data cleanup. However, if this operation repeatedly fails, the device automatically locks to protect user data.
-
-**To unlock a Surface Hub 2S:**
-- Reset or recover the device from the Windows Recovery Environment. For more information, see [What is Windows RE?](https://technet.microsoft.com/library/cc765966.aspx)
-
-> [!NOTE]
-> To enter recovery mode, unplug the power cord and plug it in again three times.
-
## Contact Support
If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).
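Review bot: deleting the "Recover a locked Surface Hub" section removes the only documented recovery path for a device that has locked itself after repeated failures to clean up user and app data (reset or recover from Windows RE, and the three-cycle power-cord sequence to enter recovery mode), and nothing in the hunk points to where that guidance now lives. If the behaviour no longer applies to Surface Hub 2S, say so in the commit message; otherwise move the text rather than drop it, since a locked device is exactly when an admin needs it. The retained context line `When the first-time setup screen appears,remove the USB drive.` is also missing a space after the comma.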
diff --git a/devices/surface-hub/surface-hub-authenticator-app.md b/devices/surface-hub/surface-hub-authenticator-app.md
index 9ad0606641..80c7dbefd1 100644
--- a/devices/surface-hub/surface-hub-authenticator-app.md
+++ b/devices/surface-hub/surface-hub-authenticator-app.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 08/28/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
localizationpriority: medium
---
diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md
index 5e5073588a..79ff342ba9 100644
--- a/devices/surface-hub/surface-hub-downloads.md
+++ b/devices/surface-hub/surface-hub-downloads.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 08/22/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/surface-hub-qos.md b/devices/surface-hub/surface-hub-qos.md
index 105a188ae1..aa1b746b8d 100644
--- a/devices/surface-hub/surface-hub-qos.md
+++ b/devices/surface-hub/surface-hub-qos.md
@@ -1,7 +1,7 @@
---
title: Implement Quality of Service on Surface Hub
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Learn how to configure QoS on Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-recovery-tool.md b/devices/surface-hub/surface-hub-recovery-tool.md
index 75feb89fc2..2db5f9706e 100644
--- a/devices/surface-hub/surface-hub-recovery-tool.md
+++ b/devices/surface-hub/surface-hub-recovery-tool.md
@@ -3,7 +3,7 @@ title: Using the Surface Hub Recovery Tool
description: How to use the Surface Hub Recovery Tool to re-image the SSD.
ms.assetid: FDB6182C-1211-4A92-A930-6C106BCD5DC1
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: manage Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-security.md b/devices/surface-hub/surface-hub-security.md
index 4dc2b7518e..faee5ad929 100644
--- a/devices/surface-hub/surface-hub-security.md
+++ b/devices/surface-hub/surface-hub-security.md
@@ -5,7 +5,7 @@ keywords: separate values with commas
ms.prod: surface-hub
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
manager: laurawi
audience: Admin
ms.topic: article
diff --git a/devices/surface-hub/surface-hub-ssd-replacement.md b/devices/surface-hub/surface-hub-ssd-replacement.md
index 7896a7d634..12f256388d 100644
--- a/devices/surface-hub/surface-hub-ssd-replacement.md
+++ b/devices/surface-hub/surface-hub-ssd-replacement.md
@@ -1,7 +1,7 @@
---
title: Surface Hub SSD replacement
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Learn how to replace the solid state drive in a Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-technical-55.md b/devices/surface-hub/surface-hub-technical-55.md
index 6abc46e411..209e77df4c 100644
--- a/devices/surface-hub/surface-hub-technical-55.md
+++ b/devices/surface-hub/surface-hub-technical-55.md
@@ -1,7 +1,7 @@
---
title: Technical information for 55" Surface Hub
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Specifications for the 55" Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-technical-84.md b/devices/surface-hub/surface-hub-technical-84.md
index 0ba7d45aa1..837883da14 100644
--- a/devices/surface-hub/surface-hub-technical-84.md
+++ b/devices/surface-hub/surface-hub-technical-84.md
@@ -1,7 +1,7 @@
---
title: Technical information for 84" Surface Hub
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Specifications for the 84" Surface Hub
ms.prod: surface-hub
ms.sitesec: library
@@ -134,7 +134,7 @@ RJ11, bottom I/O |  | Connects to room control systems.
---
-***Removable lifting handles on 84” Surface Hub ***
+***Removable lifting handles on 84” Surface Hub***

@@ -142,7 +142,7 @@ RJ11, bottom I/O |  | Connects to room control systems.
---
-***Wall mount threads on back of 84” Surface Hub ***
+***Wall mount threads on back of 84” Surface Hub***

diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md
index f4616cd18b..673c77e71c 100644
--- a/devices/surface-hub/surface-hub-update-history.md
+++ b/devices/surface-hub/surface-hub-update-history.md
@@ -37,7 +37,7 @@ This update is specific to the Surface Hub 2S and provides the driver and firmwa
* Improves system stability.
* Surface System driver - 1.7.139.0
* Improves system stability.
-* Surface SMC Firmware update - 1.173.139.0
+* Surface SMC Firmware update - 1.176.139.0
* Improves system stability.
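Review bot: the SMC firmware version at the changed bullet moves from 1.173.139.0 to 1.176.139.0 with no other change to the entry and no note explaining the correction; confirm the new number against the published update package before merging, because administrators compare this value with what the device reports to decide whether firmware is current.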
diff --git a/devices/surface-hub/surface-hub-wifi-direct.md b/devices/surface-hub/surface-hub-wifi-direct.md
index 8d94858bfa..fc1ada3230 100644
--- a/devices/surface-hub/surface-hub-wifi-direct.md
+++ b/devices/surface-hub/surface-hub-wifi-direct.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 11/27/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md
index 0626c4a0d7..4c324d33ce 100644
--- a/devices/surface-hub/surfacehub-whats-new-1703.md
+++ b/devices/surface-hub/surfacehub-whats-new-1703.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 01/18/2018
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index cf02da1a6e..4a30281eff 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -3,7 +3,7 @@ title: Troubleshoot Microsoft Surface Hub
description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Troubleshoot common problems, setup issues, Exchange ActiveSync errors
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
index 33233a023b..cf9f2b6339 100644
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@@ -7,7 +7,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index cbc437e783..1ec1e19ab5 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -3,7 +3,7 @@ title: Using a room control system (Surface Hub)
description: Room control systems can be used with your Microsoft Surface Hub.
ms.assetid: DC365002-6B35-45C5-A2B8-3E1EB0CB8B50
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: room control system, Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md
index 416610d656..a1e05d92b5 100644
--- a/devices/surface-hub/whiteboard-collaboration.md
+++ b/devices/surface-hub/whiteboard-collaboration.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 03/18/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md
index 0a314fe596..96162edafe 100644
--- a/devices/surface-hub/wireless-network-management-for-surface-hub.md
+++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Wireless network management (Surface Hub)
description: Microsoft Surface Hub offers two options for network connectivity to your corporate network and Internet wireless, and wired. While both provide network access, we recommend you use a wired connection.
ms.assetid: D2CFB90B-FBAA-4532-B658-9AA33CAEA31D
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: network connectivity, wired connection
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index 7245176edd..bc2ee2a9fa 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -4,6 +4,9 @@
## Overview
+### [What's new in Surface Dock 2](surface-dock-whats-new.md)
+### [Surface Book 3 GPU technical overview](surface-book-GPU-overview.md)
+### [Surface Book 3 Quadro RTX 3000 technical overview](surface-book-quadro.md)
### [Surface Pro 7 for Business](https://www.microsoft.com/surface/business/surface-pro-7)
### [Surface Pro X for Business](https://www.microsoft.com/surface/business/surface-pro-x)
### [Surface Laptop 3 for Business](https://www.microsoft.com/surface/business/surface-laptop-3)
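Review bot: the new entry `surface-book-GPU-overview.md` uses mixed case while every other filename in this TOC, including its sibling `surface-book-quadro.md` added in the same hunk, is lowercase-hyphenated; rename it to lowercase so the link resolves on case-sensitive hosts and follows the set's convention.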
@@ -26,21 +29,21 @@
### [Deploy Surface devices](deploy.md)
### [Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md)
+### [Windows Virtual Desktop on Surface](windows-virtual-desktop-surface.md)
### [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
### [Surface Pro X app compatibility](surface-pro-arm-app-performance.md)
### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
-### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
### [Enable the Surface Laptop keyboard during MDT deployment](enable-surface-keyboard-for-windows-pe-deployment.md)
### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)
### [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)
-### [Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md)
### [Surface System SKU reference](surface-system-sku-reference.md)
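Review bot: the two entries removed here (`step-by-step-surface-deployment-accelerator.md` and `using-the-sda-deployment-share.md`) disappear from the TOC, but this hunk shows neither the files being deleted nor redirects for them; an orphaned page stays live at its URL and keeps turning up in search. Either remove the files with redirects in the same PR or keep the entries.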
## Manage
### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
+### [Manage Surface driver updates in Configuration Manager](manage-surface-driver-updates-configuration-manager.md)
### [Optimize Wi-Fi connectivity for Surface devices](surface-wireless-connect.md)
### [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md)
### [Surface Dock Firmware Update](surface-dock-firmware-update.md)
@@ -48,16 +51,18 @@
### [Surface Brightness Control](microsoft-surface-brightness-control.md)
### [Surface Asset Tag](assettag.md)
-
## Secure
+
### [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md)
### [Manage Surface UEFI settings](manage-surface-uefi-settings.md)
### [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)
### [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
+### [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md)
### [Use Microsoft Endpoint Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
### [Surface Data Eraser](microsoft-surface-data-eraser.md)
+### [Surface DMA Protection](dma-protect.md)
## Troubleshoot
### [Top support solutions for Surface devices](support-solutions-surface.md)
diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
index 2ab8b6b45b..4abd9e0c86 100644
--- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
+++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
@@ -3,7 +3,7 @@ title: Advanced UEFI security features for Surface Pro 3 (Surface)
description: This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.
ms.assetid: 90F790C0-E5FC-4482-AD71-60589E3C9C93
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: security, features, configure, hardware, device, custom, script, update
ms.localizationpriority: medium
ms.prod: w10
@@ -11,7 +11,7 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
---
diff --git a/devices/surface/assettag.md b/devices/surface/assettag.md
index 21d5947ce2..6d9533bb52 100644
--- a/devices/surface/assettag.md
+++ b/devices/surface/assettag.md
@@ -6,10 +6,10 @@ ms.mktglfcycl: manage
ms.localizationpriority: medium
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
---
# Surface Asset Tag Tool
diff --git a/devices/surface/battery-limit.md b/devices/surface/battery-limit.md
index 8866b5c37b..0da0c326e7 100644
--- a/devices/surface/battery-limit.md
+++ b/devices/surface/battery-limit.md
@@ -6,12 +6,13 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
-ms.reviewer:
-manager: dansimp
-ms.author: v-jokai
+ms.reviewer: jesko
+ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
-ms.audience: itpro
+manager: laurawi
+audience: itpro
+ms.date: 5/06/2020
---
# Battery Limit setting
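Review bot: `ms.date: 5/06/2020` does not use the zero-padded MM/DD/YYYY form used elsewhere in this PR (`ms.date: 04/24/2020` in deploy-windows-10-to-surface-devices-with-mdt.md); and renaming the key from `ms.audience: itpro` to `audience: itpro` is inconsistent with the other Surface files touched in this diff, which keep `ms.audience: itpro`. Pick one key across the set, or the metadata filters will split these pages.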
@@ -32,6 +33,11 @@ The Surface UEFI Battery Limit setting can be configured by booting into Surface

+## Enabling battery limit on Surface Go and Surface Go 2
+The Surface Battery Limit setting can be configured by booting into Surface UEFI (**Power + Vol Up** when turning on the device). Choose **boot configuration**, and then, under **Kiosk Mode**, move the slider to the right to set Battery Limit to **Enabled**.
+
+
+
## Enabling Battery Limit in Surface UEFI (Surface Pro 3)
The Surface UEFI Battery Limit setting can be configured by booting into Surface UEFI (**Power + Vol Up** when turning on the device). Choose **Kiosk Mode**, select **Battery Limit**, and then choose **Enabled**.
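Review bot: the new Surface Go section gives a different UEFI path (**boot configuration**, then a slider under **Kiosk Mode**) from the Surface Pro 3 section directly below it (**Kiosk Mode**, then **Battery Limit**, then **Enabled**) while repeating the same key-combination sentence word for word; if the path really differs per model, say so explicitly instead of leaving two near-identical paragraphs for the reader to diff. The heading case is also inconsistent (`battery limit` here versus `Battery Limit` in the Pro 3 heading), and the three blank lines after the paragraph look like a missing image reference.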
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index c3a2ef2f31..b1aed6e997 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -1,13 +1,13 @@
---
title: Change history for Surface documentation (Windows 10)
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: This topic lists new and updated topics in the Surface documentation library.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
index 5aac305c5a..e8ce13b98d 100644
--- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
+++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
@@ -7,12 +7,12 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Considerations for Surface and Microsoft Endpoint Configuration Manager
diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md
index bd26347d6a..cb492c2620 100644
--- a/devices/surface/customize-the-oobe-for-surface-deployments.md
+++ b/devices/surface/customize-the-oobe-for-surface-deployments.md
@@ -3,7 +3,7 @@ title: Customize the OOBE for Surface deployments (Surface)
description: This article will walk you through the process of customizing the Surface out-of-box experience for end users in your organization.
ms.assetid: F6910315-9FA9-4297-8FA8-2C284A4B1D87
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: deploy, customize, automate, network, Pen, pair, boot
ms.localizationpriority: medium
ms.prod: w10
@@ -11,7 +11,7 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.audience: itpro
---
diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
index 4b24dd9589..fc2956ead6 100644
--- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md
+++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
@@ -7,12 +7,12 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, store
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Deploy Surface app with Microsoft Store for Business and Education
diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
index e1debff872..bb8e62fb6b 100644
--- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
+++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
@@ -7,12 +7,13 @@ ms.mktglfcycl: deploy
ms.pagetype: surface
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.reviewer:
-manager: dansimp
+manager: laurawi
+ms.date: 04/24/2020
---
# Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit
@@ -27,779 +28,8 @@ manager: dansimp
- Surface 3
- Windows 10
-This article walks you through the recommended process to deploy Windows 10 to Surface devices with Microsoft deployment technologies. The process described in this article yields a complete Windows 10 environment including updated firmware and drivers for your Surface device along with applications like Microsoft Office 365 and the Surface app.
-
> [!NOTE]
-> MDT is not currently supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
-
-When the process is complete, the Surface device will be ready for use by the end user. You can customize this process to include your own applications and configuration to meet the needs of your organization. You can also follow the guidance provided in this article to integrate deployment to Surface devices into existing deployment strategies.
-
-By following the procedures in this article, you can create an up-to-date reference image and deploy this image to your Surface devices, a process known as *reimaging*. Reimaging will erase and overwrite the existing environment on your Surface devices. This process allows you to rapidly configure your Surface devices with identical environments that can be configured to precisely fit your organization’s requirements.
-
-An alternative to the reimaging process is an upgrade process. The upgrade process is non-destructive and instead of erasing the existing environment on your Surface device, it allows you to install Windows 10 while retaining your user data, applications, and settings. You can read about how to manage and automate the upgrade process of Surface devices to Windows 10 at [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md).
-
-The goal of the deployment process presented in this article is automation. By leveraging the many technologies and tools available from Microsoft, you can create a process that requires only a single touch on the devices being deployed. The automation can load the deployment environment; format the device; prepare an updated Windows image with the drivers required for the device; apply that image to the device; configure the Windows environment with licensing, membership in a domain, and user accounts; install applications; apply any Windows updates that were not included in the reference image; and log out.
-
-By automating each aspect of the deployment process, you not only greatly decrease the effort involved, but you create a process that can be easily repeated and where human error becomes less of a factor. Take for example a scenario where you create a reference image for the device manually, but you accidentally install conflicting applications and cause the image to become unstable. In this scenario you have no choice but to begin again the manual process of creating your image. If in this same scenario you had automated the reference image creation process, you could repair the conflict by simply editing a step in the task sequence and then re-running the task sequence.
-
-## Deployment tools
-
-The deployment process described in this article leverages a number of Microsoft deployment tools and technologies. Some of these tools and technologies are included in Windows client and Windows Server, such as Hyper-V and Windows Deployment Services (WDS), while others are available as free downloads from the [Microsoft Download Center](https://www.microsoft.com/download/windows.aspx).
-
-#### Microsoft Deployment Toolkit
-
-The Microsoft Deployment Toolkit (MDT) is the primary component of a Windows deployment. It serves as a unified interface for most of the Microsoft deployment tools and technologies, such as the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), User State Migration Tool (USMT), and many other tools and technologies. Each of these is discussed throughout this article. The unified interface, called the *Deployment Workbench*, facilitates automation of the deployment process through a series of stored deployment procedures, known as a *task sequence*. Along with these task sequences and the many scripts and tools that MDT provides, the resources for a Windows deployment (driver files, application installation files, and image files) are stored in a network share known as the *deployment share*.
-
-You can download and find out more about MDT at [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741).
-
-#### Windows Assessment and Deployment Kit
-
-Although MDT is the tool you will interact with most during the deployment process, the deployment tools found in the Windows ADK perform most of the deployment tasks during the deployment process. The resources for deployment are held within the MDT deployment share, but it is the collection of tools included in Windows ADK that access the image files, stage drivers and Windows updates, run the deployment experience, provide instructions to Windows Setup, and back up and restore user data.
-
-You can download and find out more about the Windows ADK at [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#windowsadk).
-
-#### Windows 10 installation media
-
-Before you can perform a deployment with MDT, you must first supply a set of operating system installation files and an operating system image. These files and image can be found on the physical installation media (DVD) for Windows 10. You can also find these files in the disk image (ISO file) for Windows 10, which you can download from the [Volume Licensing Service Center (VLSC)](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
-
-
->[!NOTE]
->The installation media generated from the [Get Windows 10](https://www.microsoft.com/software-download/windows10/) page differs from physical media or media downloaded from the VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging (WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the Get Windows 10 page cannot be used for Windows deployment with MDT.
-
-
-#### Windows Server
-
-Although MDT can be installed on a Windows client, to take full advantage of Windows Deployment Services’ ability to network boot, a full Windows Server environment is recommended. To provide network boot for UEFI devices like Surface with WDS, you will need Windows Server 2008 R2 or later.
-
-
->[!NOTE]
->To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the upcoming release of Windows Server 2016, you can download evaluation and preview versions from the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter).
-
-
-#### Windows Deployment Services
-
-Windows Deployment Services (WDS) is leveraged to facilitate network boot capabilities provided by the Preboot Execution Environment (PXE) server. The boot media generated by MDT is loaded onto the Surface device simply by pressing Enter at the prompt when the device attempts to boot from the attached network adapter or Surface Dock.
-
-#### Hyper-V virtualization platform
-
-The process of creating a reference image should always be performed in a virtual environment. When you use a virtual machine as the platform to build your reference image, you eliminate the need for installation of additional drivers. The drivers for a Hyper-V virtual machine are included by default in the factory Windows 10 image. When you avoid the installation of additional drivers – especially complex drivers that include application components like control panel applications – you ensure that the image created by your reference image process will be as universally compatible as possible.
-
->[!NOTE]
->A Generation 1 virtual machine is recommended for the preparation of a reference image in a Hyper-V virtual environment.
-
-Because customizations are performed by MDT at the time of deployment, the goal of reference image creation is not to perform customization but to increase performance during deployment by reducing the number of actions that need to occur on each deployed device. The biggest action that can slow down an MDT deployment is the installation of Windows updates. When MDT performs this step during the deployment process, it downloads the updates on each deployed device and installs them. By installing Windows updates in your reference image, the updates are already installed when the image is deployed to the device and the MDT update process only needs to install updates that are new since the image was created or are applicable to products other than Windows (for example, Microsoft Office updates).
-
-
->[!NOTE]
->Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions of Windows 8, Windows 8.1, and Windows 10. Find out more at [Client Hyper-V on Windows 10](https://msdn.microsoft.com/virtualization/hyperv_on_windows/windows_welcome) and [Client Hyper-V on Windows 8 and Windows 8.1](https://technet.microsoft.com/library/hh857623) in the TechNet Library. Hyper-V is also available as a standalone product, Microsoft Hyper-V Server, at no cost. You can download [Microsoft Hyper-V Server 2012 R2](https://www.microsoft.com/evalcenter/evaluate-hyper-v-server-2012-r2) or [Microsoft Hyper-V Server 2016 Technical Preview](https://www.microsoft.com/evalcenter/evaluate-hyper-v-server-technical-preview) from the TechNet Evaluation Center.
-
-
-#### Surface firmware and drivers
-
-For your deployed Windows environment to function correctly on your Surface devices, you will need to install the drivers used by Windows to communicate with the components of your device. These drivers are available for download in the Microsoft Download Center for each Surface device. You can find the correct Microsoft Download Center page for your device at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
-
-When you browse to the specific Microsoft Download Center page for your device, you will find a Windows Installer (.msi) file. This file is used to update drivers on devices that are already running Windows or that have device management solutions. Firmware updates maintain the instructions used by the device hardware to communicate between components and Windows. The firmware of Surface device components is updated by installation of specific driver files and thus is installed along with the other drivers during deployment. For more information, see [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates).
-
->[!NOTE]
->Beginning in Windows 10, the drivers for Surface devices are included in the Windows Preinstallation Environment (WinPE). In earlier versions of Windows, specific drivers (like network drivers) had to be imported and configured in MDT for use in WinPE to successfully deploy to Surface devices.
-
-#### Application installation files
-
-In addition to the drivers that are used by Windows to communicate with the Surface device’s hardware and components, you will also need to provide the installation files for any applications that you want to install on your deployed Surface devices. To automate the deployment of an application, you will also need to determine the command-line instructions for that application to perform a silent installation. In this article, the Surface app and Microsoft Office 365 will be installed as examples of application installation. The application installation process can be used with any application with installation files that can be launched from command line.
-
->[!NOTE]
->If the application files for your application are stored on your organization’s network and will be accessible from your Surface devices during the deployment process, you can deploy that application directly from that network location. To use installation files from a network location, use the **Install Application Without Source Files or Elsewhere on the Network** option in the MDT New Application Wizard, which is described in the [Import applications](#import-applications) section later in this article.
-
-#### Microsoft Surface Deployment Accelerator
-
-If you want to deploy only to Surface devices or you want an accelerated method to perform deployment to Surface devices, you can use the Microsoft Surface Deployment Accelerator to generate an MDT deployment share complete with Surface device drivers, Surface apps, and pre-configured task sequences to create a reference image and perform deployment to Surface devices. Microsoft Surface Deployment Accelerator can automatically import boot images into WDS and prepare WDS for network boot (PXE). You can download the Microsoft Surface Deployment Accelerator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
-
-### Install the deployment tools
-
-Before you can configure the deployment environment with Windows images, drivers, and applications, you must first install the deployment tools that will be used throughout the deployment process. The three main tools to be installed are WDS, Windows ADK, and MDT. WDS provides the capacity for network boot, Windows ADK provides several deployment tools that perform specific deployment tasks, and MDT provides automation and a central interface from which to manage and control the deployment process.
-
-To boot from the network with either your reference virtual machines or your Surface devices, your deployment environment must include a Windows Server environment. The Windows Server environment is required to install WDS and the WDS PXE server. Without PXE support, you will be required to create physical boot media, such as a USB stick to perform your deployment – MDT and Windows ADK will still be required, but Windows Server is not required. Both MDT and Windows ADK can be installed on a Windows client and perform a Windows deployment.
-
->[!NOTE]
->To download deployment tools directly to Windows Server, you must disable [Internet Explorer Enhanced Security Configuration](https://technet.microsoft.com/library/dd883248). On Windows Server 2012 R2, this can be performed directly through the **Server Manager** option on the **Local Server** tab. In the **Properties** section, **IE Enhanced Security Configuration** can be found on the right side. You may also need to enable the **File Download** option for the **Internet** zone through the **Security** tab of **Internet Options**.
-
-#### Install Windows Deployment Services
-
-Windows Deployment Services (WDS) is a Windows Server role. To add the WDS role to a Windows Server 2012 R2 environment, use the Add Roles and Features Wizard, as shown in Figure 1. Start the Add Roles and Features Wizard from the **Manage** button of **Server Manager**. Install both the Deployment Server and Transport Server role services.
-
-
-
-*Figure 1. Install the Windows Deployment Services server role*
-
-After the WDS role is installed, you need to configure WDS. You can begin the configuration process from the WDS node of Server Manager by right-clicking your server’s name and then clicking **Windows Deployment Services Management Console**. In the **Windows Deployment Services** window, expand the **Servers** node to find your server, right-click your server, and then click **Configure** in the menu to start the Windows Deployment Services Configuration Wizard, as shown in Figure 2.
-
-
-
-*Figure 2. Configure PXE response for Windows Deployment Services*
-
->[!NOTE]
->Before you configure WDS make sure you have a local NTFS volume that is not your system drive (C:) available for use with WDS. This volume is used to store WDS boot images, deployment images, and configuration.
-
-Using the Windows Deployment Services Configuration Wizard, configure WDS to fit the needs of your organization. You can find detailed instructions for the installation and configuration of WDS at [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426). On the **PXE Server Initial Settings** page, be sure to configure WDS so that it will respond to your Surface devices when they attempt to boot from the network. If you have already installed WDS or need to change your PXE server response settings, you can do so on the **PXE Response** tab of the **Properties** of your server in the Windows Deployment Services Management Console.
-
->[!NOTE]
->You will add boot images to WDS when you update your boot images in MDT. You do not need to add boot images or Windows images to WDS when you configure the role.
-
-#### Install Windows Assessment and Deployment Kit
-
-To install Windows ADK, run the Adksetup.exe file that you downloaded from [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#adkwin10). Windows ADK must be installed before MDT. You should always download and use the most recent version of Windows ADK. A new version is usually released corresponding with each new version of Windows.
-
->[!NOTE]
->You can also use the Adksetup.exe file to download the Windows ADK installation files locally for use on other devices.
-
-When you get to the **Select the features you want to install** page, you only need to select the **Deployment Tools** and **Windows Preinstallation Environment (Windows PE)** check boxes to deploy Windows 10 using MDT, as shown in Figure 3.
-
-
-
-*Figure 3. Only Deployment Tools and Windows PE options are required for deployment with MDT*
-
-#### Install Microsoft Deployment Toolkit
-
-After the Windows ADK installation completes successfully, you can install MDT. When you download MDT, ensure that you download the version that matches the architecture of your deployment server environment. For Windows Server the architecture is 64-bit. Download the MDT installation file that ends in **x64**. When MDT is installed you can use the default options during the installation wizard, as shown in Figure 4.
-
-
-
-*Figure 4. Install the Microsoft Deployment Toolkit with default options*
-
-Before you can open the MDT Deployment Workbench, you must enable execution of scripts in PowerShell. If you do not do this, the following error message may be displayed: *"Initialization Error PowerShell is required to use the Deployment Workbench. Please install PowerShell then relaunch Deployment Workbench."*
-
-To enable the execution of scripts, run the following cmdlet in PowerShell as an Administrator:
-
- `Set-ExecutionPolicy RemoteSigned -Scope CurrentUser`
-
-## Create a reference image
-
-Now that you have installed the required tools, you can begin the first step of customizing your deployment environment to your needs – create a reference image. Because the reference image should be created in a virtual machine where there is no need for drivers to be installed, and because the reference image will not include applications, you can use the MDT deployment environment almost entirely with default settings.
-
-### Create a deployment share
-
-Now that you have the tools installed, the next step is to configure MDT for the creation of a reference image. Before you can perform the process of creating a reference image, MDT needs to be set up with a repository for scripts, images, and other deployment resources. This repository is known as the *deployment share*. After the deployment share is created, you must supply MDT with a complete set of Windows 10 installation files, the last set of tools required before MDT can perform reference image creation.
-
-To create the deployment share, follow these steps:
-
-1. Open the Deployment Workbench from your Start menu or Start screen, as shown in Figure 5.
-
- 
-
- *Figure 5. The MDT Deployment Workbench*
-
-2. Right-click the **Deployment Shares** folder, and then click **New Deployment Share** to start the New Deployment Share Wizard, as shown in Figure 6.
-
- 
-
- *Figure 6. The Summary page of the New Deployment Share Wizard*
-
-3. Create a new deployment share with New Deployment Share Wizard with the following steps:
-
- * **Path** – Specify a local folder where the deployment share will reside, and then click **Next**.
-
- >[!NOTE]
- >Like the WDS remote installation folder, it is recommended that you put this folder on an NTFS volume that is not your system volume.
-
- * **Share** – Specify a name for the network share under which the local folder specified on the **Path** page will be shared, and then click **Next**.
-
- >[!NOTE]
- >The share name cannot contain spaces.
-
- >[!NOTE]
- >You can use a Dollar Sign (**$**) to hide your network share so that it will not be displayed when users browse the available network shares on the server in File Explorer.
-
- * **Descriptive Name** – Enter a descriptive name for the network share (this descriptive name can contain spaces), and then click **Next**. The descriptive name will be the name of the folder as it appears in the Deployment Workbench.
- * **Options** – You can accept the default options on this page. Click **Next**.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the deployment share.
- * **Progress** – While the deployment share is being created, a progress bar is displayed on this page to indicate the status of the deployment share creation process.
- * **Confirmation** – When the deployment share creation process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Deployment Share Wizard.
-
-4. When the New Deployment Share Wizard is complete, you can expand the Deployment Shares folder to find your newly created deployment share.
-5. You can expand your deployment share, where you will find several folders for the resources, scripts, and components of your MDT deployment environment are stored.
-
-To secure the deployment share and prevent unauthorized access to the deployment resources, you can create a local user on the deployment share host and configure permissions for that user to have read-only access to the deployment share only. It is especially important to secure access to the deployment share if you intend to automate the logon to the deployment share during the deployment boot process. By automating the logon to the deployment share during the boot of deployment media, the credentials for that logon are stored in plaintext in the bootstrap.ini file on the boot media.
-
->[!NOTE]
->If you intend to capture images (such as the reference image) with this user, the user must also have write permission on the Captures folder in the MDT deployment share.
-
-You now have an empty deployment share that is ready for you to add the resources that will be required for reference image creation and deployment to Surface devices.
-
-### Import Windows installation files
-
-The first resources that are required to perform a deployment of Windows are the installation files from Windows 10 installation media. Even if you have an already prepared reference image, you still need to supply the unaltered installation files from your installation media. The source of these files can be a physical disk, or it can be an ISO file like the download from the Volume Licensing Service Center (VLSC).
-
->[!NOTE]
->A 64-bit operating system is required for compatibility with Surface devices except Surface Pro X which cannot be managed with MDT.
-
-To import Windows 10 installation files, follow these steps:
-
-1. Right-click the **Operating Systems** folder under your deployment share in the Deployment Workbench, and then click **New Folder** to open the **New Folder** page, as shown in Figure 7.
-
- 
-
- *Figure 7. Create a new folder on the New Folder page*
-
-2. On the **New Folder** page a series of steps is displayed, as follows:
- * **General Settings** – Enter a name for the folder in the **Folder Name** field (for example, Windows 10 Enterprise), add any comments you want in the **Comments** field, and then click **Next**.
- * **Summary** – Review the specified configuration of the new folder on this page, and then click **Next**.
- * **Progress** – A progress bar will be displayed on this page while the folder is created. This page will likely pass very quickly.
- * **Confirmation** – When the new folder has been created, a **Confirmation** page displays the success of the operation. Click **Finish** to close the **New Folder** page.
-3. Expand the Operating Systems folder to see the newly created folder.
-4. Right-click the newly created folder, and then click **Import Operating System** to launch the Import Operating System Wizard, as shown in Figure 8.
-
- 
-
- *Figure 8. Import source files with the Import Operating System Wizard*
-
-5. The Import Operating System Wizard walks you through the import of your operating system files, as follows:
- * **OS Type** – Click **Full Set of Source Files** to specify that you are importing the Windows source files from installation media, and then click **Next**.
- * **Source** – Click **Browse**, move to and select the folder or drive where your installation files are found, and then click **Next**.
- * **Destination** – Enter a name for the new folder that will be created to hold the installation files, and then click **Next**.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
- * **Progress** – While the installation files are imported, a progress bar is displayed on this page.
- * **Confirmation** – When the operating system import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Operating System Wizard.
-6. Expand the folder you created in Step 1 to see the entry for your newly imported installation files for Windows 10.
-
-Now that you’ve imported the installation files from the installation media, you have the files that MDT needs to create the reference image and you are ready to instruct MDT how to create the reference image to your specifications.
-
-### Create reference image task sequence
-
-As described in the [Deployment tools](#deployment-tools) section of this article, the goal of creating a reference image is to keep the Windows environment as simple as possible while performing tasks that would be common to all devices being deployed. You should now have a basic MDT deployment share configured with default options and a set of unaltered, factory installation files for Windows 10. This simple configuration is perfect for reference image creation because the deployment share contains no applications or drivers to interfere with the process.
-
->[!NOTE]
->For some organizations keeping a simple deployment share without applications or drivers is the simplest solution for creation of reference images. You can easily connect to more than one deployment share from a single Deployment Workbench and copy images from a simple, reference-image-only deployment share to a production deployment share complete with drivers and applications.
-
-To create the reference image task sequence, follow these steps:
-
-1. Right-click the **Task Sequences** folder under your deployment share in the Deployment Workbench, and then click **New Task Sequence** to start the New Task Sequence Wizard, as shown in Figure 9.
-
- 
-
- *Figure 9. Create a new task sequence to deploy and update a Windows 10 reference environment*
-
-2. The New Task Sequence Wizard presents a series of steps, as follows:
- * **General Settings** – Enter an identifier for the reference image task sequence in the **Task Sequence ID** field, a name for the reference image task sequence in the **Task Sequence Name** field, and any comments for the reference image task sequence in the **Task Sequence Comments** field, and then click **Next**.
- >[!NOTE]
- >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
- * **Select Template** – Select **Standard Client Task Sequence** from the drop-down menu, and then click **Next**.
- * **Select OS** – Navigate to and select the Windows 10 image you imported with the Windows 10 installation files, and then click **Next**.
- * **Specify Product Key** – Click **Do Not Specify a Product Key at This Time**, and then click **Next**.
- * **OS Settings** – Enter a name, organization, and home page URL in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**.
- * **Admin Password** – Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**.
- >[!NOTE]
- >During creation of a reference image, any specified Administrator password will be automatically removed when the image is prepared for capture with Sysprep. During reference image creation, a password is not necessary, but is recommended to remain in line with best practices for production deployment environments.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence.
- * **Progress** – While the task sequence is created, a progress bar is displayed on this page.
- * **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard.
-3. Select the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**.
-4. Select the **Task Sequence** tab to view the steps that are included in the Standard Client Task Sequence template, as shown in Figure 10.
-
- 
-
- *Figure 10. Enable Windows Update in the reference image task sequence*
-
-5. Select the **Windows Update (Pre-Application Installation)** option, located under the **State Restore** folder.
-6. Click the **Options** tab, and then clear the **Disable This Step** check box.
-7. Repeat Step 4 and Step 5 for the **Windows Update (Post-Application Installation)** option.
-8. Click **OK** to apply changes to the task sequence, and then close the task sequence properties window.
-
-### Generate and import MDT boot media
-
-To boot the reference virtual machine from the network, the MDT deployment share first must be updated to generate boot media with the resources that have been added in the previous sections.
-
-To update the MDT boot media, follow these steps:
-
-1. Right-click the deployment share in the Deployment Workbench, and then click **Update Deployment Share** to start the Update Deployment Share Wizard, as shown in Figure 11.
-
- 
-
- *Figure 11. Generate boot images with the Update Deployment Share Wizard*
-
-2. Use the Update Deployment Share Wizard to create boot images with the following process:
- * **Options** – Click **Completely Regenerate the Boot Images**, and then click **Next**.
- >[!NOTE]
- >Because this is the first time the newly created deployment share has been updated, new boot images will be generated regardless of which option you select on the **Options** page.
- * **Summary** – Review the specified options on this page before you click **Next** to begin generation of boot images.
- * **Progress** – While the boot images are being generated, a progress bar is displayed on this page.
- * **Confirmation** – When the boot images have been generated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard.
-3. Confirm that boot images have been generated by navigating to the deployment share in File Explorer and opening the Boot folder. The following files should be displayed, as shown in Figure 12:
- * **LiteTouchPE_x86.iso**
- * **LiteTouchPE_x86.wim**
- * **LiteTouchPE_x64.iso**
- * **LiteTouchPE_x64.wim**
-
-
- 
-
- *Figure 12. Boot images displayed in the Boot folder after completion of the Update Deployment Share Wizard*
-
-To import the MDT boot media into WDS for PXE boot, follow these steps:
-
-1. Open Windows Deployment Services from the Start menu or Start screen.
-2. Expand **Servers** and your deployment server.
-3. Click the **Boot Images** folder, as shown in Figure 13.
-
- 
-
- *Figure 13. Start the Add Image Wizard from the Boot Images folder*
-
-4. Right-click the **Boot Images** folder, and then click **Add Boot Image** to open the Add Image Wizard, as shown in Figure 14.
-
- 
-
- *Figure 14. Import the LiteTouchPE_x86.wim MDT boot image*
-
-5. The Add Image Wizard displays a series of steps, as follows:
- * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, click **LiteTouchPE_x86.wim**, click **Open**, and then click **Next**.
- * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options.
- * **Summary** – Review your selections to import a boot image into WDS, and then click **Next**.
- * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard.
-
->[!NOTE]
->Only the 32-bit boot image, LiteTouchPE_x86.wim, is required to boot from BIOS devices, including Generation 1 Hyper-V virtual machines like the reference virtual machine.
-
-If your WDS configuration is properly set up to respond to PXE clients, you should now be able to boot from the network with any device with a network adapter properly configured for network boot (PXE).
-
->[!NOTE]
->If your WDS server resides on the same server as DHCP or in a different subnet than the devices you are attempting to boot, additional configuration may be required. For more information, see [Managing Network Boot Programs](https://technet.microsoft.com/library/cc732351).
-
-### Deploy and capture a reference image
-
-Your deployment environment is now set up to create a reference image for Windows 10 complete with Windows Updates.
-
->[!NOTE]
->You cannot install version updates (such as Windows 10, Version 1511) in a reference image. To create a reference image with a new version of Windows, you must use installation files from that version of Windows. When you install a version update in Windows, it effectively performs an upgrade to a new version of Windows, and upgraded installations of Windows cannot be prepared for deployment with Sysprep.
-By using a fully automated task sequence in an MDT deployment share dedicated to reference image creation, you can greatly reduce the time and effort required to create new reference images and it is the best way to ensure that your organization is ready for feature updates and new versions of Windows 10.
-
-You can now boot from the network with a virtual machine to run the prepared task sequence and generate a reference image. When you prepare your virtual machine in Hyper-V for reference image creation, consider the following:
-
-* Use a Generation 1 virtual machine for the simplicity of drivers and to ensure maximum compatibility with both BIOS and UEFI devices.
-* Ensure your virtual machine has at least 1 GB of system memory at boot. You can ensure that the virtual machine has at least 1 GB of memory at boot but allow the memory to adjust after boot by using Dynamic Memory. You can read more about Dynamic Memory in the [Hyper-V Dynamic Memory Overview](https://technet.microsoft.com/library/hh831766).
-* Ensure your virtual machine uses a legacy network adapter to support network boot (PXE); that network adapter should be connected to the same network as your deployment server, and that network adapter should receive an IP address automatically via DHCP.
-* Configure your boot order such that PXE Boot is the first option.
-
-When your virtual machine (VM) is properly configured and ready, start or boot the VM and be prepared to press the F12 key when prompted to boot via PXE from the WDS server.
-
-Perform the reference image deployment and capture using the following steps:
-
-1. Start your virtual machine and press the F12 key when prompted to boot to the WDS server via PXE, as shown in Figure 15.
-
- 
-
- *Figure 15. Start network boot by pressing the F12 key*
-
-2. Click **Run the Deployment Wizard to Install a New Operating System** to begin the MDT deployment process.
-3. Enter your MDT username and password, a user with rights to access the MDT deployment share over the network and with rights to write to the Captures folder in the deployment share.
-4. After your credentials are validated, the Windows Deployment Wizard will start and process the boot and deployment share rules.
-5. The Windows Deployment Wizard displays a series of steps, as follows:
- * **Task Sequence** – Select the task sequence you created for reference image creation (it should be the only task sequence available), and then click **Next**.
- * **Computer Details** – Leave the default computer name, workgroup name, and the **Join a Workgroup** option selected, and then click **Next**. The computer name and workgroup will be reset when the image is prepared by Sysprep and captured.
- * **Move Data and Settings** – Leave the default option of **Do Not Move User Data and Settings** selected, and then click **Next**.
- * **User Data (Restore)** – Leave the default option of **Do Not Restore User Data and Settings** selected, and then click **Next**.
- * **Locale and Time** – Leave the default options for language and time settings selected. The locale and time settings will be specified during deployment of the image to other devices. Click **Next**.
- * **Capture Image** – Click the **Capture an Image of this Reference Computer** option, as shown in Figure 16. In the **Location** field, keep the default location of the Captures folder. You can keep or change the name of the image file in the **File Name** field. When you are finished, click **Next**.
-
- 
-
- *Figure 16. Use the Capture Image page to capture an image of the reference machine after deployment*
-
- * **Ready** – You can review your selections by expanding **Details** on the **Ready** page. Click **Begin** when you are ready to perform the deployment and capture of your reference image.
-
-6. Your reference task sequence will run with the specified options.
-
-As the task sequence processes the deployment, it will automatically perform the following tasks:
-* Install the Windows 10 image from the installation files you supplied
-* Reboot into Windows 10
-* Run Windows updates until all Windows updates have been installed and the Windows environment is fully up to date
-* Run Sysprep and prepare the Windows 10 environment for deployment
-* Reboot into WinPE
-* Capture an image of the Windows 10 environment and store it in the Captures folder in the MDT deployment share
-
->[!NOTE]
->The Windows Update process can take some time to complete as it searches the Internet for updates, downloads those updates, and then installs them. By performing this process now, in the reference environment, you eliminate the need to perform these tasks on each deployed device and significantly reduce the amount of time and bandwidth required to perform your deployment.
-
-When the task sequence completes, your virtual machine will be off and a new reference image complete with updates will be ready in your MDT deployment share for you to import it and prepare your deployment environment for deployment to Surface devices.
-
-## Deploy Windows 10 to Surface devices
-
-With a freshly prepared reference image, you are now ready to configure the deployment process for deployment to the Surface devices. Use the steps detailed in this section to produce a deployment process that requires minimal effort on each Surface device to produce a complete and ready-to-use Windows 10 environment.
-
-### Import reference image
-
-After the reference image has been created and stored in the Captures folder, you need to add it to your MDT deployment share as an image for deployment. You perform this task by using the same process that you used to import the installation files for Windows 10.
-
-To import the reference image for deployment, use the following steps:
-
-1. Right-click the **Operating Systems** folder under your deployment share in the Deployment Workbench or the folder you created in when you imported Windows 10 installation files, and then click **Import Operating System** to start the Import Operating System Wizard.
-2. Import the custom image with the Import Operating System Wizard by using the following steps:
- * **OS Type** – Select Custom Image File to specify that you are importing the Windows source files from installation media, and then click **Next**.
- * **Image** – Click **Browse**, and then navigate to and select the image file in the **Captures** folder in your deployment share. Select the **Move the Files to the Deployment Share Instead of Copying Them** checkbox if desired. Click **Next**.
- * **Setup** – Click **Setup Files are not Neededf**, and then click **Next**.
- * **Destination** – Enter a name for the new folder that will be created to hold the image file, and then click **Next**.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
- * **Progress** – While the image is imported, a progress bar is displayed on this page.
- * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Operating System Wizard.
-3. Expand the folder in which you imported the image to verify that the import completed successfully.
-
->[!NOTE]
->You can import the reference image into the same deployment share that you used to create your reference image, or you could import the reference image into a new deployment share for deployment to your Surface devices. If you chose to create a new deployment share for deployment of your reference image, remember that you still need to import a full set of installation files from installation media.
-
-Now that your updated reference image is imported, it is time to prepare your deployment environment for deployment to Surface devices complete with drivers, applications, and automation.
-
-### Import Surface drivers
-
-Before you can deploy your updated reference image to Surface devices, or any physical environment, you need to supply MDT with the drivers that Windows will use to communicate with that physical environment. For Surface devices you can download all of the drivers required by Windows in a single archive (.zip) file in a format that is ready for deployment. In addition to the drivers that are used by Windows to communicate with the hardware and components, Surface firmware and driver packs also include updates for the firmware of those components. By installing the Surface firmware and driver pack, you will also bring your device’s firmware up to date. If you have not done so already, download the drivers for your Surface device listed at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
-
-Many devices require that you import drivers specifically for WinPE in order for the MDT boot media to communicate with the deployment share and to boot properly on that device. Even Surface Pro 3 required that network drivers be imported specifically for WinPE for deployment of Windows 8.1. Fortunately, for Windows 10 deployments to Surface devices, all of the required drivers for operation of WinPE are contained within the out-of-box drivers that are built into Windows 10. It is still a good idea to prepare your environment with folder structure and selection profiles that allow you to specify drivers for use in WinPE. You can read more about that folder structure in **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec05).
-
-To import the Surface drivers (in this example, Surface Pro 4) into MDT, follow these steps:
-
-1. Extract the downloaded archive (.zip) file to a folder that you can easily locate. Keep the driver files separate from other drivers or files.
-2. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share.
-3. If you have not already created a folder structure by operating system version, you should do so now and create under the Windows 10 x64 folder a new folder for Surface Pro 4 drivers named Surface Pro 4. Your Out-of-Box Drivers folder should resemble the following structure, as shown in Figure 17:
- * WinPE x86
- * WinPE x64
- * Windows 10 x64
- * Microsoft Corporation
- * Surface Pro 4
-
- 
-
- *Figure 17. The recommended folder structure for drivers*
-
-4. Right-click the **Surface Pro 4** folder, and then click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 18.
-
- 
-
- *Figure 18. The Progress page during drivers import*
-
-5. The Import Driver Wizard displays a series of steps, as follows:
- * **Specify Directory** – Click **Browse** and navigate to the folder where you extracted the Surface Pro 4 firmware and drivers in Step 1.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
- * **Progress** – While the drivers are imported, a progress bar is displayed on this page.
- * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard.
-6. Click the **Surface Pro 4** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 19.
-
- 
-
- *Figure 19. Drivers for Surface Pro 4 imported and organized in the MDT deployment share*
-
-### Import applications
-
-You can import any number of applications into MDT for installation on your devices during the deployment process. You can configure your applications and task sequences to prompt you during deployment to pick and choose which applications are installed, or you can use your task sequence to explicitly define which applications are installed. For more information, see **Step 4: Add an application** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec04).
-
-#### Import Microsoft Office 365 Installer
-
-The Office Deployment Tool is a free download available in the Microsoft Download Center that allows IT professionals and system administrators to download and prepare Office installation packages for Office Click-to-Run. You can find the Office Deployment Tool and instructions to download Click-to-Run for Office 365 installation source files at [Download Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/library/jj219424).
-
-Download and install the version of Office Deployment Tool (ODT), for Office 2013 or Office 2016, that fits your organization’s needs and use the steps provided by that page to download the Office installation files for use with MDT.
-
-After you have downloaded the source files for your version of Office Click-to-Run, you need to edit the Configuration.xml file with instructions to install Office Click-to-Run silently. To configure the Office Deployment Tool for silent installation, follow these steps:
-
-1. Right-click the existing **Configuration.xml** file, and then click **Edit**.
-2. This action opens the file in Notepad. Replace the existing text with the following:
- ```
-
-
-
-
-
-
-
- ```
-
-3. Save the file.
-
-The default behavior of Setup.exe is to look for the source files in the path that contains **Setup.exe**. If the installation files are not found in this folder, the Office Deployment Tool will default to online source files from an Internet connection.
-
-For MDT to perform an automated installation of office, it is important to configure the **Display Level** option to a value of **None**. This setting is used to suppress the installation dialog box for silent installation. It is required that the **AcceptEULA** option is set to **True** to accept the license agreement when the **Display Level** option is set to **None**. With both of these options configured, the installation of Office will occur without the display of dialog boxes which could potentially cause the installation to pause until a user can address an open dialog box.
-
-Now that the installation and configuration files are prepared, the application can be imported into the deployment share by following these steps:
-
-1. Open the Deployment Workbench.
-2. Expand the deployment share, right-click the **Applications** folder, and then click **New Application** to start the New Application Wizard, as shown in Figure 20.
-
- 
-
- *Figure 20. Enter the command and directory for Office 2016 Click-to-Run*
-
-3. The New Application Wizard walks you through importing the Office 2016 Click-to-Run files, as follows:
- * **Application Type** – Click **Application with Source Files**, and then click **Next**.
- * **Details** – Enter a name for the application (for example, Office 2016 Click-to-Run) in the **Application Name** field. Enter publisher, version, and language information in the **Publisher**, **Version**, and **Language** fields if desired. Click **Next**.
- * **Source** – Click **Browse** to navigate to and select the folder where you downloaded the Office installation files with the Office Deployment Tool, and then click **Next**.
- * **Destination** – Enter a name for the folder where the application files will be stored in the **Specify the Name of the Directory that Should Be Created** field or click **Next** to accept the default name.
- * **Command Details** – Enter the Office Deployment Tool installation command line:
-
- `Setup.exe /configure configuration.xml`
-
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
- * **Progress** – While the installation files are imported, a progress bar is displayed on this page.
- * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Application Wizard.
-
-4. You should now see the **Office 2016 Click-to-Run** item under the **Applications** folder in the Deployment Workbench.
-
-#### Import Surface app installer
-
-The Surface app is a Microsoft Store app that provides the user with greater control over specific Surface device functions and capabilities (for example, control over the sensitivity of the Surface Pen). It is a highly recommended app for Surface devices to provide end users with the best experience and greatest control over their device. Find out more about the Surface app at [Install and use the Surface app](https://www.microsoft.com/surface/support/apps-and-windows-store/surface-app?os=windows-10).
-
-To perform a deployment of the Surface app, you will need to download the app files through Microsoft Store for Business. You can find detailed instructions on how to download the Surface app through Microsoft Store for Business at [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business).
-
-After you have downloaded the installation files for Surface app, including the AppxBundle and license files, you can import these files into the deployment share through the same process as a desktop application like Microsoft Office. Both the AppxBundle and license files must be together in the same folder for the import process to complete successfully. Use the following command on the **Command Details** page to install the Surface app:
- ```
-DISM.exe /Online /Add-ProvisionedAppxPackage /PackagePath: Microsoft.SurfaceHub_10.0.342.0_neutral_~_8wekyb3d8bbwe.AppxBundle /LicensePath: Microsoft.SurfaceHub_8wekyb3d8bbwe_a53ef8ab-9dbd-dec1-46c5-7b664d4dd003.xml
- ```
-
-### Create deployment task sequence
-
-The next step in the process is to create the deployment task sequence. This task sequence will be configured to completely automate the deployment process and will work along with customized deployment share rules to reduce the need for user interaction down to a single touch. Before you can make customizations to include all of this automation, the new task sequence has to be created from a template.
-
-To create the deployment task sequence, follow these steps:
-1. In the Deployment Workbench, under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard.
-2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard:
- * **General Settings** – Enter an identifier for the deployment task sequence in the **Task Sequence ID** field, a name for the deployment task sequence in the **Task Sequence Name** field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, then click **Next**.
- >[!NOTE]
- >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
- * **Select Template** – Click **Standard Client Task Sequence** from the drop-down menu, and then click **Next**.
- * **Select OS** – Navigate to and select the reference image that you imported, and then click **Next**.
- * **Specify Product Key** – Select the product key entry that fits your organization's licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**.
- * **OS Settings** – Enter a name and organization for registration of Windows, and a home page URL for users when they browse the Internet in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**.
- * **Admin Password** – Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence.
- * **Progress** – While the task sequence is being created, a progress bar is displayed on this page.
- * **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard.
-
-After the task sequence is created it can be modified for increased automation, such as the installation of applications without user interaction, the selection of drivers, and the installation of Windows updates.
-
-1. Click the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**.
-2. Click the **Task Sequence** tab to view the steps that are included in the new task sequence.
-3. Click the **Windows Update (Pre-Application Installation)** step, located under the **State Restore** folder.
-4. Click the **Options** tab, and then clear the **Disable This Step** check box.
-5. Repeat Step 4 and Step 5 for the **Windows Update (Post-Application Installation)** option.
-6. Between the two **Windows Update** steps is the **Install Applications** step. Click the **Install Applications** step, and then click **Add**.
-7. Hover the mouse over **General** under the **Add** menu, and then click **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 21.
-
- 
-
- *Figure 21. A new Install Application step in the deployment task sequence*
-
-8. On the **Properties** tab of the new **Install Application** step, enter **Install Microsoft Office 2016 Click-to-Run** in the **Name** field.
-9. Click **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share.
-10. Select Office 2016 Click-to-Run from the list of applications, and then click **OK**.
-11. Repeat Steps 6 through 10 for the Surface app.
-12. Expand the **Preinstall** folder, and then click the **Enable BitLocker (Offline)** step.
-13. Open the **Add** menu again and choose **Set Task Sequence Variable** from under the **General** menu.
-14. On the **Properties** tab of the new **Set Task Sequence Variable** step (as shown in Figure 22), configure the following options:
- * **Name** – Set DriverGroup001
- * **Task Sequence Variable** – DriverGroup001
- * **Value** – Windows 10 x64\%Make%\%Model%
-
- 
-
- *Figure 22. Configure a new Set Task Sequence Variable step in the deployment task sequence*
-
-15. Select the **Inject Drivers** step, the next step in the task sequence.
-16. On the **Properties** tab of the **Inject Drivers** step (as shown in Figure 23), configure the following options:
- * In the **Choose a selection profile** drop-down menu, select **Nothing**.
- * Click the **Install all drivers from the selection profile** button.
-
- 
-
- *Figure 23. Configure the deployment task sequence not to choose the drivers to inject into Windows*
-
-17. Click **OK** to apply changes to the task sequence and close the task sequence properties window.
-
-### Configure deployment share rules
-
-The experience of users during a Windows deployment is largely governed by a set of rules that control how the MDT and Windows Deployment Wizard experience should proceed. These rules are stored in two configuration files. Boot media rules are stored in the Bootstrap.ini file that is processed when the MDT boot media is first run. Deployment share rules are stored in the Customsettings.ini file and tell the Windows Deployment Wizard how to operate (for example, what screens to show and what questions to ask). By using these the rules stored in these two files, you can completely automate the process of deployment to where you will not be asked to supply the answer to any questions during deployment and the deployment will perform all tasks completely on its own.
-
-#### Configure Bootstrap.ini
-
-Bootstrap.ini is the simpler of the two rule files. The purpose it serves is to provide instructions from when the MDT boot media starts on a device until the Windows Deployment Wizard is started. The primary use of this file is to provide the credentials that will be used to log on to the deployment share and start the Windows Deployment Wizard.
-
-To automate the boot media rules, follow these steps:
-
-1. Right-click your deployment share in the Deployment Workbench, and then click **Properties**.
-2. Click the **Rules** tab, and then click **Edit Bootstrap.ini** to open Bootstrap.ini in Notepad.
-3. Replace the text of the Bootstrap.ini file with the following text:
-
- ```
- [Settings]
- Priority=Model,Default
-
- [Surface Pro 4]
- DeployRoot=\\STNDeployServer\DeploymentShare$
- UserDomain=STNDeployServer
- UserID=MDTUser
- UserPassword=P@ssw0rd
- SkipBDDWelcome=YES
-
- [Surface Pro 4]
- DeployRoot=\\STNDeployServer\DeploymentShare$
- ```
-
-4. Press Ctrl+S to save Bootstrap.ini, and then close Notepad.
-
-You can use a number of variables in both boot media and deployment share rules to apply rules only when certain conditions are met. For example, you can use MAC addresses to identify specific machines where MDT will run fully automated, but will run with required user interaction on all other devices. You can also use the model of the device to instruct the MDT boot media to perform different actions based on computer model, much as the way **[Surface Pro 4]** is listed in Step 3. You can use the following cmdlet in a PowerShell session to see what the Model variable would be on a device:
-
-```wmic csproduct get name```
-
-Rules used in the text shown in Step 3 include:
-
-* **DeployRoot** – Used to specify the deployment share that the MDT boot media will connect to.
-* **UserDomain** – Used to specify the domain or computer where the MDT user account is located.
-* **UserID** – Used to specify the MDT user account for automatic logon to the deployment share.
-* **UserPassword** – Used to specify the MDT user password for automatic logon to the deployment share.
-* **SkipBDDWelcome** – Used to skip the Welcome page and to start the Windows Deployment Wizard immediately using the specified credentials and deployment share.
-
-#### Configure CustomSettings.ini
-
-The bulk of the rules used to automate the MDT deployment process are stored in the deployment share rules, or the Customsettings.ini file. In this file you can answer and hide all of the prompts from the Windows Deployment Wizard, which yields a deployment experience that mostly consists of a progress bar that displays the automated actions occurring on the device. The deployment share rules are shown directly in the **Rules** tab of the deployment share properties, as shown in Figure 24.
-
-
-
-*Figure 24. Deployment share rules configured for automation of the Windows Deployment Wizard*
-
-To configure automation for the production deployment, copy and paste the following text into the text box on the **Rules** tab of your deployment share properties:
-
- ```
-[Settings]
-Priority=Model,Default
-Properties=MyCustomProperty
-
-[Surface Pro 4]
-SkipTaskSequence=YES
-TaskSequenceID=Win10SP4
-
-[Default]
-OSInstall=Y
-SkipCapture=YES
-SkipAdminPassword=YES
-SkipProductKey=YES
-SkipComputerBackup=YES
-SkipBitLocker=YES
-SkipBDDWelcome=YES
-SkipUserData=YES
-UserDataLocation=AUTO
-SkipApplications=YES
-SkipPackageDisplay=YES
-SkipComputerName=YES
-SkipDomainMembership=YES
-JoinDomain=contoso.com
-DomainAdmin=MDT
-DomainAdminDomain=contoso
-DomainAdminPassword=P@ssw0rd
-SkipLocaleSelection=YES
-KeyboardLocale=en-US
-UserLocale=en-US
-UILanguage=en-US
-SkipTimeZone=YES
-TimeZoneName=Pacific Standard Time
-UserID=MDTUser
-UserDomain=STNDeployServer
-UserPassword=P@ssw0rd
-SkipSummary=YES
-SkipFinalSummary=YES
-FinishAction=LOGOFF
- ```
-Rules used in this example include:
-
-* **SkipTaskSequence** – This rule is used to skip the **Task Sequence** page where the user would have to select between available task sequences.
-* **TaskSequenceID** – This rule is used to instruct the Windows Deployment Wizard to run a specific task sequence. In this scenario the task sequence ID should match the deployment task sequence you created in the previous section.
-* **OSInstall** – This rule indicates that the Windows Deployment Wizard will be performing an operating system deployment.
-* **SkipCapture** – This rule prevents the **Capture Image** page from being displayed, prompting the user to create an image of this device after deployment.
-* **SkipAdminPassword** – This rule prevents the **Admin Password** page from being displayed. The Administrator password specified in the task sequence will still be applied.
-* **SkipProductKey** – This rule prevents the **Specify Product Key** page from being displayed. The product key specified in the task sequence will still be applied.
-* **SkipComputerBackup** – This rule prevents the **Move Data and Settings** page from being displayed, where the user is asked if they would like to make a backup of the computer before performing deployment.
-* **SkipBitLocker** – This rule prevents the **BitLocker** page from being displayed, where the user is asked if BitLocker Drive Encryption should be used to encrypt the device.
-* **SkipBDDWelcome** – This rule prevents the **Welcome** page from being displayed, where the user is prompted to begin Windows deployment.
-* **SkipUserData** – This rule prevents the **User Data (Restore)** page from being displayed, where the user is asked to restore previously backed up user data in the new environment.
-* **UserDataLocation** – This rule prevents the user from being prompted to supply a location on the User Data (Restore) page.
-* **SkipApplications** – This rule prevents the **Applications** page from being displayed, where the user is prompted to select from available applications to be installed in the new environment.
-* **SkipPackageDisplay** – This rule prevents the **Packages** page from being displayed, where the user is prompted to select from available packages to be installed in the new environment.
-* **SkipComputerName** – This rule, when combined with the **SkipDomainMembership** rule, prevents the **Computer Details** page from being displayed, where the user is asked to supply computer name and join a domain or workgroup.
-* **SkipDomainMembership** – This rule, when combined with the **SkipComputerName** rule, prevents the **Computer Details** page from being displayed, where the user is asked to supply computer name and join a domain or workgroup.
-* **JoinDomain** – This rule instructs the Windows Deployment Wizard to have the computer join the specified domain using the specified credentials.
-* **DomainAdmin** – This rule specifies the username for the domain join operation.
-* **DomainAdminDomain** – This rule specifies the domain for the username for the domain join operation.
-* **DomainAdminPassword** – This rule specifies the password for the username for the domain join operation.
-* **SkipLocaleSelection** – This rule, along with the **SkipTimeZone** rule, prevents the **Locale and Time** page from being displayed.
-* **KeyboardLocale** – This rule is used to specify the keyboard layout for the deployed Windows environment.
-* **UserLocale** – This rule is used to specify the geographical locale for the deployed Windows environment.
-* **UILanguage** – This rule is used to specify the language to be used in the deployed Windows environment.
-* **SkipTimeZone** – This rule, along with the **SkipLocaleSelection** rule, prevents the **Locale and Time** page from being displayed.
-* **TimeZoneName** – This rule is used to specify the time zone for the deployed Windows environment.
-* **UserID** – This rule is used to supply the username under which the MDT actions and task sequence steps are performed.
-* **UserDomain** – This rule is used to supply the domain for the username under which the MDT actions and task sequence steps are performed.
-* **UserPassword** – This rule is used to supply the password for the username under which the MDT actions and task sequence steps are performed.
-* **SkipSummary** – This rule prevents the **Summary** page from being displayed before the task sequence is run, where the user is prompted to confirm the selections before beginning the task sequence.
-* **SkipFinalSummary** – This rule prevents the **Summary** page from being displayed when the task sequence has completed.
-* **FinishAction** – This rule specifies whether to log out, reboot, or shut down the device after the task sequence has completed.
-
-You can read about all of the possible deployment share and boot media rules in the [Microsoft Deployment Toolkit Reference](https://technet.microsoft.com/library/dn781091).
-
-### Update and import updated MDT boot media
-
-The process to update MDT boot media with these new rules and changes to the deployment share is very similar to the process to generate boot media from scratch.
-
-To update the MDT boot media, follow these steps:
-
-1. Right-click the deployment share in the Deployment Workbench, and then click **Update Deployment Share** to start the Update Deployment Share Wizard.
-2. The Update Deployment Share Wizard displays a series of steps, as follows:
- * **Options** – Choose between the **Completely Regenerate the Boot Images** or **Optimize the Boot Image Updating Process** options. Completely regenerating the boot images will take more time, but produces boot media that is not fragmented and does not contain out of date components. Optimizing the boot image updating process will proceed more quickly, but may result in longer load times when booting via PXE. Click **Next**.
- * **Summary** – Review the specified options on this page before you click **Next** to begin the update of boot images.
- * **Progress** – While the boot images are being updated a progress bar is displayed on this page.
- * **Confirmation** – When the boot images have been updated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard.
-
-To import the updated MDT boot media into WDS for PXE boot, follow these steps:
-
-1. Open Windows Deployment Services from the Start menu or Start screen.
-2. Expand **Servers** and your deployment server.
-3. Click the **Boot Images** folder.
-4. Right-click the existing MDT boot image, and then click **Replace Image** to open the Replace Boot Image Wizard.
-5. Replace the previously imported MDT boot image with the updated version by using these steps in the Replace Boot Image Wizard:
- * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, click **LiteTouchPE_x86.wim**, and then click **Open**. Click **Next**.
- * **Available Images** – Only one image should be listed and selected **LiteTouch Windows PE (x86)**, click **Next**.
- * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options.
- * **Summary** – Review your selections for importing a boot image into WDS, and then click **Next**.
- * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Replace Boot Image Wizard.
-6. Right-click the **Boot Images** folder, and then click **Add Image** to open the Add Image Wizard.
-7. Add the new 64-bit boot image for 64-bit UEFI device compatibility with the Add Image Wizard , as follows:
- * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, select **LiteTouchPE_x64.wim**, and then click **Open**. Click **Next**.
- * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options.
- * **Summary** – Review your selections to import a boot image into WDS, and then click **Next**.
- * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard.
-
->[!NOTE]
->Although it is a best practice to replace and update the boot images in WDS whenever the MDT deployment share is updated, for deployment to Surface devices the 32-bit boot image, LiteTouchPE_x86.wim, is not required. Only the 64-bit boot image is required for 64-bit UEFI devices.
-
-### Deploy Windows to Surface
-
-With all of the automation provided by the deployment share rules and task sequence, performing the deployment on each Surface device becomes as easy as a single touch.
-
->[!NOTE]
->For the deployment to require only a single touch, the Surface devices must be connected to a keyboard, connected to the network with a Microsoft Surface USB Ethernet Adapter or Surface Dock, and configured with PXE boot as the first boot option, as shown in Figure 25.
-
-
-
-*Figure 25. Setting boot priority for PXE boot*
-
-On a properly configured Surface device, simply turn on the device and press Enter when you are prompted to boot from the network. The fully automated MDT deployment process will then take over and perform the following tasks:
-
-* The MDT boot media will be loaded to your Surface device via the network
-* The MDT boot media will use the provided credentials and rules to connect to the MDT deployment share
-* The task sequence and drivers will be automatically selected for your device via make and model information
-* The task sequence will deploy your updated Windows 10 image to the device complete with the selected drivers
-* The task sequence will join your device to the domain
-* The task sequence will install the applications you specified, Microsoft Office and Surface app
-* Windows Update will run, installing any new Windows Updates or updates for installed applications, like Microsoft Office
-* The task sequence will complete silently and log out of the device
-
->[!NOTE]
->For Surface devices not configured to boot to the network as the first boot option, you can hold Volume Down and press Power to boot the system immediately to a USB or network device.
-
-The resulting configuration is a Surface device that is logged out and ready for an end user to enter their credentials, log on, and get right to work. The applications and drivers they need are already installed and up to date.
-
-
+> MDT is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md).
+For the latest information about using MDT, refer to [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt).
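Review bot: the two added lines at the end of this hunk do not form a well-formed callout. The first added line opens a blockquote with `>` but omits the `[!NOTE]` marker that every other callout in this file uses (`>[!NOTE]`), and the second added line follows it with neither a blank line nor a `>` prefix, so Markdown renders it as a lazy continuation of the same quote instead of a separate paragraph. Suggest `> [!NOTE]` on its own line, then `> MDT is not supported on Surface Pro X. ...`, then a blank line before the "For the latest information about using MDT" sentence. The removed walkthrough also contained sample Bootstrap.ini and CustomSettings.ini rules with plaintext credentials (`UserPassword=P@ssw0rd`, `DomainAdminPassword=P@ssw0rd`); dropping those is fine, but the surviving redirect sentence should say that the rules and task sequence guidance now lives in the linked MDT article so readers know where that content went.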
diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md
index f0b8a6490f..7431a22a8a 100644
--- a/devices/surface/deploy.md
+++ b/devices/surface/deploy.md
@@ -7,8 +7,8 @@ ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
ms.reviewer:
-manager: dansimp
-ms.author: v-jokai
+manager: laurawi
+ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
diff --git a/devices/surface/dma-protect.md b/devices/surface/dma-protect.md
new file mode 100644
index 0000000000..93909724b7
--- /dev/null
+++ b/devices/surface/dma-protect.md
@@ -0,0 +1,22 @@
+---
+title: Surface DMA Protection
+description: This article describes DMA protection on compatible Surface devices
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.localizationpriority: medium
+ms.sitesec: library
+author: coveminer
+ms.author: greglin
+ms.topic: article
+ms.date: 6/10/2020
+ms.reviewer: carlol
+manager: laurawi
+audience: itpro
+---
+# DMA Protection on Surface devices
+
+Direct Memory Access (DMA) protection is designed to mitigate potential security vulnerabilities associated with using removable SSDs or external storage devices. Newer Surface devices come with DMA Protection enabled by default. These include Surface Pro 7, Surface Laptop 3, and Surface Pro X. To check the presence of DMA protection feature on your device, open System Information (**Start** > **msinfo32.exe**), as shown in the figure below.
+
+
+
+If a Surface removable SSD is tampered with, the device will shutoff power. The resulting reboot causes UEFI to wipe memory, to erase any residual data.
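Review bot: the new article says "as shown in the figure below", but the hunk contains no image after that paragraph, only two blank lines, so either add the System Information screenshot or drop the phrase and instead name the field the reader should look for in msinfo32 to confirm the feature is present. The last paragraph should read "shut off power" rather than "shutoff power". The front-matter description ("This article describes DMA protection on compatible Surface devices") is also missing its terminating period, unlike the other descriptions in this change set.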
diff --git a/devices/surface/documentation/surface-system-sku-reference.md b/devices/surface/documentation/surface-system-sku-reference.md
index 0d49be965e..0014ad0c25 100644
--- a/devices/surface/documentation/surface-system-sku-reference.md
+++ b/devices/surface/documentation/surface-system-sku-reference.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
---
# Surface System SKU Reference
@@ -26,6 +26,7 @@ System SKU is a variable (along with System Model and others) stored in System M
| Surface Book 2 15inch | Surface Book 2 | Surface_Book_1793 |
| Surface Go Consumer | Surface Go | Surface_Go_1824_Consumer |
| Surface Go Commercial | Surface Go | Surface_Go_1824_Commercial |
+| Surface Go 2 | Surface Go 2 | Surface_Go_2_1927 |
| Surface Pro 6 Consumer | Surface Pro 6 | Surface_Pro_6_1796_Consumer |
| Surface Pro 6 Commercial | Surface Pro 6 | Surface_Pro_6_1796_Commercial |
| Surface Laptop 2 Consumer | Surface Laptop 2 | Surface_Laptop_2_1769_Consumer |
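Review bot: the added Surface Go 2 row carries a single SKU (`Surface_Go_2_1927`), whereas the Surface Go rows directly above it are split into Consumer (`Surface_Go_1824_Consumer`) and Commercial (`Surface_Go_1824_Commercial`) entries. Please confirm that Surface Go 2 reports one System SKU string for both variants; if it does not, add the second row so that lookups keyed on System SKU do not miss the commercial unit.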
diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
index 65453aeaf5..36f05515f3 100644
--- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
+++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
@@ -3,7 +3,7 @@ title: Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices (Surface)
description: Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.
ms.assetid: A281EFA3-1552-467D-8A21-EB151E58856D
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: network, wireless, device, deploy, authentication, protocol
ms.localizationpriority: medium
ms.prod: w10
@@ -11,7 +11,7 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
---
diff --git a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md
index 18011a1ca5..4f3c602781 100644
--- a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md
+++ b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md
@@ -97,6 +97,29 @@ To support Surface Laptop 3 with Intel Processor, import the following folders:
- SurfaceUpdate\SurfaceSerialHub
- SurfaceUpdate\SurfaceHotPlug
- SurfaceUpdate\Itouch
+
+Importing the following folders will enable full keyboard, trackpad, and touch functionality in PE for Surface Laptop 3.
+
+- IclSerialIOGPIO
+- IclSerialIOI2C
+- IclSerialIOSPI
+- IclSerialIOUART
+- itouch
+- IclChipset
+- IclChipsetLPSS
+- IclChipsetNorthpeak
+- ManagementEngine
+- SurfaceAcpiNotify
+- SurfaceBattery
+- SurfaceDockIntegration
+- SurfaceHidMini
+- SurfaceHotPlug
+- SurfaceIntegration
+- SurfaceSerialHub
+- SurfaceService
+- SurfaceStorageFwUpdate
+
+
> [!NOTE]
> Check the downloaded MSI package to determine the format and directory structure. The directory structure will start with either SurfacePlatformInstaller (older MSI files) or SurfaceUpdate (Newer MSI files) depending on when the MSI was released.
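Review bot: the new folder list overlaps the list immediately above it: SurfaceSerialHub, SurfaceHotPlug and Itouch are already listed under "To support Surface Laptop 3 with Intel Processor, import the following folders", and the new list spells the last one "itouch" while the existing list has "Itouch". Readers will match these strings against directory names in the MSI, so either merge the two lists into one for Surface Laptop 3 or say what separates them (minimal PE boot support versus full keyboard, trackpad and touch), and settle on one spelling. Also drop one of the two trailing blank lines added before the > [!NOTE] block.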
diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
index 8e512c1511..6eb848da41 100644
--- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md
+++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
@@ -7,12 +7,12 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Enroll and configure Surface devices with SEMM
@@ -24,7 +24,7 @@ For a more high-level overview of SEMM, see [Microsoft Surface Enterprise Manage
A streamlined method of managing firmware from the cloud on Surface Pro 7,Surface Pro X and Surface Laptop 3 is now available via public preview. For more information,refer to [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md).
> [!NOTE]
-> SEMM is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md).
+> SEMM is supported on Surface Pro X via the UEFI Manager only. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md).
#### Download and install Microsoft Surface UEFI Configurator
The tool used to create SEMM packages is Microsoft Surface UEFI Configurator. You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
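Review bot: the changed note inverts the previous statement (from "not supported on Surface Pro X" to "supported on Surface Pro X via the UEFI Manager only") but keeps the same link text and target; confirm the linked Surface Pro X article has been updated to say the same, and consider naming what "the UEFI Manager" is, since the term does not appear elsewhere in this hunk and the rest of the article talks about Surface UEFI Configurator. While in this block, the unchanged line above is missing spaces after the commas in "Surface Pro 7,Surface Pro X" and "information,refer".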
@@ -57,8 +57,10 @@ To create a Surface UEFI configuration package, follow these steps:
6. Click **Password Protection** to add a password to Surface UEFI. This password will be required whenever you boot to UEFI. If this password is not entered, only the **PC information**, **About**, **Enterprise management**, and **Exit** pages will be displayed. This step is optional.
7. When you are prompted, enter and confirm your chosen password for Surface UEFI, and then click **OK**. If you want to clear an existing Surface UEFI password, leave the password field blank.
8. If you do not want the Surface UEFI package to apply to a particular device, on the **Choose which Surface type you want to target** page, click the slider beneath the corresponding Surface Book or Surface Pro 4 image so that it is in the **Off** position. (As shown in Figure 3.)
+ > [!NOTE]
+ > You must select a device as none are selected by default.
- 
+ 
*Figure 3. Choose the devices for package compatibility*
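Review bot: the new note "You must select a device as none are selected by default" contradicts step 8 just above it, which tells the reader to move a slider to the Off position only for devices the package should not target, implying all devices start in the On position. One of the two statements needs to change to match the current Surface UEFI Configurator behaviour. Also check the indentation of the added > [!NOTE] lines: a single leading space is generally not enough for a blockquote to render as part of numbered item 8 rather than breaking the list.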
@@ -107,11 +109,11 @@ To enroll a Surface device in SEMM with a Surface UEFI configuration package, fo
3. Click **Finish** to complete the Surface UEFI configuration package installation and restart the Surface device when you are prompted to do so.
4. Surface UEFI will load the configuration file and determine that SEMM is not enabled on the device. Surface UEFI will then begin the SEMM enrollment process, as follows:
* Surface UEFI will verify that the SEMM configuration file contains a SEMM certificate.
- * Surface UEFI will prompt you to enter to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8.
+ * Surface UEFI will prompt you to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8.
- 
-
- *Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint*
+ 
+
+ *Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint*
* Surface UEFI will store the SEMM certificate in firmware and apply the configuration settings that are specified in the Surface UEFI configuration file.
diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
index 4acda64004..a68242b88a 100644
--- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md
+++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
@@ -3,7 +3,7 @@ title: Ethernet adapters and Surface deployment (Surface)
description: This article provides guidance and answers to help you perform a network deployment to Surface devices.
ms.assetid: 5273C59E-6039-4E50-96B3-426BB38A64C0
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: ethernet, deploy, removable, network, connectivity, boot, firmware, device, adapter, PXE boot, USB
ms.localizationpriority: medium
ms.prod: w10
@@ -11,7 +11,7 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.audience: itpro
---
@@ -28,7 +28,7 @@ Network deployment to Surface devices can pose some unique challenges for system
Before you can address the concerns of how you will boot to your deployment environment or how devices will be recognized by your deployment solution, you have to use a wired network adapter.
-The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using Microsoft Endpoint Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. See the [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) section of this article for more information on potential conflicts with shared adapters.
+The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using Microsoft Endpoint Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. For more information on potential conflicts with shared adapters, see [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) later in this article.
Booting from the network (PXE boot) is only supported when you use an Ethernet adapter or docking station from Microsoft. To boot from the network, the chipset in the Ethernet adapter or dock must be detected and configured as a boot device in the firmware of the Surface device. Microsoft Ethernet adapters, such as the Surface Ethernet Adapter and the [Surface Dock](https://www.microsoft.com/surface/accessories/surface-dock) use a chipset that is compatible with the Surface firmware.
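Review bot: the rewritten sentence keeps the in-page anchor #manage-mac-addresses, but the target heading in this same file reads "## Manage MAC addresses with removable Ethernet adapters", whose auto-generated anchor would be the full slug of that title; confirm the article defines an explicit manage-mac-addresses anchor, otherwise the link silently lands at the top of the page.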
@@ -67,7 +67,6 @@ For Windows 10, version 1511 and later – including the Windows Assessment and
## Manage MAC addresses with removable Ethernet adapters
-
Another consideration for administrators performing Windows deployment over the network is how you will identify computers when you use the same Ethernet adapter to deploy to more than one computer. A common identifier used by deployment technologies is the Media Access Control (MAC) address that is associated with each Ethernet adapter. However, when you use the same Ethernet adapter to deploy to multiple computers, you cannot use a deployment technology that inspects MAC addresses because there is no way to differentiate the MAC address of the removable adapter when used on the different computers.
The simplest solution to avoid MAC address conflicts is to provide a dedicated removable Ethernet adapter for each Surface device. This can make sense in many scenarios where the Ethernet adapter or the additional functionality of the docking station will be used regularly. However, not all scenarios call for the additional connectivity of a docking station or support for wired networks.
@@ -85,7 +84,7 @@ To access the firmware of a Surface device, follow these steps:
When deploying with WDS, the MAC address is only used to identify a computer when the deployment server is configured to respond only to known, pre-staged clients. When pre-staging a client, an administrator creates a computer account in Active Directory and defines that computer by the MAC address or the System UUID. To avoid the identity conflicts caused by shared Ethernet adapters, you should use [System UUID to define pre-staged clients](https://technet.microsoft.com/library/cc742034). Alternatively, you can configure WDS to respond to unknown clients that do not require definition by either MAC address or System UUID by selecting the **Respond to all client computers (known and unknown)** option on the [**PXE Response** tab](https://technet.microsoft.com/library/cc732360) in **Windows Deployment Server Properties**.
-The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post on the Ask Premier Field Engineering (PFE) Platforms TechNet blog.
+The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm/ba-p/257374), a blog post on the Core Infrastructure and Security Blog.
diff --git a/devices/surface/get-started.yml b/devices/surface/get-started.yml
index edb22aac8c..0c309e50b7 100644
--- a/devices/surface/get-started.yml
+++ b/devices/surface/get-started.yml
@@ -24,99 +24,93 @@ landingContent:
linkLists:
- linkListType: overview
links:
- - text: Surface Pro 7 for Business
- url: https://www.microsoft.com/surface/business/surface-pro-7
- - text: Surface Pro X for Business
- url: https://www.microsoft.com/surface/business/surface-pro-x
- - text: Surface Laptop 3 for Business
- url: https://www.microsoft.com/surface/business/surface-laptop-3
- - text: Surface Book 2 for Business
- url: https://www.microsoft.com/surface/business/surface-book-2
- - text: Surface Studio 2 for Business
- url: https://www.microsoft.com/surface/business/surface-studio-2
- - text: Surface Go
- url: https://www.microsoft.com/surface/business/surface-go
- - linkListType: video
- links:
- - text: Microsoft Mechanics Surface videos
- url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ
-
+ - text: Surface Go 2 for Business
+ url: https://www.microsoft.com/surface/business/surface-go-2
+ - text: Surface Book 3 for Business
+ url: https://www.microsoft.com/surface/business/surface-book-3
+ - text: Explore all Surface family products
+ url: https://www.microsoft.com/surface/business
+
# Card (optional)
- title: Get started
linkLists:
- linkListType: get-started
links:
- - text: Surface and Endpoint Configuration Manager considerations
- url: considerations-for-surface-and-system-center-configuration-manager.md
- - text: Wake On LAN for Surface devices
- url: wake-on-lan-for-surface-devices.md
-
+ - text: Surface Book 3 GPU technical overview
+ url: surface-book-gpu-overview.md
+ - text: Surface Book 3 Quadro RTX 3000 technical overview
+ url: surface-book-quadro.md
+ - text: What’s new in Surface Dock 2
+ url: surface-dock-whats-new.md
+
# Card
- title: Deploy Surface devices
linkLists:
- linkListType: deploy
links:
- - text: Manage and deploy Surface driver and firmware updates
- url: manage-surface-driver-and-firmware-updates.md
+ - text: Surface Deployment Accelerator tool
+ url: microsoft-surface-deployment-accelerator.md
- text: Autopilot and Surface devices
url: windows-autopilot-and-surface-devices.md
- - text: Deploying, managing, and servicing Surface Pro X
- url: surface-pro-arm-app-management.md
-
- # Card
+ - text: Windows Virtual Desktop on Surface
+ url: windows-virtual-desktop-surface.md
+
+ # Card
- title: Manage Surface devices
linkLists:
- linkListType: how-to-guide
links:
- - text: Optimize Wi-Fi connectivity for Surface devices
- url: surface-wireless-connect.md
+ - text: Manage and deploy Surface driver and firmware updates
+ url: manage-surface-driver-and-firmware-updates.md
- text: Best practice power settings for Surface devices
url: maintain-optimal-power-settings-on-Surface-devices.md
- - text: Manage battery limit with UEFI
- url: battery-limit.md
+ - text: Optimize Wi-Fi connectivity for Surface devices
+ url: surface-wireless-connect.md
# Card
- - title: Secure Surface devices
+ - title: Explore security guidance
linkLists:
- linkListType: how-to-guide
links:
+ - text: Secure Surface Dock 2 ports with Surface Enterprise Management Mode (SEMM)
+ url: secure-surface-dock-ports-semm.md
- text: Intune management of Surface UEFI settings
url: surface-manage-dfci-guide.md
- - text: Surface Enterprise Management Mode (SEMM)
- url: surface-enterprise-management-mode.md
- text: Surface Data Eraser tool
url: microsoft-surface-data-eraser.md
-
- # Card
+
+ # Card
- title: Discover Surface tools
linkLists:
- linkListType: how-to-guide
links:
- - text: Surface Dock Firmware Update
- url: surface-dock-firmware-update.md
- text: Surface Diagnostic Toolkit for Business
url: surface-diagnostic-toolkit-for-business-intro.md
- text: SEMM and UEFI
url: surface-enterprise-management-mode.md
- - text: Surface Brightness Control
- url: microsoft-surface-brightness-control.md
- text: Battery Limit setting
url: battery-limit.md
- # Card
- - title: Support and community
+ # Card
+ - title: Browse support solutions
linkLists:
- linkListType: learn
links:
- text: Top support solutions
url: support-solutions-surface.md
- - text: Maximize your Surface battery life
- url: https://support.microsoft.com/help/4483194/maximize-surface-battery-life
+ - text: Protecting your data during Surface repair or service
+ url: https://support.microsoft.com/help/4023508/surface-faq-protecting-your-data-service
- text: Troubleshoot Surface Dock and docking stations
url: https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations
- - linkListType: reference
+
+# Card
+ - title: Participate in Surface Community
+ linkLists:
+ - linkListType: learn
links:
- text: Surface IT Pro blog
url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro
- text: Surface Devices Tech Community
url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices
+ - text: Microsoft Mechanics Surface videos
+ url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ
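Review bot: the "# Card" comment added before "Participate in Surface Community" has no leading indentation while the other "# Card" comments in this hunk (before "Manage Surface devices", "Discover Surface tools", "Browse support solutions") keep the original indentation; YAML ignores the comments, but the mix reads as noise in a landing-page file, so align them. Separately, this hunk removes the landing entries for "Surface Dock Firmware Update", "Surface Brightness Control", "Manage battery limit with UEFI" and "Deploying, managing, and servicing Surface Pro X" without replacements, while the SEMM article edited in this same PR still points readers at surface-pro-arm-app-management.md; confirm those pages remain reachable from the TOC, and confirm the new targets (surface-book-gpu-overview.md, surface-book-quadro.md, surface-dock-whats-new.md, windows-virtual-desktop-surface.md, secure-surface-dock-ports-semm.md) exist in this change set.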
diff --git a/devices/surface/images/enable-bl.png b/devices/surface/images/enable-bl.png
index a99cb994fb..b1f7cff7f6 100644
Binary files a/devices/surface/images/enable-bl.png and b/devices/surface/images/enable-bl.png differ
diff --git a/devices/surface/images/go-batterylimit.png b/devices/surface/images/go-batterylimit.png
new file mode 100644
index 0000000000..893e78ea9f
Binary files /dev/null and b/devices/surface/images/go-batterylimit.png differ
diff --git a/devices/surface/images/graphics-settings2.png b/devices/surface/images/graphics-settings2.png
new file mode 100644
index 0000000000..3ee5235962
Binary files /dev/null and b/devices/surface/images/graphics-settings2.png differ
diff --git a/devices/surface/images/manage-surface-driver-updates-1.png b/devices/surface/images/manage-surface-driver-updates-1.png
new file mode 100644
index 0000000000..58cec90ea0
Binary files /dev/null and b/devices/surface/images/manage-surface-driver-updates-1.png differ
diff --git a/devices/surface/images/manage-surface-driver-updates-2.png b/devices/surface/images/manage-surface-driver-updates-2.png
new file mode 100644
index 0000000000..26bcfcda74
Binary files /dev/null and b/devices/surface/images/manage-surface-driver-updates-2.png differ
diff --git a/devices/surface/images/manage-surface-driver-updates-3.png b/devices/surface/images/manage-surface-driver-updates-3.png
new file mode 100644
index 0000000000..e1dafd7f15
Binary files /dev/null and b/devices/surface/images/manage-surface-driver-updates-3.png differ
diff --git a/devices/surface/images/manage-surface-driver-updates-4.png b/devices/surface/images/manage-surface-driver-updates-4.png
new file mode 100644
index 0000000000..5e6e4cafb4
Binary files /dev/null and b/devices/surface/images/manage-surface-driver-updates-4.png differ
diff --git a/devices/surface/images/secure-surface-dock-ports-semm-1.png b/devices/surface/images/secure-surface-dock-ports-semm-1.png
new file mode 100644
index 0000000000..d1eeafaf12
Binary files /dev/null and b/devices/surface/images/secure-surface-dock-ports-semm-1.png differ
diff --git a/devices/surface/images/secure-surface-dock-ports-semm-2.png b/devices/surface/images/secure-surface-dock-ports-semm-2.png
new file mode 100644
index 0000000000..db8de73dbf
Binary files /dev/null and b/devices/surface/images/secure-surface-dock-ports-semm-2.png differ
diff --git a/devices/surface/images/secure-surface-dock-ports-semm-3.png b/devices/surface/images/secure-surface-dock-ports-semm-3.png
new file mode 100644
index 0000000000..c9cf60aad3
Binary files /dev/null and b/devices/surface/images/secure-surface-dock-ports-semm-3.png differ
diff --git a/devices/surface/images/secure-surface-dock-ports-semm-4.png b/devices/surface/images/secure-surface-dock-ports-semm-4.png
new file mode 100644
index 0000000000..0b19c52652
Binary files /dev/null and b/devices/surface/images/secure-surface-dock-ports-semm-4.png differ
diff --git a/devices/surface/images/secure-surface-dock-ports-semm-5.png b/devices/surface/images/secure-surface-dock-ports-semm-5.png
new file mode 100644
index 0000000000..0d4c7df937
Binary files /dev/null and b/devices/surface/images/secure-surface-dock-ports-semm-5.png differ
diff --git a/devices/surface/images/secure-surface-dock-ports-semm-6.png b/devices/surface/images/secure-surface-dock-ports-semm-6.png
new file mode 100644
index 0000000000..c5f6c3ca1f
Binary files /dev/null and b/devices/surface/images/secure-surface-dock-ports-semm-6.png differ
diff --git a/devices/surface/images/surface-deployment-accelerator.png b/devices/surface/images/surface-deployment-accelerator.png
new file mode 100644
index 0000000000..1886a08227
Binary files /dev/null and b/devices/surface/images/surface-deployment-accelerator.png differ
diff --git a/devices/surface/images/surface-dock2.png b/devices/surface/images/surface-dock2.png
new file mode 100644
index 0000000000..410bcd1df7
Binary files /dev/null and b/devices/surface/images/surface-dock2.png differ
diff --git a/devices/surface/images/surface-semm-enroll-fig3.jpg b/devices/surface/images/surface-semm-enroll-fig3.jpg
new file mode 100644
index 0000000000..bdbc3dfd4f
Binary files /dev/null and b/devices/surface/images/surface-semm-enroll-fig3.jpg differ
diff --git a/devices/surface/images/systeminfodma.png b/devices/surface/images/systeminfodma.png
new file mode 100644
index 0000000000..46c86e9dd6
Binary files /dev/null and b/devices/surface/images/systeminfodma.png differ
diff --git a/devices/surface/index.yml b/devices/surface/index.yml
index 29bd13e5da..b173beeed8 100644
--- a/devices/surface/index.yml
+++ b/devices/surface/index.yml
@@ -24,17 +24,13 @@ additionalContent:
- title: For IT Professionals # < 60 chars (optional)
items:
# Card
- - title: Surface devices
+ - title: Surface devices documentation
summary: Harness the power of Surface, Windows, and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface devices in your organization.
url: https://docs.microsoft.com/en-us/surface/get-started
# Card
- - title: Surface Hub
- summary: Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device that brings the power of Windows 10 to team collaboration. Learn how to plan, deploy, manage, and support your Surface Hub devices.
- url: https://docs.microsoft.com/surface-hub/index
- # Card
- - title: Surface for Business
- summary: Explore how Surface devices are transforming the modern workplace with people-centric design and flexible form factors, helping you get the most out of AI, big data, the cloud, and other foundational technologies.
- url: https://www.microsoft.com/surface/business
+ - title: Surface Hub documentation
+ summary: Learn how to deploy and manage Surface Hub 2S, the all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device.
+ url: https://docs.microsoft.com/surface-hub/index
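Review bot: the two remaining cards use different URL forms: the Surface devices card keeps the locale-specific https://docs.microsoft.com/en-us/surface/get-started while the Surface Hub card uses the locale-free https://docs.microsoft.com/surface-hub/index; since the first card is being edited in this hunk anyway, drop /en-us/ so both links follow the reader's locale.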
- title: Other resources # < 60 chars (optional)
items:
# Card
@@ -49,10 +45,11 @@ additionalContent:
links:
- text: Surface training on Microsoft Learn
url: https://docs.microsoft.com/learn/browse/?term=Surface
+ - text: Surface Hub 2S adoption guidance
+ url: https://docs.microsoft.com/surface-hub/surface-hub-2s-adoption-kit
- text: Microsoft Mechanics Surface videos
url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ
- - text: Surface Hub 2S adoption and training
- url: https://docs.microsoft.com/surface-hub/surface-hub-2s-adoption-kit
+
# Card
- title: Need help?
links:
@@ -60,3 +57,5 @@ additionalContent:
url: https://support.microsoft.com/products/surface-devices
- text: Surface Hub
url: https://support.microsoft.com/hub/4343507/surface-hub-help
+ - text: Contact Surface Hub Support
+ url: https://support.microsoft.com/supportforbusiness/productselection?sapId=bb7066fb-e329-c1c0-9c13-8e9949c6a64e
diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md
index 9d47e34bb2..17e6d48fb1 100644
--- a/devices/surface/ltsb-for-surface.md
+++ b/devices/surface/ltsb-for-surface.md
@@ -6,10 +6,10 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
index 3760d85a4d..e7c739be75 100644
--- a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
+++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
@@ -5,10 +5,10 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
ms.date: 10/28/2019
diff --git a/devices/surface/manage-surface-driver-and-firmware-updates.md b/devices/surface/manage-surface-driver-and-firmware-updates.md
index 827d2c64c5..a1eea22998 100644
--- a/devices/surface/manage-surface-driver-and-firmware-updates.md
+++ b/devices/surface/manage-surface-driver-and-firmware-updates.md
@@ -3,7 +3,7 @@ title: Manage and deploy Surface driver and firmware updates
description: This article describes the available options to manage and deploy firmware and driver updates for Surface devices.
ms.assetid: CD1219BA-8EDE-4BC8-BEEF-99B50C211D73
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB
ms.localizationpriority: medium
ms.prod: w10
@@ -11,18 +11,18 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.audience: itpro
---
# Manage and deploy Surface driver and firmware updates
-
+
How you manage Surface driver and firmware updates varies depending on your environment and organizational requirements. On Surface devices, firmware is exposed to the operating system as a driver and is visible in Device Manager, enabling device firmware and drivers to be automatically updated using Windows Update or Windows Update for Business. Although this simplified approach may be feasible for startups and small or medium-sized businesses, larger organizations typically need IT admins to distribute updates internally. This may involve comprehensive planning, application compatibility testing, piloting and validating updates, before final approval and distribution across the network.
> [!NOTE]
> This article is intended for technical support agents and IT professionals and applies to Surface devices only. If you're looking for help to install Surface updates or firmware on a home device, see [Update Surface firmware and Windows 10](https://support.microsoft.com/help/4023505).
-
+
While enterprise-grade software distribution solutions continue to evolve, the business rationale for centrally managing updates remains the same: Maintain the security of Surface devices and keep them updated with the latest operating system and feature improvements. This is essential for sustaining a stable production environment and ensuring users aren't blocked from being productive. This article provides an overview of recommended tools and processes for larger organizations to accomplish these goals.
## Central update management in commercial environments
@@ -32,18 +32,17 @@ Microsoft has streamlined tools for managing devices – including driver and fi
### Manage updates with Configuration Manager and Intune
Microsoft Endpoint Configuration Manager allows you to synchronize and deploy Surface firmware and driver updates with the Configuration Manager client. Integration with Microsoft Intune lets you see all your managed, co-managed, and partner-managed devices in one place. This is the recommended solution for large organizations to manage Surface updates.
-
+
For detailed steps, see the following resources:
-- [How to manage Surface driver updates in Configuration Manager.](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager)
-- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications).
+- [How to manage Surface driver updates in Configuration Manager](https://docs.microsoft.com/surface/manage-surface-driver-updates-configuration-manager.md)
+- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications)
- [Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/)
-
### Manage updates with Microsoft Deployment Toolkit
Included in Endpoint Configuration Manager, the Microsoft Deployment Toolkit (MDT) contains optional deployment tools that you may wish to use depending on your environment. These include the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), and User State Migration Tool (USMT). You can download the latest version of MDT from the [Microsoft Deployment Toolkit download page](https://www.microsoft.com/download/details.aspx?id=54259).
-
+
For detailed steps, see the following resources:
- [Microsoft Deployment Toolkit documentation](https://docs.microsoft.com/configmgr/mdt/)
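Review bot: the new link target https://docs.microsoft.com/surface/manage-surface-driver-updates-configuration-manager.md mixes an absolute docs.microsoft.com URL with a .md file extension; published pages have no .md suffix, so this link will not resolve. Use the repo-relative form manage-surface-driver-updates-configuration-manager.md, as the other same-repo links in this PR do (for example surface-manage-dfci-guide.md), or the absolute URL without the extension. Also confirm the content of the replaced support article (KB 4098906) has actually moved to the new page before retiring the old reference.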
@@ -54,7 +53,6 @@ Surface driver and firmware updates are packaged as Windows Installer (*.msi) fi
For instructions on how to deploy updates by using Endpoint Configuration Manager refer to [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). For instructions on how to deploy updates by using MDT, see [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt).
-
**WindowsPE and Surface firmware and drivers**
Endpoint Configuration Manager and MDT both use the Windows Preinstallation Environment (WindowsPE) during the deployment process. WindowsPE only supports a limited set of basic drivers such as those for network adapters and storage controllers. Drivers for Windows components that are not part of WindowsPE might produce errors. As a best practice, you can prevent such errors by configuring the deployment process to use only the required drivers during the WindowsPE phase.
@@ -65,13 +63,12 @@ Starting in Endpoint Configuration Manager, you can synchronize and deploy Micro
## Supported devices
-Downloadable .msi files are available for Surface devices from Surface Pro 2 and later. Information about .msi files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release.
-
+Downloadable .msi files are available for Surface devices from Surface Pro 2 and later. Information about .msi files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release.
## Managing firmware with DFCI
With Device Firmware Configuration Interface (DFCI) profiles built into Intune (now available in [public preview](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows)), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. For more information, see:
-
+
- [Intune management of Surface UEFI settings](https://docs.microsoft.com/surface/surface-manage-dfci-guide)
- [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333).
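Review bot: the "Supported devices" paragraph is re-emitted with only whitespace differences, yet its content is stale: it still says .msi information for "the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release", while this same PR adds Surface Go 2 and Surface Book 3 to the landing page and a Surface_Go_2_1927 entry to the MSI table. Since the line is being touched, update it to reflect the devices now shipping. Minor: the last bullet of the DFCI list ends with a period after the link, unlike the bullet above it.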
@@ -93,7 +90,6 @@ Specific versions of Windows 10 have separate .msi files, each containing all re
- Management engine (ME)
- Unified extensible firmware interface (UEFI)
-
### Downloading .msi files
1. Browse to [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware) on the Microsoft Download Center.
@@ -102,8 +98,7 @@ Specific versions of Windows 10 have separate .msi files, each containing all re

*Figure 1. Downloading Surface updates*
-
-
+
### Surface .msi naming convention
Since August 2019, .msi files have used the following naming convention:
@@ -120,14 +115,15 @@ This file name provides the following information:
- **Windows release:** Win10
- **Build:** 18362
- **Version:** 19.073.44195 – This shows the date and time that the file was created, as follows:
- - **Year:** 19 (2019)
- - **Month and week:** 073 (third week of July)
- - **Minute of the month:** 44195
+ - **Year:** 19 (2019)
+ - **Month and week:** 073 (third week of July)
+ - **Minute of the month:** 44195
- **Revision of version:** 0 (first release of this version)
### Legacy Surface .msi naming convention
+
Legacy .msi files (files built before August 2019) followed the same overall naming formula but used a different method to derive the version number.
- ****
+
**Example**
- SurfacePro6_Win10_16299_1900307_0.msi
@@ -138,13 +134,11 @@ This file name provides the following information:
- **Windows release:** Win10
- **Build:** 16299
- **Version:** 1900307 – This shows the date that the file was created and its position in the release sequence, as follows:
- - **Year:** 19 (2019)
- - **Number of release:** 003 (third release of the year)
- - **Product version number:** 07 (Surface Pro 6 is officially the seventh version of Surface Pro)
+ - **Year:** 19 (2019)
+ - **Number of release:** 003 (third release of the year)
+ - **Product version number:** 07 (Surface Pro 6 is officially the seventh version of Surface Pro)
- **Revision of version:** 0 (first release of this version)
-
-
## Learn more
- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware)
@@ -157,4 +151,3 @@ This file name provides the following information:
- [Intune management of Surface UEFI settings](https://docs.microsoft.com/surface/surface-manage-dfci-guide)
- [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333).
- [Build deployment rings for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates)
-
diff --git a/devices/surface/manage-surface-driver-updates-configuration-manager.md b/devices/surface/manage-surface-driver-updates-configuration-manager.md
new file mode 100644
index 0000000000..a6fc726ee7
--- /dev/null
+++ b/devices/surface/manage-surface-driver-updates-configuration-manager.md
@@ -0,0 +1,181 @@
+---
+title: Manage Surface driver updates in Configuration Manager
+description: This article describes the available options to manage and deploy firmware and driver updates for Surface devices.
+ms.assetid: b64879c4-37eb-4fcf-a000-e05cbb3d26ea
+ms.reviewer:
+author: v-miegge
+manager: laurawi
+keywords: Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB
+ms.localizationpriority: medium
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: coveminer
+ms.author: daclark
+ms.topic: article
+audience: itpro
+---
+
+# Manage Surface driver updates in Configuration Manager
+
+## Summary
+
+Starting in [Microsoft System Center Configuration Manager version 1710](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1710#software-updates), you can synchronize and deploy Microsoft Surface firmware and driver updates directly through the Configuration Manager client. The process resembles deploying regular updates. However, some additional configurations are required to get the Surface driver updates into your catalog.
+
+## Prerequisites
+
+To manage Surface driver updates, the following prerequisites must be met:
+
+- You must use Configuration Manager version 1710 or a later version.
+- All Software Update Points (SUPs) must run Windows Server 2016 or a later version. Otherwise, Configuration Manager ignores this setting and Surface drivers won't be synchronized.
+
+> [!NOTE]
+> If your environment doesn’t meet the prerequisites, refer to the [alternative methods](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager#1) to deploy Surface driver and firmware updates in the [FAQ](#frequently-asked-questions-faq) section.
+
+## Useful log files
+
+The following logs are especially useful when you manage Surface driver updates.
+
+|Log name|Description|
+|---|---|
+|WCM.log|Records details about the software update point configuration and connections to the WSUS server for subscribed update categories, classifications, and languages.|
+|WsyncMgr.log|Records details about the software updates sync process.|
+
+These logs are located on the site server that manages the SUP, or on the SUP itself if it's installed directly on a site server.
+For a complete list of Configuration Manager logs, see [Log files in System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/log-files).
+
+## Enabling Surface driver updates management
+
+To enable Surface driver updates management in Configuration Manager, follow these steps:
+
+1. In the Configuration Manager console, go to **Administration** > **Overview** > **Site Configuration** > **Sites**.
+1. Select the site that contains the top-level SUP server for your environment.
+1. On the ribbon, select **Configure Site Components**, and then select **Software Update Point**. Or, right-click the site, and then select **Configure Site Components** > **Software Update Point**.
+1. On the **Classifications** tab, select the **Include Microsoft Surface drivers and firmware updates** check box.
+
+ 
+
+1. When you're prompted by the following warning message, select **OK**.
+
+ 
+
+1. On the Products tab, select the products that you want to update, and then select **OK**.
+
+ Most drivers belong to the following product groups:
+
+ - Windows 10 and later version drivers
+ - Windows 10 and later Upgrade & Servicing Drivers
+ - Windows 10 Anniversary Update and Later Servicing Drivers
+ - Windows 10 Anniversary Update and Later Upgrade & Servicing Drivers
+ - Windows 10 Creators Update and Later Servicing Drivers
+ - Windows 10 Creators Update and Later Upgrade & Servicing Drivers
+ - Windows 10 Fall Creators Update and Later Servicing Drivers
+ - Windows 10 Fall Creators Update and Later Upgrade & Servicing Drivers
+ - Windows 10 S and Later Servicing Drivers
+ - Windows 10 S Version 1709 and Later Servicing Drivers for testing
+ - Windows 10 S Version 1709 and Later Upgrade & Servicing Drivers for testing
+
+ > [!NOTE]
+ > Most Surface drivers belong to multiple Windows 10 product groups. You may not have to select all the products that are listed here. To help reduce the number of products that populate your Update Catalog, we recommend that you select only the products that are required by your environment for synchronization.
+
+## Verifying the configuration
+
+To verify that the SUP is configured correctly, follow these steps:
+
+1. Open WsyncMgr.log, and then look for the following entry:
+
+ ```console
+ Surface Drivers can be supported in this hierarchy since all SUPs are on Windows Server 2016, WCM SCF property Sync Catalog Drivers is set.
+
+ Sync Catalog Drivers SCF value is set to : 1
+ ```
+
+ If either of the following entries is logged in WsyncMgr.log, recheck step 4 in the previous section:
+
+ ```console
+ Sync Surface Drivers option is not set
+
+ Sync Catalog Drivers SCF value is set to : 0
+ ```
+
+1. Open WCM.log, and then look for an entry that resembles the following:
+
+ 
+
+ This entry is an XML element that lists every product group and classification that's currently synchronized by your SUP server. For example, you might see an entry that resembles the following:
+
+ ```xml
+
+
+
+
+
+ ```
+
+ If you can't find the products that you selected in step 6 in the previous section, double-check whether the SUP settings are saved.
+
+ You can also wait until the next synchronization finishes, and then check whether the Surface driver and firmware updates are listed in Software Updates in the Configuration Manager console. For example, the console might display the following information:
+
+ 
+
+## Manual synchronization
+
+If you don't want to wait until the next synchronization, follow these steps to start a synchronization:
+
+1. In the Configuration Manager console, go to **Software Library** > **Overview** > **Software Updates** > **All Software Updates**.
+1. On the ribbon, select **Synchronize Software Updates**. Or, right-click **All Software Update**, and then select **Synchronize Software Update**.
+1. Monitor the synchronization progress by looking for the following entries in WsyncMgr.log:
+
+ ```console
+ Surface Drivers can be supported in this hierarchy since all SUPs are on Windows Server 2016, WCM SCF property Sync Catalog Drivers is set.
+
+ sync: SMS synchronizing categories
+ sync: SMS synchronizing categories, processed 0 out of 311 items (0%)
+ sync: SMS synchronizing categories, processed 311 out of 311 items (100%)
+ sync: SMS synchronizing categories, processed 311 out of 311 items (100%)
+ sync: SMS synchronizing updates
+
+ Synchronizing update 7eaa0148-c42b-45fd-a1ab-012c82972de6 - Microsoft driver update for Surface Type Cover Integration
+ Synchronizing update 2dcb07f8-37ec-41ef-8cd5-030bf24dc1d8 - Surface driver update for Surface Pen Pairing
+ Synchronizing update 63067414-ae52-422b-b3d1-0382a4d6519a - Surface driver update for Surface UEFI
+ Synchronizing update 8e4e3a41-a784-4dd7-9a42-041f43ddb775 - Surface driver update for Surface Integration
+ Synchronizing update 7f8baee8-419f-47e2-918a-045a15a188e7 - Microsoft driver update for Surface DTX
+ Synchronizing update aed66e05-719b-48cd-a0e7-059e50f67fdc - Microsoft driver update for Surface Base Firmware Update
+ Synchronizing update 8ffe1526-6e66-43cc-86e3-05ad92a24e3a - Surface driver update for Surface UEFI
+ Synchronizing update 74102899-0a49-48cf-97e6-05bde18a27ff - Microsoft driver update for Surface UEFI
+ ```
+
+## Deploying Surface firmware and driver updates
+
+You can deploy Surface firmware and driver updates in the same manner as you deploy other updates.
+
+For more information about deployment, see [System Center 2012 Configuration Manager–Part7: Software Updates (Deploy)](https://blogs.technet.microsoft.com/elie/2012/05/25/system-center-2012-configuration-managerpart7-software-updates-deploy/).
+
+## Frequently asked questions (FAQ)
+
+**After I follow the steps in this article, my Surface drivers are still not synchronized. Why?**
+
+If you synchronize from an upstream Windows Server Update Services (WSUS) server, instead of Microsoft Update, make sure that the upstream WSUS server is configured to support and synchronize Surface driver updates. All downstream servers are limited to updates that are present in the upstream WSUS server database.
+
+There are more than 68,000 updates that are classified as drivers in WSUS. To prevent non-Surface related drivers from synchronizing to Configuration Manager, Microsoft filters driver synchronization against an allow list. After the new allow list is published and incorporated into Configuration Manager, the new drivers are added to the console following the next synchronization. Microsoft aims to get the Surface drivers added to the allow list each month in line with Patch Tuesday to make them available for synchronization to Configuration Manager.
+
+If your Configuration Manager environment is offline, a new allow list is imported every time you import [servicing updates](https://docs.microsoft.com/mem/configmgr/core/servers/manage/use-the-service-connection-tool) to Configuration Manager. You will also have to import a [new WSUS catalog](https://docs.microsoft.com/mem/configmgr/sum/get-started/synchronize-software-updates-disconnected) that contains the drivers before the updates are displayed in the Configuration Manager console. Because a stand-alone WSUS environment contains more drivers than a Configuration Manager SUP, we recommend that you establish a Configuration Manager environment that has online capabilities, and that you configure it to synchronize Surface drivers. This provides a smaller WSUS export that closely resembles the offline environment.
+
+If your Configuration Manager environment is online and able to detect new updates, you will receive updates to the list automatically. If you don’t see the expected drivers, please review the WCM.log and WsyncMgr.log for any synchronization failures.
+
+**My Configuration Manager environment is offline, can I manually import Surface drivers into WSUS?**
+
+No. Even if the update is imported into WSUS, the update won't be imported into the Configuration Manager console for deployment if it isn't listed in the allow list. You must use the [Service Connection Tool](https://docs.microsoft.com/mem/configmgr/core/servers/manage/use-the-service-connection-tool) to import servicing updates to Configuration Manager to update the allow list.
+
+**What alternative methods do I have to deploy Surface driver and firmware updates?**
+
+For information about how to deploy Surface driver and firmware updates through alternative channels, see [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates). If you want to download the .msi or .exe file, and then deploy through traditional software deployment channels, see [Keeping Surface Firmware Updated with Configuration Manager](https://docs.microsoft.com/archive/blogs/thejoncallahan/keeping-surface-firmware-updated-with-configuration-manager).
+
+## Additional Information
+
+For more information about Surface driver and firmware updates, see the following articles:
+
+- [Download the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices)
+- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates)
+- [Considerations for Surface and System Center Configuration Manager](https://docs.microsoft.com/surface/considerations-for-surface-and-system-center-configuration-manager)
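Review bot: the YAML front matter of this new file declares `author:` twice (`author: v-miegge` near the top and `author: coveminer` further down); duplicate mapping keys are at best ambiguous to the build's YAML parser, so keep only the intended one. In the same hunk, the `xml` code block under "Open WCM.log" is empty, so the example the sentence promises ("For example, you might see an entry that resembles the following") never appears; either paste the element or drop the sentence. The "Manual synchronization" step names the items `All Software Update` and `Synchronize Software Update`, while the step above uses `All Software Updates` and `Synchronize Software Updates`; make them match the console labels. Finally, the "Additional Information" link titled "Manage Surface driver and firmware updates" points at `manage-surface-pro-3-firmware-updates`, whereas the FAQ links the same title to `manage-surface-driver-and-firmware-updates`; check which target is current.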
diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md
index 224cc16744..f56bcb55d1 100644
--- a/devices/surface/manage-surface-uefi-settings.md
+++ b/devices/surface/manage-surface-uefi-settings.md
@@ -8,10 +8,10 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices, surface
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Manage Surface UEFI settings
diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md
index 84ef8a1b9f..2bb2c8a956 100644
--- a/devices/surface/microsoft-surface-brightness-control.md
+++ b/devices/surface/microsoft-surface-brightness-control.md
@@ -6,10 +6,10 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index 4ee475b184..1ad32d8518 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -3,7 +3,7 @@ title: Microsoft Surface Data Eraser (Surface)
description: Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.
ms.assetid: 8DD3F9FE-5458-4467-BE26-E9200341CF10
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
keywords: tool, USB, data, erase
ms.prod: w10
@@ -11,9 +11,10 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
-ms.audience: itpro
+audience: itpro
+ms.date: 05/11/2020
---
# Microsoft Surface Data Eraser
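Review bot: `-ms.audience: itpro` is replaced by `+audience: itpro` here, but other front-matter hunks in this same change keep `ms.audience: itpro` (microsoft-surface-deployment-accelerator.md and the new secure-surface-dock-ports-semm.md), while the new manage-surface-driver-updates-configuration-manager.md uses `audience: itpro`; pick one key for all the Surface pages in this change so the metadata build treats them the same way.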
@@ -28,6 +29,8 @@ Find out how the Microsoft Surface Data Eraser tool can help you securely wipe d
Compatible Surface devices include:
+* Surface Book 3
+* Surface Go 2
* Surface Pro 7
* Surface Pro X
* Surface Laptop 3
@@ -164,6 +167,14 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following:
+### 3.30.139
+*Release Date: 11 May 2020*
+
+This version of Surface Data Eraser adds support for:
+- Surface Book 3
+- Surface Go 2
+- New SSD in Surface Go
+
### 3.28.137
*Release Date: 11 Nov 2019*
This version of Surface Data Eraser:
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
index e60688692b..4a2b2a806c 100644
--- a/devices/surface/microsoft-surface-deployment-accelerator.md
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -3,7 +3,7 @@ title: Microsoft Surface Deployment Accelerator (Surface)
description: Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
keywords: deploy, install, tool
ms.prod: w10
@@ -11,134 +11,33 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.audience: itpro
+ms.date: 5/08/2020
---
# Microsoft Surface Deployment Accelerator
-Microsoft Surface Deployment Accelerator (SDA) automates the creation and configuration of a Microsoft recommended deployment experience by using free Microsoft deployment tools.
+Microsoft Surface Deployment Accelerator (SDA) automates the creation and configuration of a Microsoft recommended deployment experience by using free Microsoft deployment tools.
-> [!NOTE]
-> SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md).
+Redesigned in April 2020 to simplify and automate deployment of Surface images in a corporate environment, the
+SDA tool allows you to build a “factory-like” Windows image that you can customize to your organizational requirements.
-SDA is built on the powerful suite of deployment tools available from Microsoft including the Windows Assessment and Deployment Kit (ADK), the Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS). The resulting deployment share encompasses the recommended best practices for managing drivers during deployment and automating image creation and can serve as a starting point upon which you build your own customized deployment solution.
+The open source, script-driven SDA tool leverages the Windows Assessment and Deployment Kit (ADK) for Windows 10, facilitating the creation of Windows images (WIM) in test or production environments. If the latest ADK is not already installed, it will be downloaded and installed when running the SDA tool.
-**Download Microsoft Surface Deployment Accelerator**
+The resulting image closely matches the configuration of Bare Metal Recovery (BMR) images, without any pre-installed applications such as Microsoft Office or the Surface UWP application.
-You can download the installation files for SDA from the Microsoft Download Center. To download the installation files:
+**To run SDA:**
-1. Go to the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page on the Microsoft Download Center.
+1. Go to [SurfaceDeploymentAccelerator](https://github.com/microsoft/SurfaceDeploymentAccelerator) on GitHub.
+2. Select **Clone or Download** and review the Readme file.
+3. Edit the script with the appropriate variables for your environment, as documented in the Readme, and review before running it in your test environment.
-2. Click the **Download** button, select the **Surface\_Deployment\_Accelerator\_xxxx.msi** file, and then click **Next**.
+ 
-## Microsoft Surface Deployment Accelerator prerequisites
-
-
-Before you install SDA, your environment must meet the following prerequisites:
-
-- SDA must be installed on Windows Server 2012 R2 or later
-
-- PowerShell Script Execution Policy must be set to **Unrestricted**
-
-- DHCP and DNS must be enabled on the network where the Windows Server 2012 R2 environment is connected
-
-- To download Surface drivers and apps automatically the Windows Server 2012 R2 environment must have Internet access and Internet Explorer Enhanced Security Configuration must be disabled
-
-- To support network boot, the Windows Server 2012 R2 environment must have Windows Deployment Services installed and configured to respond to PXE requests
-
-- Access to Windows source files or installation media is required when you prepare a deployment with SDA
-
-- At least 6 GB of free space for each version of Windows you intend to deploy
-
-## How Microsoft Surface Deployment Accelerator works
-
-
-As you progress through the SDA wizard, you will be asked some basic questions about how your deployment solution should be configured. As you select the desired Surface models to be supported and apps to be installed (see Figure 1), the wizard will prepare scripts that download, install, and configure everything needed to perform a complete deployment and capture of a reference image. By using the network boot (PXE) capabilities of Windows Deployment Services (WDS), the resulting solution enables you to boot a Surface device from the network and perform a clean deployment of Windows.
-
-
-
-*Figure 1. Select desired apps and drivers*
-
-When the SDA completes, you can use the deployment share to deploy over the network immediately. Simply boot your Surface device from the network using a Surface Ethernet Adapter and select the Surface deployment share you created with the SDA wizard. Select the **1- Deploy Microsoft Surface** task sequence and the wizard will walk you through an automated deployment of Windows to your Surface device.
-
-You can modify the task sequence in the MDT Deployment Workbench to [include your own apps](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt#sec04), or to [pause the automated installation routine](https://blogs.technet.microsoft.com/mniehaus/2009/06/26/mdt-2010-new-feature-3-suspend-and-resume-a-lite-touch-task-sequence/). While the installation is paused, you can make changes to customize your reference image. After the image is captured, you can configure a deployment task sequence and distribute this custom configuration by using the same network boot capabilities as before.
-
->[!NOTE]
->With SDA v1.9.0258, Surface Pro 3, Surface Pro 4, and Surface Book are supported for Windows 10 deployment, and Surface Pro 3 is supported for Windows 8.1 deployment.
-
-
-
-## Use Microsoft Surface Deployment Accelerator without an Internet connection
-
-
-For environments where the SDA server will not be able to connect to the Internet, the required Surface files can be downloaded separately. To specify a local source for Surface driver and app files, select the **Copy from a local directory** option and specify the location of your downloaded files (see Figure 2). All of the driver and app files for your selected choices must be placed in the specified folder.
-
-
-
-*Figure 2. Specify a local source for Surface driver and app files*
-
-You can find a full list of available driver downloads at [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
-
->[!NOTE]
->Downloaded files do not need to be extracted. The downloaded files can be left as .zip files as long as they are stored in one folder.
-
->[!NOTE]
->Using files from a local directory is not supported when including Office 365 in your deployment share. To include Office 365 in your deployment share, select the **Download from the Internet** check box.
-
-## Changes and updates
-
-SDA is periodically updated by Microsoft. For instructions on how these features are used, see [Step-by-Step: Microsoft Surface Deployment Accelerator](https://technet.microsoft.com/itpro/surface/step-by-step-surface-deployment-accelerator).
-
->[!NOTE]
->To install a newer version of SDA on a server with a previous version of SDA installed, you only need to run the installation file for the new version of SDA. The installer will handle the upgrade process automatically. If you used SDA to create a deployment share prior to the upgrade and want to use new features of the new version of SDA, you will need to create a new deployment share. SDA does not support upgrades of an existing deployment share.
-
-### Version 2.8.136.0
-This version of SDA supports deployment of the following:
-* Surface Book 2
-* Surface Laptop
-* Surface Pro LTE
-
-### Version 2.0.8.0
-This version of SDA supports deployment of the following:
-* Surface Pro
-
->[!NOTE]
->SDA version 2.0.8.0 includes support only for Surface Pro, and does not support other Surface devices such as Surface Pro 4 or Surface Book. To deploy these devices, please continue to use SDA version 1.96.0405.
-
-### Version 1.96.0405
-This version of SDA adds support for the following:
-* Microsoft Deployment Toolkit (MDT) 2013 Update 2
-* Office 365 Click-to-Run
-* Surface 3 and Surface 3 LTE
-* Reduced Windows Assessment and Deployment Kit (Windows ADK) footprint, only the following Windows ADK components are installed:
- * Deployment tools
- * Windows Preinstallation Environment (WinPE)
- * User State Migration Tool (USMT)
-
-### Version 1.90.0258
-This version of SDA adds support for the following:
-* Surface Book
-* Surface Pro 4
-* Windows 10
-
-### Version 1.90.0000
-This version of SDA adds support for the following:
-* Local driver and app files can be used to create a deployment share without access to the Internet
-
-### Version 1.70.0000
-This version is the original release of SDA. This version of SDA includes support for:
-* MDT 2013 Update 1
-* Windows ADK
-* Surface Pro 3
-* Windows 8.1
-
-
-## Related topics
-
-[Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
-
-[Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md)
+## Related links
+ - [Open source image deployment tool released on GitHub](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/open-source-image-deployment-tool-released-on-github/ba-p/1314115)
+ - [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install)
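Review bot: the removed note `SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3` has no replacement, and the rewritten text never says which Surface models the redesigned SDA can image; add a supported-devices sentence or point the reader to that part of the GitHub README so admins do not assume the old limitation was lifted. Also in this hunk: `+ms.date: 5/08/2020` is not zero-padded while the other dates added in this change use `05/11/2020` and `06/08/2020`; the sentence beginning `Redesigned in April 2020` is split across two `+` lines mid-sentence (rendered markdown joins them, but the source is harder to review); and the two `Related links` bullets are indented by one space, which some renderers treat differently from a top-level list. The hunk also drops the `Related topics` links to step-by-step-surface-deployment-accelerator.md and using-the-sda-deployment-share.md; if those articles are being retired, confirm redirects exist for them.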
diff --git a/devices/surface/secure-surface-dock-ports-semm.md b/devices/surface/secure-surface-dock-ports-semm.md
new file mode 100644
index 0000000000..266f6d92cf
--- /dev/null
+++ b/devices/surface/secure-surface-dock-ports-semm.md
@@ -0,0 +1,168 @@
+---
+title: Secure Surface Dock 2 ports with Surface Enterprise Management Mode (SEMM)
+description: This document provides guidance for configuring UEFI port settings for Surface Dock 2 when connected to compatible Surface devices including Surface Book 3, Surface Laptop 3, and Surface Pro 7.
+ms.assetid: 2808a8be-e2d4-4cb6-bd53-9d10c0d3e1d6
+ms.reviewer:
+manager: laurawi
+keywords: Troubleshoot common problems, setup issues
+ms.prod: w10
+ms.mktglfcycl: support
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: v-miegge
+ms.author: jesko
+ms.topic: article
+ms.date: 06/08/2020
+ms.localizationpriority: medium
+ms.audience: itpro
+---
+
+# Secure Surface Dock 2 ports with Surface Enterprise Management Mode (SEMM)
+
+## Introduction
+
+Surface Enterprise Management Mode (SEMM) enables IT admins to secure and manage Surface Dock 2 ports by configuring UEFI settings in a Windows installer configuration package (.MSI file) deployed to compatible Surface devices across a corporate environment.
+
+### Supported devices
+
+Managing Surface Dock 2 with SEMM is available for docks connected to Surface Book 3, Surface Laptop 3, and Surface Pro 7. These compatible Surface devices are commonly referred to as **host devices**. A package is applied to host devices based on if a host device is **authenticated** or **unauthenticated**. Configured settings reside in the UEFI layer on host devices enabling you — the IT admin — to manage Surface Dock 2 just like any other built-in peripheral such as the camera.
+
+>[!NOTE]
+>You can manage Surface Dock 2 ports only when the dock is connected to one of the following compatible devices: Surface Book 3, Surface Laptop 3, and Surface Pro 7. Any device that doesn't receive the UEFI Authenticated policy settings is inherently an unauthenticated device.
+
+### Scenarios
+
+Restricting Surface Dock 2 to authorized persons signed into a corporate host device provides another layer of data protection. This ability to lock down Surface Dock 2 is critical for specific customers in highly secure environments who want the functionality and productivity benefits of the dock while maintaining compliance with strict security protocols. We anticipate SEMM used with Surface Dock 2 will be particularly useful in open offices and shared spaces especially for customers who want to lock USB ports for security reasons. For a video demo, check out [SEMM for Surface Dock 2](https://youtu.be/VLV19ISvq_s).
+
+## Configuring and deploying UEFI settings for Surface Dock 2
+
+This section provides step-by-step guidance for the following tasks:
+
+1. Install [**Surface UEFI Configurator**](https://www.microsoft.com/download/details.aspx?id=46703).
+1. Create or obtain public key certificates.
+1. Create an .MSI configuration package.
+ 1. Add your certificates.
+ 1. Enter the 16-digit RN number for your Surface Dock 2 devices.
+ 1. Configure UEFI settings.
+1. Build and apply the configuration package to targeted Surface devices (Surface Book 3, Surface Laptop 3, or Surface Pro 7.)
+
+>[!NOTE]
+>The **Random Number (RN)** is a unique 16-digit hex code identifier which is provisioned at the factory, and printed in small type on the underside of the dock. The RN differs from most serial numbers in that it can't be read electronically. This ensures proof of ownership is primarily established only by reading the RN when physically accessing the device. The RN may also be obtained during the purchase transaction and is recorded in Microsoft inventory systems.
+
+### Install SEMM and Surface UEFI Configurator
+
+Install SEMM by running **SurfaceUEFI_Configurator_v2.71.139.0.msi**. This is a standalone installer and contains everything you need to create and distribute configuration packages for Surface Dock 2.
+
+- Download **Surface UEFI Configurator** from [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703).
+
+## Create public key certificates
+
+This section provides specifications for creating the certificates needed to manage ports for Surface Dock 2.
+
+### Prerequisites
+
+This article assumes that you either obtain certificates from a third-party provider or you already have expertise in PKI certificate services and know how to create your own. You should be familiar with and follow the general recommendations for creating certificates as described in [Surface Enterprise Management Mode (SEMM)](https://docs.microsoft.com/surface/surface-enterprise-management-mode) documentation, with one exception. The certificates documented on this page require expiration terms of 30 years for the **Dock Certificate Authority**, and 20 years for the **Host Authentication Certificate**.
+
+For more information, see [Certificate Services Architecture](https://docs.microsoft.com/windows/win32/seccrypto/certificate-services-architecture) documentation and review the appropriate chapters in [Windows Server 2019 Inside Out](https://www.microsoftpressstore.com/store/windows-server-2019-inside-out-9780135492277), or [Windows Server 2008 PKI and Certificate Security](https://www.microsoftpressstore.com/store/windows-server-2008-pki-and-certificate-security-9780735640788) available from Microsoft Press.
+
+### Root and host certificate requirements
+
+Prior to creating the configuration package, you need to prepare public key certificates that authenticate ownership of Surface Dock 2 and facilitate any subsequent changes in ownership during the device lifecycle. The host and provisioning certificates require entering EKU IDs otherwise known as **Client Authentication Enhanced Key Usage (EKU) object identifiers (OIDs)**.
+
+The required EKU values are listed in Table 1 and Table 2.
+
+#### Table 1. Root and Dock Certificate requirements
+
+|Certificate|Algorithm|Description|Expiration|EKU OID|
+|---|---|---|---|---|
+|Root Certificate Authority|ECDSA_P384|- Root certificate with 384-bit prime elliptic curve digital signature algorithm (ECDSA) - SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE - CERT_KEY_CERT_SIGN_KEY_USAGE CERT_CRL_SIGN_KEY_USAGE|30 years|N/A
+|Dock Certificate Authority|ECC P256 curve|- Host certificate with 256-bit elliptic-curve cryptography (ECC) - SHA 256 Key Usage: CERT_KEY_CERT_SIGN_KEY_USAGE - Path Length Constraint = 0|20 years|1.3.6.1.4.1.311.76.9.21.2 1.3.6.1.4.1.311.76.9.21.3|
+
+ >[!NOTE]
+ >The dock CA must be exported as a .p7b file.
+
+### Provisioning Administration Certificate requirements
+
+Each host device must have the doc CA and two certificates as shown in Table 2.
+
+#### Table 2. Provisioning administration certificate requirements
+
+|Certificate|Algorithm|Description|EKU OID|
+|---|---|---|---|
+|Host authentication certificate|ECC P256 SHA 256|Proves the identity of the host device.|1.3.6.1.4.1.311.76.9.21.2|
+|Provisioning administration certificate|ECC P256 SHA256|Enables you to change dock ownership and/or policy settings by allowing you to replace the CA that's currently installed on the dock.|1.3.6.1.4.1.311.76.9.21.3 1.3.6.1.4.1.311.76.9.21.4|
+
+ >[!NOTE]
+ >The host authentication and provisioning certificates must be exported as .pfx files.
+
+### Create configuration package
+
+When you have obtained or created the certificates, you’re ready to build the MSI configuration package that will be applied to target Surface devices.
+
+1. Run Surface **UEFI Configurator**.
+
+ 
+
+1. Select **Surface Dock**.
+
+ 
+
+1. On the certificate page, enter the appropriate **certificates**.
+
+ 
+
+1. Add appropriate dock RNs to the list.
+
+ >[!NOTE]
+ >When creating a configuration package for multiple Surface Dock 2 devices, instead of entering each RN manually, you can use a .csv file that contains a list of RNs.
+
+1. Specify your policy settings for USB data, Ethernet, and Audio ports. UEFI Configurator lets you configure policy settings for authenticated users (Authenticated Policy) and unauthenticated users (Unauthenticated Policy). The following figure shows port access turned on for authenticated users and turned off for unauthenticated users.
+
+ 
+
+ - Authenticated user refers to a Surface Device that has the appropriate certificates installed, as configured in the .MSI configuration package that you applied to target devices. It applies to any user authenticated user who signs into the device.
+ - Unauthenticated user refers to any other device.
+ - Select **Reset** to create a special “Reset” package that will remove any previous configuration package that the dock had accepted.
+
+1. Select **Build** to create the package as specified.
+
+### Apply the configuration package to a Surface Dock 2
+
+1. Take the MSI file that the Surface UEFI Configurator generated and install it on a Surface host device. Compatible host devices are Surface Book 3, Surface Laptop 3, or Surface Pro 7.
+1. Connect the host device to the Surface Dock 2. When you connect the dock UEFI policy settings are applied.
+
+## Verify managed state using the Surface App
+
+Once you have applied the configuration package, you can quickly verify the resultant policy state of the dock directly from the Surface App, installed by default on all Surface devices. If Surface App isn't present on the device, you can download and install it from the Microsoft Store.
+
+### Test scenario
+
+Objective: Configure policy settings to allow port access by authenticated users only.
+
+1. Turn on all ports for authenticated users and turn them off for unauthenticated users.
+
+ 
+
+1. Apply the configuration package to your target device and then connect Surface Dock 2.
+
+1. Open **Surface App** and select **Surface Dock** to view the resultant policy state of your Surface Dock. If the policy settings are applied, Surface App will indicate that ports are available.
+
+ 
+
+1. Now you need to verify that the policy settings have successfully turned off all ports for unauthenticated users. Connect Surface Dock 2 to an unmanaged device, i.e., any Surface device outside the scope of management for the configuration package you created.
+
+1. Open **Surface App** and select **Surface Dock**. The resultant policy state will indicate ports are turned off.
+
+ 
+
+>[!NOTE]
+>If you want to keep ownership of the device, but allow all users full access, you can make a new package with everything turned on. If you wish to completely remove the restrictions and ownership of the device (make it unmanaged), select **Reset** in Surface UEFI Configurator to create a package to apply to target devices.
+
+Congratulations. You have successfully managed Surface Dock 2 ports on targeted host devices.
+
+## Learn more
+
+- [Surface Enterprise Management Mode (SEMM) documentation](https://docs.microsoft.com/surface/surface-enterprise-management-mode)
+- [Certificate Services Architecture](https://docs.microsoft.com/windows/win32/seccrypto/certificate-services-architecture)
+- [Windows Server 2019 Inside Out](https://www.microsoftpressstore.com/store/windows-server-2019-inside-out-9780135492277)
+- [Windows Server 2008 PKI and Certificate Security](https://www.microsoftpressstore.com/store/windows-server-2008-pki-and-certificate-security-9780735640788)
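Review bot: The certificate lifetimes contradict each other within this hunk: the Prerequisites paragraph says the Dock Certificate Authority needs a 30-year term and the Host Authentication Certificate a 20-year term, but Table 1 gives 30 years to the Root Certificate Authority and 20 years to the Dock Certificate Authority, and Table 2 lists no expiration for the host authentication certificate at all. Since these terms drive what admins actually mint, pick one set of values and state it in both places, and add an Expiration column to Table 2. Related fixes in the same region: the Dock Certificate Authority row describes itself as a "Host certificate", which looks copied from the wrong row; the Root Certificate Authority row is missing its trailing `|`, so the table will not render; "Each host device must have the doc CA" should read "dock CA"; and "It applies to any user authenticated user who signs into the device" has a duplicated word and conflates the device holding the certificate with the signed-in user. Finally, the Reset note says a Reset package makes the dock unmanaged but never says which of the Table 2 certificates has to sign such a package; stating that explicitly (the provisioning administration certificate is the one described as enabling ownership changes) would tell readers what protects the dock from an unauthorized reset.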
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
deleted file mode 100644
index 42f641271c..0000000000
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ /dev/null
@@ -1,410 +0,0 @@
----
-title: Step by step Surface Deployment Accelerator (Surface)
-description: This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices.
-ms.assetid: A944FB9C-4D81-4868-AFF6-B9D1F5CF1032
-ms.reviewer:
-manager: dansimp
-ms.localizationpriority: medium
-keywords: deploy, configure
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: surface, devices
-ms.sitesec: library
-author: coveminer
-ms.author: v-jokai
-ms.topic: article
-ms.date: 10/31/2019
----
-
-# Step by step: Surface Deployment Accelerator
-
-This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices. This article also contains instructions on how to perform these tasks without an Internet connection or without support for Windows Deployment Services network boot (PXE).
-
-> [!NOTE]
-> SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md).
-
-## How to install Surface Deployment Accelerator
-
-For information about prerequisites and instructions for how to download and install SDA, see [Microsoft Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md).
-
-1. Download SDA, which is included in [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) on the Microsoft Download Center.
-
-2. Run the SDA installation file, named **Surface\_Deployment\_Accelerator\_*xxxx*.msi**, where *xxxx* is the current version number.
-
-3. Accept the End User License Agreement (EULA) by selecting the check box, and then click **Install**, as shown in Figure 1.
-
- 
-
- *Figure 1. SDA setup*
-
-4. Click **Finish** to complete the installation of SDA.
-
-The tool installs in the SDA program group, as shown in Figure 2.
-
-
-
-*Figure 2. The SDA program group and icon*
-
->[!NOTE]
->At this point, the tool has not yet prepared any deployment environment or downloaded any materials from the Internet.
-
-## Create a deployment share
-
-The following steps show you how to create a deployment share for Windows 10 that supports Surface 3, Surface Pro 3, Surface Pro 4, Surface Book, the Surface Firmware Tool, the Surface Asset Tag Tool, and Office 365. As you follow the steps below, make the selections that are applicable for your organization. For example, you could choose to deploy Windows 10 to Surface Book only, without any of the Surface apps.
-
->[!NOTE]
->SDA lets you create deployment shares for both Windows 8.1 and Windows 10 deployments, but you can only create a single deployment share at a time. Therefore, to create both Windows 8.1 and Windows 10 deployment shares, you will need to run the tool twice.
-
-1. Open the SDA wizard by double-clicking the icon in the **Surface Deployment Accelerator** program group on the Start screen.
-
-2. On the **Welcome** page, click **Next** to continue.
-
-3. On the **Verify System** page, the SDA wizard verifies the prerequisites required for an SDA deployment share. This process also checks for the presence of the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 2. If these tools are not detected, they are downloaded and installed automatically. Click **Next** to continue.
-
- >[!NOTE]
- >As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows:
- > * Deployment tools
- > * User State Migration Tool (USMT)
- > * Windows Preinstallation Environment (WinPE)
-
- > [!NOTE]
- > As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1.
-
-4. On the **Windows 8.1** page, to create a Windows 10 deployment share, do not select the **Would you like to support Windows 8.1** check box. Click **Next** to continue.
-
-5. On the **Windows 10** page, to create a Windows 10 deployment share, select the **Would you like to support Windows 10** check box. Supply the following information before you click **Next** to continue:
-
- - **Configure Deployment Share for Windows 10**
-
- - **Local Path** – Specify or browse to a location on the local storage device where you would like to store the deployment share files for the Windows 10 SDA deployment share. For example, **E:\\SDAWin10\\** is the location specified in Figure 3.
-
- - **Share Name** – Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**.
-
- - **Windows 10 Deployment Services**
-
- - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot.
-
- - **Windows 10 Source Files**
-
- - **Local Path** – Specify or browse to the root directory of Windows 10 installation files. If you have an ISO file, mount it and browse to the root of the mounted drive. You must have a full set of source files, not just **Install.wim**.
-
- 
-
- *Figure 3. Specify Windows 10 deployment share options*
-
-6. On the **Configure** page, select the check box next to each device or app that you want to include in your deployment share. Note that Surface Pro 4 and Surface Book only support Windows 10 and are not available for the deployment of Windows 8.1. The Surface Firmware Tool is only applicable to Surface 3 and Surface Pro 3 and cannot be selected unless Surface 3 or Surface Pro 3 drivers are selected, as shown in Figure 4. Click **Next** to continue.
-
- 
-
- *Figure 4. Selecting Surface Firmware Tool requires Surface Pro 3 drivers*
-
- >[!NOTE]
- >You cannot select both Surface 3 and Surface 3 LTE models at the same time.
-
-7. On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes:
-
- - Download of Windows ADK
-
- - Installation of Windows ADK
-
- - Download of MDT
-
- - Installation of MDT
-
- - Download of Surface apps and drivers
-
- - Creation of the deployment share
-
- - Import of Windows installation files into the deployment share
-
- - Import of the apps and drivers into the deployment share
-
- - Creation of rules and task sequences for Windows deployment
-
- 
-
- *Figure 5. The Installation Progress window*
-
- ### Optional: Workaround for Webclient exception
-
- You may see this error message while installing the latest version of ADK or MDT: _An exception occurred during a WebClient request._ This is due to incompatibility between the Surface Deployment Accelerator (SDA) and Background Intelligent Transfer Service (BITS). To work around this issue, do the following.
-
- In the two PowerShell scripts:
-
- ```PowerShell
- %ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\Install-MDT.ps1
- %ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\INSTALL-WindowsADK.ps1
- ```
-
- Edit the $BITSTransfer variable in the input parameters to $False as shown below:
-
- ```PowerShell
- Param(
- [Parameter(
- Position=0,
- Mandatory=$False,
- HelpMessage="Download via BITS bool true/false"
- )]
- [string]$BITSTransfer = $False
- )
- ```
-
-8. When the SDA process completes the creation of your deployment share, a **Success** window is displayed. Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows deployment to Surface devices.
-
- ### Optional: Create a deployment share without an Internet connection
-
- If you are unable to connect to the Internet with your deployment server, or if you want to download the Surface drivers and apps separately, you can specify a local source for the driver and app files at the time of deployment share creation. On the **Configure** page of the SDA wizard, select the **Copy from a Local Directory** check box, as shown in Figure 6. The **Download from the Internet** check box will be automatically deselected. Enter the folder location where you have placed the driver and app files in the **Local Path** field, as shown in Figure 6.
-
- >[!NOTE]
- >All of the downloaded driver and applications files must be located in the same folder. If a required driver or application file is missing from the selected folder when you click **Next**, a warning is displayed and the wizard will not proceed to the next step.
-
- >[!NOTE]
- >The driver and app files do not need to be extracted from the downloaded .zip files.
-
- >[!NOTE]
- >Including Office 365 in your deployment share requires an Internet connection and cannot be performed if you use local files.
-
- 
-
- *Figure 6. Specify the Surface driver and app files from a local path*
-
- >[!NOTE]
- >The **Copy from a Local Directory** check box is only available in SDA version 1.90.0221 or later.
-
- ### Optional: Prepare offline USB media
-
- You can use USB media to perform an SDA deployment if your Surface device is unable to boot from the network. For example, if you do not have a Microsoft Surface Ethernet Adapter or Microsoft Surface dock to facilitate network boot (PXE boot). The USB drive produced by following these steps includes a complete copy of the SDA deployment share and can be run on a Surface device without a network connection.
-
- >[!NOTE]
- >The offline media files for the complete SDA deployment share are approximately 9 GB in size. Your USB drive must be at least 9 GB in size. A 16 GB USB drive is recommended.
-
- Before you can create bootable media files within the MDT Deployment Workbench or copy those files to a USB drive, you must first configure that USB drive to be bootable. Using [DiskPart](https://go.microsoft.com/fwlink/p/?LinkId=761073), create a partition, format the partition as FAT32, and set the partition to be active. To run DiskPart, open an administrative PowerShell or Command Prompt window, and then run the following sequence of commands, as shown in Figure 7:
-
- 1. **diskpart** – Opens DiskPart to manage disks and partitions.
-
- 2. **list disk** – Displays a list of the disks available in your system; use this list to identify the disk number that corresponds with your USB drive.
-
- 3. **sel disk 2** – Selects your USB drive; use the number that corresponds with the disk in your system.
-
- 4. **clean** – Removes all configuration from your USB drive.
-
- >[!WARNING]
- >This step will remove all information from your drive. Verify that your USB drive does not contain any needed data before you perform the **clean** command.
-
- 5. **create part pri** – Creates a primary partition on the USB drive.
-
- 6. **format fs=fat32 quick** – Formats the partition with the FAT32 file system, performing a quick format. FAT32 is required to boot the device from UEFI systems like Surface devices.
-
- 7. **assign** – Assigns the next available drive letter to the newly created FAT32 volume.
-
- 8. **active** – Sets the partition to be active, which is required to boot the volume.
-
- 9. **exit** – Exits DiskPart, after which you can close the PowerShell or Command Prompt window.
-
- 
-
- *Figure 7. Use DiskPart to prepare a USB drive for boot*
-
- >[!NOTE]
- >You can format your USB drive with FAT32 from Disk Management, but you must still use DiskPart to set the partition as active for the drive to boot properly.
-
- After you have prepared the USB drive for boot, the next step is to generate offline media from the SDA deployment share. To create this media, follow these steps:
-
- 1. Open the **Deployment Workbench** from the **Microsoft Deployment Toolkit** group on your Start screen.
-
- 2. Expand the **Deployment Shares** node and the **Microsoft Surface Deployment Accelerator** deployment share.
-
- 3. Expand the folder **Advanced Configuration** and select the **Media** folder.
-
-4. Right-click the **Media** folder and click **New Media** as shown in Figure 8 to start the New Media Wizard.
-
- 
-
- *Figure 8. The Media folder of the SDA deployment share*
-
- 5. On the **General Settings** page in the **Media path** field, enter or browse to a folder where you will create the files for the new offline media. See the example **E:\\SDAMedia** in Figure 9. Leave the default profile **Everything** selected in the **Selection profile** drop-down menu, and then click **Next**.
-
- 
-
- *Figure 9. Specify a location and selection profile for your offline media*
-
- 6. On the **Summary** page verify your selections, and then click **Next** to begin creation of the media.
-
- 7. A **Progress** page is displayed while the media is created.
-
- 8. On the **Confirmation** page, click **Finish** to complete creation of the media.
-
- 9. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab as shown in Figure 10.
-
- 
-
- *Figure 10. Rules of the SDA deployment share*
-
- 10. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+C** to copy the text.
-
- 11. Click **OK** to close the **Microsoft Surface Deployment Accelerator** deployment share properties.
-
- 12. Right-click the newly created **MEDIA001** item in the **Media** folder, click **Properties**, and then click the **Rules** tab.
-
- 13. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+V** to paste the text you copied from the **Microsoft Surface Deployment Accelerator** deployment share rules.
-
- 14. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab again. Click the **Bootstrap.ini** button to open Bootstrap.ini in Notepad.
-
- 15. Press **Ctrl+A** to select all of the text in the window, and then press **Ctrl+C** to copy the text.
-
- 16. Close Bootstrap.ini and click **OK** in **Microsoft Surface Deployment Accelerator** deployment share properties to close the window.
-
- 17. Right-click the newly created **MEDIA001** item in the **Media** folder, click **Properties**, and then click the **Rules** tab again. Click the **Bootstrap.ini** button to open Bootstrap.ini in Notepad.
-
- 18. Press **Ctrl+A** to select all of the text in the window, then press **Ctrl+V** to paste the text from the SDA deployment share Bootstrap.ini file.
-
- 19. Delete the following lines from the Bootstrap.ini as shown in Figure 11, and then save the file:
-
- ```PowerShell
- UserID=
- UserDomain=
- UserPassword=
- DeployRoot=\\SDASERVER\SDAWin10
- UserID=
- UserDomain=
- UserPassword=
- ```
-
- 
-
- *Figure 11. The Bootstrap.ini file of MEDIA001*
-
- 20. Close Bootstrap.ini and click **OK** in **MEDIA001** deployment share properties to close the window.
-
- 21. In the **Deployment Workbench** under the **Media** folder, right-click the newly created **MEDIA001** and click **Update Media Content**, as shown in Figure 12. This will update the media files with the content of the **Microsoft Surface Deployment Accelerator** deployment share.
-
- 
-
- *Figure 12. Select the Update Media Content option*
-
- 22. The **Update Media Content** window is displayed and shows the progress as the media files are created. When the process completes, click **Finish.**
-
- The final step is to copy the offline media files to your USB drive.
-
- 1. In File Explorer, open the path you specified in Step 5, for example **E:\\SDAMedia**.
-
- 2. Copy all of the files from the Content folder to the root of the USB drive.
-
- Your USB drive is now configured as bootable offline media that contains all of the resources required to perform a deployment to a Surface device.
-
-## SDA task sequences
-
-The SDA deployment share is configured with all of the resources required to perform a Windows deployment to a Surface device. These resources include Windows source files, image, Surface drivers, and Surface apps. The deployment share also contains two pre-configured task sequences, as shown in Figure 13. These task sequences contain the steps required to perform a deployment to a Surface device using the default Windows image from the installation media or to create a reference image complete with Windows updates and applications. To learn more about task sequences, see [MDT 2013 Update 2 Lite Touch components](https://technet.microsoft.com/itpro/windows/deploy/mdt-2013-lite-touch-components).
-
-
-
-*Figure 13. Task sequences in the Deployment Workbench*
-
-### Deploy Microsoft Surface
-
-The **1 – Deploy Microsoft Surface** task sequence is used to perform a complete deployment of Windows to a Surface device. This task sequence is pre-configured by the SDA wizard and is ready to perform a deployment as soon as the wizard completes. Running this task sequence on a Surface device deploys the unaltered Windows image copied directly from the Windows installation media you specified in the SDA wizard, along with the Surface drivers for your device. The drivers for your Surface device will be automatically selected through the pre-configured deployment share rules.
-
-When you run the task sequence, you will be prompted to provide the following information:
-
-- A computer name
-
-- Your domain information and the credentials required to join the domain
-
-- A product key, if one is required
-
- >[!NOTE]
- >If you are deploying the same version of Windows as the version that came on your device, no product key is required.
-
-- A time zone
-
-- An Administrator password
-
-The Surface apps you specified on the **Configure** page of the SDA wizard are automatically installed when you run this task sequence on a Surface device.
-
-### Create Windows reference image
-
-The **2 – Create Windows Reference Image** task sequence is used to perform a deployment to a virtual machine for the purpose of capturing an image complete with Windows Updates for use in a deployment to Surface devices. By installing Windows Updates in your reference image, you eliminate the need to download and install those updates on each deployed Surface device. The deployment process with an up-to-date image is significantly faster and more efficient than performing a deployment first and then installing Windows Updates on each device.
-
-Like the **1 – Deploy Microsoft Surface** task sequence, the **2 – Create Windows Reference Image** task sequence performs a deployment of the unaltered Windows image directly from the installation media. Creation of a reference image should always be performed on a virtual machine. Using a virtual machine as your reference system helps to ensure that the resulting image is compatible with different hardware configurations.
-
->[!NOTE]
->Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and Microsoft Endpoint Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt).
-
-In addition to the information required by the **1 – Deploy Microsoft Surface** task sequence, you will also be prompted to capture an image when you run this task sequence on your reference virtual machine. The **Location** and **File name** fields are automatically populated with the proper information for your deployment share. All that you need to do is select the **Capture an image of this reference computer** option when you are prompted on the **Capture Image** page of the Windows Deployment Wizard.
-
-## Deployment to Surface devices
-
-
-To perform a deployment from the SDA deployment share, follow this process on the Surface device:
-
-1. Boot the Surface device to MDT boot media for the SDA deployment share. You can do this over the network by using PXE boot, or from a USB drive as described in the [Optional: Prepare offline USB media](#optional) section of this article.
-
-2. Select the deployment share for the version of Windows you intend to deploy and enter your credentials when you are prompted.
-
-3. Select the task sequence you want to run, usually the **1 – Deploy Microsoft Surface** task sequence.
-
-4. Address the task sequence prompts to pick applications, supply a password, and so on.
-
-5. The task sequence performs the automated deployment using the options specified.
-
-### Boot the Surface device from the network
-
-To boot the Surface device from the network, the Microsoft Surface Deployment Accelerator wizard must have been run on a Windows Server 2012 R2 or later environment that was configured with the Windows Deployment Services (WDS). WDS must have been configured to respond to network boot (PXE boot) requests and the boot files must have been imported into WDS. The SDA wizard will import these file automatically if the **Import boot media into the local Windows Deployment Service** check box was selected on the page for the version of Windows you intend to deploy.
-
-To boot the Surface device from the network, you must also use a Microsoft Surface Ethernet Adapter or the Ethernet port on a Microsoft Surface Dock. Third-party Ethernet adapters are not supported for network boot (PXE boot). A keyboard is also required. Both the Microsoft Surface Type Cover and keyboards connected via USB to the device or dock are supported.
-
-To instruct your Surface device to boot from the network, start with the device powered off and follow these steps:
-
-1. Press and hold the **Volume Down** button, press and release the **Power** button. Continue holding the **Volume Down** button until the device has begun to boot from the network.
-
-2. Press **Enter** when prompted by the dialog on the screen. This prompt indicates that your device has found the WDS PXE server over the network.
-
-3. If you have configured more than one deployment share on this device, you will be prompted to select between the boot images for each deployment share. For example, if you created both a Windows 10 and a Windows 8.1 deployment share, you will be prompted to choose between these two options.
-
-4. Enter the domain credentials that you use to log on to the server where SDA is installed when you are prompted, as shown in Figure 14.
-
- 
-
- *Figure 14. The prompt for credentials to the deployment share*
-
-5. The Windows Deployment Wizard will start from the deployment share to walk you through the deployment process.
-
-### Alternatively boot the devices from the USB stick
-
-To boot a device from the USB stick:
-
-1. Press and hold the **Volume Down** button, press and release the **Power** button. Continue holding the **Volume Down** button until the device has begun to boot from the USB drive.
-
-2. The Windows Deployment Wizard will start from the deployment share to walk you through the deployment process.
-
-### Run the Deploy Microsoft Surface task sequence
-
-To run the Deploy Microsoft Surface task sequence:
-
-1. On the **Task Sequence** page, select the **1 – Deploy Microsoft Surface** task sequence as shown in Figure 15, and then click **Next.**
-
- 
-
- *Figure 15. Select the 1 – Deploy Microsoft Surface task sequence*
-
-2. On the **Computer Details** page, type a name for the Surface device in the **Computer Name** box. In the **Join a domain** section, type your domain name and credentials as shown in Figure 16, and then click **Next**.
-
- 
-
- *Figure 16. Enter the computer name and domain information*
-
-3. On the **Product Key** page, keep the **No product key is required** check box selected if you are deploying the same version and edition of Windows to your Surface devices as they came with from the factory. If you are deploying a different version or edition of Windows to the device, such as Windows Enterprise, select the licensing option that is applicable to your scenario.
-
-4. On the **Locale and Time** page, select your desired **Language Settings** and **Time Zone**, and then click **Next.**
-
-5. On the **Administrator Password** page, type a password for the local Administrator account on the Surface device, and then click **Next.**
-
-6. On the **BitLocker** page, select the **Enable BitLocker** option along with your desired configuration of BitLocker protectors if you want to encrypt the device. Otherwise, keep the **Do not enable BitLocker for this computer** check box selected, and then click **Next.**
-
-7. On the **Ready** page, verify your selections and then click **Begin** to start the automated deployment to this device. The deployment will not require user interaction again. The Windows Deployment Wizard will close and an **Installation Progress** window is displayed to show progress of the task sequence as the image is applied and applications are installed (Figure 17).
-
- 
-
- *Figure 17. The Installation Progress window*
-
-8. When the deployment task sequence completes, a **Success** window is displayed. Click **Finish** to complete the deployment and begin using your Surface device.
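Review bot: dropping this walkthrough removes the only steps in the hunk that describe the **Administrator Password** and **BitLocker** choices for the task sequence (steps 5 and 6), so the surrounding article should no longer promise that readers will be told how to set the local Administrator password or enable BitLocker protectors during deployment; also check that nothing left in the file still refers to Figure 15, Figure 16, Figure 17 or the "1 – Deploy Microsoft Surface" task sequence, since their captions and image lines are removed here too.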
diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md
index 4fe99f1ebd..d9f0e6200d 100644
--- a/devices/surface/support-solutions-surface.md
+++ b/devices/surface/support-solutions-surface.md
@@ -1,16 +1,16 @@
---
-title: Top support solutions for Surface devices
+title: Top support solutions for Surface devices in the enterprise
description: Find top solutions for common issues using Surface devices in the enterprise.
ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Troubleshoot common problems, setup issues
ms.prod: w10
ms.mktglfcycl: support
ms.sitesec: library
ms.pagetype: surfacehub
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.date: 09/26/2019
ms.localizationpriority: medium
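Review bot: `ms.date` is left at `09/26/2019` even though the title, `manager` and `ms.author` change here and the article body is restructured in the hunks that follow; bump the date if the site's freshness indicator is meant to reflect this revision, and confirm that `manager: laurawi` is the intended owner given `author: coveminer` is unchanged.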
@@ -20,16 +20,36 @@ ms.audience: itpro
# Top support solutions for Surface devices
> [!Note]
-> **Home users**: This article is only intended for use by IT professionals and technical support agents, and applies only to Surface devices. If you're looking for help with a problem with your home device, please see [Surface Devices Help](https://support.microsoft.com/products/surface-devices).
+> **Home users**: This article is only intended for use by IT professionals and technical support agents, and applies only to Surface devices. If you're looking for help with a problem with your home device, please see [Surface Devices Help](https://support.microsoft.com/products/surface-devices).
-Microsoft regularly releases both updates and solutions for Surface devices. To ensure your devices can receive future updates, including security updates, it's important to keep your Surface devices updated. For a complete listing of the update history, see [Surface update history](https://www.microsoft.com/surface/support/install-update-activate/surface-update-history) and [Install Surface and Windows updates](https://www.microsoft.com/surface/support/performance-and-maintenance/install-software-updates-for-surface?os=windows-10&=undefined).
+These are the Microsoft Support solutions for common issues you may experience using Surface devices in an enterprise. If your issue is not listed here, [contact Microsoft Support](https://support.microsoft.com/supportforbusiness/productselection).
+## Surface Drivers and Firmware
-These are the top Microsoft Support solutions for common issues experienced when using Surface devices in an enterprise.
+Microsoft regularly releases both updates and solutions for Surface devices. To ensure your devices can receive future updates, including security updates, it's important to keep your Surface devices updated.
+
+- [Surface update history](https://www.microsoft.com/surface/support/install-update-activate/surface-update-history)
+- [Install Surface and Windows updates](https://www.microsoft.com/surface/support/performance-and-maintenance/install-software-updates-for-surface?os=windows-10&=undefined)
+- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482)
+- [Deploy the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices)
+- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates)
+- [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906)
+
+## Surface Dock Issues
+
+- [Troubleshoot Surface Dock and docking stations](https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations)
+
+- [Troubleshoot connecting Surface to a second screen](https://support.microsoft.com/help/4023496)
+
+- [Microsoft Surface Dock Firmware Update](https://docs.microsoft.com/surface/surface-dock-updater)
+
+## Device cover or keyboard issues
+
+- [Troubleshoot your Surface Type Cover or keyboard](https://www.microsoft.com/surface/support/hardware-and-drivers/troubleshoot-surface-keyboards)
## Screen cracked or scratched issues
-- [Contact Microsoft Support](https://support.microsoft.com/supportforbusiness/productselection)
+- [Contact Microsoft Support](https://support.microsoft.com/supportforbusiness/productselection)
## Surface Power or battery Issues
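Review bot: the H1 `# Top support solutions for Surface devices` no longer matches the new front-matter title `Top support solutions for Surface devices in the enterprise`; align one with the other. Two smaller points in the same hunk: the `Install Surface and Windows updates` link carries a stray `&=undefined` query parameter (`...install-software-updates-for-surface?os=windows-10&=undefined`) that should be trimmed to `?os=windows-10`, and the `> **Home users**` note and `- [Contact Microsoft Support]` lines appear as a remove/add pair with identical visible text, which suggests a whitespace-only change (trailing spaces or line endings) that could be reverted to keep the diff minimal.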
@@ -41,29 +61,13 @@ These are the top Microsoft Support solutions for common issues experienced when
- [Maximize your Surface battery life](https://support.microsoft.com/help/4483194)
-## Device cover or keyboard issues
+## Reset device
-- [Troubleshoot your Surface Type Cover or keyboard](https://www.microsoft.com/surface/support/hardware-and-drivers/troubleshoot-surface-keyboards)
+- [Creating and using a USB recovery drive for Surface](https://support.microsoft.com/help/4023512)
-## Surface Dock Issues
+- [FAQ: Protecting your data if you send your Surface in for Service](https://support.microsoft.com/help/4023508)
-- [Troubleshoot Surface Dock and docking stations](https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations)
-
-- [Troubleshoot connecting Surface to a second screen](https://support.microsoft.com/help/4023496)
-
-- [Microsoft Surface Dock Firmware Update](https://docs.microsoft.com/surface/surface-dock-updater)
-
-## Surface Drivers and Firmware
-
-- [Surface Update History](https://support.microsoft.com/help/4036283)
-
-- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482)
-
-- [Deploy the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices)
-
-- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates)
-
-- [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906)
+- [Microsoft Surface Data Eraser](https://docs.microsoft.com/surface/microsoft-surface-data-eraser)
## Deployment Issues
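Review bot: the removed `- [Surface Update History](https://support.microsoft.com/help/4036283)` entry is not carried over; the relocated "Surface Drivers and Firmware" section links only the `www.microsoft.com/surface/support/.../surface-update-history` page instead, so confirm the two pages are equivalent (or add a redirect) before dropping the KB link. Also, the added `## Reset device` section lists its three items without the `+` blank lines that the other relocated lists in this change have between entries; make the spacing consistent with the rest of the file.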
@@ -72,11 +76,3 @@ These are the top Microsoft Support solutions for common issues experienced when
- [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/help/4046105)
- [System SKU reference](https://docs.microsoft.com/surface/surface-system-sku-reference)
-
-## Reset device
-
-- [Creating and using a USB recovery drive for Surface](https://support.microsoft.com/help/4023512)
-
-- [FAQ: Protecting your data if you send your Surface in for Service](https://support.microsoft.com/help/4023508)
-
-- [Microsoft Surface Data Eraser](https://docs.microsoft.com/surface/microsoft-surface-data-eraser)
diff --git a/devices/surface/surface-book-gpu-overview.md b/devices/surface/surface-book-gpu-overview.md
new file mode 100644
index 0000000000..337ae2daf6
--- /dev/null
+++ b/devices/surface/surface-book-gpu-overview.md
@@ -0,0 +1,166 @@
+---
+title: Surface Book 3 GPU technical overview
+description: This article provides a technical evaluation of GPU capabilities across Surface Book 3 models.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.localizationpriority: medium
+ms.sitesec: library
+author: coveminer
+ms.author: greglin
+ms.topic: article
+ms.date: 5/06/2020
+ms.reviewer: brrecord
+manager: laurawi
+audience: itpro
+---
+# Surface Book 3 GPU technical overview
+
+## Introduction
+
+Surface Book 3, the most powerful Surface laptop yet released, integrates fully modernized compute and graphics capabilities into its famous detachable form factor. Led by the quad-core 10th Gen Intel® Core™ i7 and NVIDIA® Quadro RTX™ 3000 graphical processing unit (GPU) on the 15-inch model, Surface Book 3 comes in a wide range of configurations for consumers, creative professionals, architects, engineers, and data scientists. This article explains the major differences between the GPU configurations across 13-inch and 15-inch models of Surface Book 3.
+
+A significant differentiator across Surface Book 3 models is the GPU configuration. In addition to the integrated Intel GPU built into all models, all but the entry-level, 13.5-inch core i5 device also feature a discrete NVIDIA GPU with Max-Q Design, which incorporates features that optimize energy efficiency for mobile form factors.
+
+Built into the keyboard base, the additional NVIDIA GPU provides advanced graphics rendering capabilities and comes in two primary configurations: GeForce® GTX® 1650/1660 Ti for consumers or creative professionals and Quadro RTX 3000 for creative professionals, engineers, and other business professionals who need advanced graphics or deep learning capabilities. This article also describes how to optimize app utilization of GPUs by specifying which apps should use the integrated iGPU versus the discrete NVIDIA GPU.
+
+## Surface Book 3 GPUs
+
+This section describes the integrated and discrete GPUs across Surface Book 3 models. For configuration details of all models, refer to [Appendix A: Surface Book 3 SKUs](#).
+
+### Intel Iris™ Plus Graphics
+
+The integrated GPU (iGPU) included on all Surface Book 3 models incorporates a wider graphics engine and a redesigned memory controller with support for LPDDR4X. Installed as the secondary GPU on most Surface Book 3 models, Intel Iris Plus Graphics functions as the singular GPU in the core i5, 13.5-inch model. Although nominally the entry level device in the Surface Book 3 line, it delivers advanced graphics capabilities enabling consumers, hobbyists, and online creators to run the latest productivity software like Adobe Creative Cloud or enjoy gaming titles in 1080p.
+
+### NVIDIA GeForce GTX 1650
+
+NVIDIA GeForce GTX 1650 with Max-Q design delivers a major upgrade of the core streaming multiprocessor to more efficiently handle the complex graphics of modern games. Its
+concurrent execution of floating point and integer operations boosts performance in compute-heavy workloads of modern games. A new unified memory architecture with twice the cache of its predecessor allows for better performance on complex modern games. New shading advancements improve performance, enhance image quality, and deliver new levels of geometric complexity.
+
+### NVIDIA GeForce GTX 1660 Ti
+
+Compared with the GeForce GTX 1650, the faster GeForce GTX 1660 Ti provides Surface Book 3 with additional performance improvements and includes the new and upgraded NVIDIA Encoder, making it better for consumers, gamers, live streamers, and creative professionals.
+
+Thanks to 6 GB of GDDR6 graphics memory, Surface Book 3 models equipped with NVIDIA GeForce GTX 1660 TI provide superior speeds on advanced business productivity software and popular games especially when running the most modern titles or livestreaming. With an optional 2 TB SSD (available in U.S. only), the 15-inch model with GeForce GTX 1660 Ti delivers the most storage of any Surface Book 3 device.
+
+### NVIDIA Quadro RTX 3000
+
+NVIDIA Quadro RTX 3000 unlocks several key features for professional users: ray tracing rendering and AI acceleration, and advanced graphics and compute performance. A combination of 30 RT cores, 240 tensor cores, and 6 GB of GDDR6 graphics memory enables multiple advanced workloads including Al-powered workflows, 3D content creation, advanced video editing, professional broadcasting, and multi-app workflows. Enterprise level hardware and software support integrate deployment tools to maximize uptime and minimize IT support requirements. Certified for the world’s most advanced software, Quadro drivers are optimized for professional applications, and are tuned, tested, and validated to provide app certification, enterprise level stability, reliability, availability, and support with extended product availability.
+
+
+## Comparing GPUs across Surface Book 3
+
+NVIDIA GPUs provide users with great performance for gaming, live streaming, and content creation. GeForce GTX products are great for gamers and content creators. Quadro RTX products are targeted at professional users, provide great performance in gaming and content creation, and also add the following features:
+
+- RTX acceleration for ray tracing and AI. This makes it possible to render film-quality, photorealistic objects and environments with physically accurate shadows, reflections and refractions. And its hardware accelerated AI capabilities means the advanced AI-based features in popular applications can run faster than ever before.
+- Enterprise-level hardware, drivers and support, as well as ISV app certifications.
+- IT management features including an additional layer of dedicated enterprise tools for remote management that help maximize uptime and minimize IT support requirements.
+
+ Unless you count yourself among the ranks of advanced engineering, design, architecture, or data science professionals, Surface Book 3 equipped with NVIDIA GeForce graphics capabilities will likely meet your needs. Conversely, if you’re already in -- or aspiring to join -- a profession that requires highly advanced graphics capabilities in a portable form factor that lets you work from anywhere, Surface Book 3 with Quadro RTX 3000 deserves serious consideration. To learn more, refer to the Surface Book 3 Quadro RTX 3000 technical overview.
+
+**Table 1. Discrete GPUs on Surface Book 3**
+
+| | **GeForce GTX 1650** | **GeForce GTX 1660 Ti** | **Quadro RTX 3000** |
+| -------------------- | -------------------------------------- | -------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
+| **Target users** | Gamers, hobbyists and online creators | Gamers, creative professionals and online creators | Creative professionals, architects, engineers, developers, data scientists |
+| **Workflows** | Graphic design Photography Video | Graphic design Photography Video | Al-powered Workflows App certifications High-res video Pro broadcasting Multi-app workflows |
+| **Key apps** | Adobe Creative Suite | Adobe Creative Suite | Adobe Creative Suite Autodesk AutoCAD Dassault Systemes SolidWorks |
+| **GPU acceleration** | Video and image processing | Video and image processing | Ray tracing + AI + 6K video Pro broadcasting features Enterprise support |
+
+
+
+**Table 2. GPU tech specs on Surface Book 3**
+
+| | **GeForce GTX 1650** | **GeForce GTX 1660 Ti** | **Quadro RTX 3000** |
+| -------------------------------------------------------- | -------------------- | ----------------------- | ------------------- |
+| **NVIDIA CUDA processing cores** | 1024 | 1536 | 1920 |
+| **NVIDIA Tensor Cores** | No | No | 240 |
+| **NVIDIA RT Cores** | No | No | 30 |
+| **GPU memory** | 4 GB | 6 GB | 6 GB |
+| **Memory Bandwidth (GB/sec)** | Up to 112 | Up to 288 | Up to 288 |
+| **Memory type** | GDDR5 | GDDR6 | GDDR6 |
+| **Memory interface** | 128-bit | 192-bit | 192-bit |
+| **Boost clock MHz** | 1245 | 1425 | 1305 |
+| **Base clock (MHz)** | 1020 | 1245 | 765 |
+| **Real-time ray tracing** | No | No | Yes |
+| **AI hardware acceleration** | No | No | Yes |
+| **Hardware Encoder** | Yes | Yes | Yes |
+| **Game Ready Driver (GRD)** | Yes 1 | Yes 1 |Yes 2
+| **Studio Driver (SD)** | Yes 1 | Yes1 | Yes 1 |
+| **Optimal Driver for Enterprise (ODE)** | No | No | Yes |
+| **Quadro New Feature Driver (QNF)** | No | No | Yes |
+| **Microsoft DirectX 12 API, Vulkan API, Open GL 4.6** | Yes | Yes | Yes |
+| **High-bandwidth Digital Content Protection (HDCP) 2.2** | Yes | Yes | Yes |
+| **NVIDIA GPU Boost** | Yes | Yes | Yes |
+
+
+ 1. *Recommended*
+ 2. *Supported*
+
+## Optimizing power and performance on Surface Book 3
+
+Windows 10 includes a Battery Saver mode with a performance slider that lets you maximize app performance (by sliding it to the right) or preserve battery life (by sliding it to the left). Surface Book 3 implements this functionality algorithmically to optimize power and performance across the following components:
+
+- CPU Energy Efficiency Registers (Intel Speed Shift technology) and other SoC tuning parameters to maximize efficiency.
+- Fan Maximum RPM with four modes: quiet, nominal, performance, and max.
+- Processor Power Caps (PL1/PL2).
+- Processor IA Turbo limitations.
+
+By default, when the battery drops below 20 percent, the Battery Saver adjusts settings to extend battery life. When connected to power, Surface Book 3 defaults to “Best Performance” settings to ensure apps run in high performance mode on the secondary NVIDIA GPU present on all i7 Surface Book 3 systems.
+
+Using default settings is recommended for optimal performance when used as a laptop or detached in tablet or studio mode. You can access Battery Saver by selecting the battery icon on the far right of the taskbar.
+
+### Game mode
+
+Surface Book 3 includes a new game mode that automatically selects maximum performance settings when launched.
+
+### Safe Detach
+
+New in Surface Book 3, apps enabled for Safe Detach let you disconnect while the app is using the GPU. For supported apps like *World of Warcraft*, your work is moved to the iGPU.
+
+### Modifying app settings to always use a specific GPU
+
+You can switch between the power-saving but still capable built-in Intel graphics and the more powerful discrete NVIDIA GPU and associate a GPU with a specific app. By default, Windows 10 automatically chooses the appropriate GPU, assigning graphically demanding apps to the discrete NVIDIA GPU. In most instances there is no need to manually adjust these settings. However, if you frequently detach and reattach the display from the keyboard base while using a graphically demanding app, you’ll typically need to close the app prior to detaching. To enable continuous use of the app without having to close it every time you detach or reattach the display, you can assign it to the integrated GPU, albeit with some loss of graphics performance.
+
+In some instances, Windows 10 may assign a graphically demanding app to be iGPU; for example, if the app is not fully optimized for hybrid graphics. To remedy this, you can manually assign the app to the discrete NVIDIA GPU.
+
+**To configure apps using custom per-GPU options:**
+
+1. Go to **Settings** > **System** > **Display** and select **Graphics Settings**.
+
+ 1. For a Windows desktop program, choose **Classic App** > **Browse** and then locate the program.
+ 2. For a UWP app, choose **Universal App** and then select the app from the drop-down list.
+
+2. Select **Add** to create a new entry on the list for your selected program, select Options to open Graphics Specifications, and then select your desired option.
+
+ 
+
+3. To verify which GPU are used for each app, open **Task Manager,** select **Performance,** and view the **GPU Engine** column.
+
+
+## Appendix A: Surface Book 3 SKUs
+
+| **Display** | **Processor** | **GPU** | **RAM** | **Storage** |
+| ------------- | --------------------------------- | ---------------------------------------------------------------------------------------------------- | ---------- | ----------- |
+| **13.5-inch** | Quad-core 10th Gen Core i5-1035G7 | Intel Iris™ Plus Graphics | 16 LPDDR4x | 256 GB |
+| **13.5-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics NVIDIA GeForce GTX 1650. Max-Q Design with 4GB GDDR5 graphics memory | 16 LPDDR4x | 256 GB |
+| **13.5-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics NVIDIA GeForce GTX 1650. Max-Q Design with 4GB GDDR5 graphics memory | 32 LPDDR4x | 512 GB |
+| **13.5-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics NVIDIA GeForce GTX 1650. Max-Q Design with 4GB GDDR5 graphics memory | 32 LPDDR4x | 1 TB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics NVIDIA GeForce GTX 1660 Ti. Max-Q Design with 6GB GDDR6 graphics memory | 16 LPDDR4x | 256 GB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics NVIDIA GeForce GTX 1660 Ti. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 512 GB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics NVIDIA GeForce GTX 1660 Ti. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 1 TB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics NVIDIA GeForce GTX 1660 Ti. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 2 TB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics NVIDIA Quadro RTX 3000. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 512 GB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics NVIDIA Quadro RTX 3000. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 1 TB |
+
+> [!NOTE]
+> 2TB SSD available in U.S. only: Surface Book 3 15” with NVIDIA GTX 1660Ti
+
+## Summary
+
+Built for performance, Surface Book 3 includes different GPU configurations optimized to meet specific workload and use requirements. An integrated Intel Iris graphics GPU functions as the sole GPU on the entry-level core i5 device and as a secondary GPU on all other models. GeForce GTX 1650 features a major upgrade of the core streaming multiprocessor to run complex graphics more efficiently. The faster GeForce GTX 1660 Ti provides Surface Book 3 with additional performance improvements making it better for consumers, gamers, live streamers, and creative professionals. Quadro RTX 3000 unlocks several key features for professional users: ray tracing rendering and AI acceleration, and advanced graphics and compute performance.
+
+
+## Learn more
+
+- [Surface Book 3 Quadro RTX 3000 technical overview](surface-book-quadro.md)
+- [Surface for Business](https://www.microsoft.com/surface/business)
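Review bot: the cross-reference `[Appendix A: Surface Book 3 SKUs](#)` in the "Surface Book 3 GPUs" section has an empty anchor and will jump to the top of the page; it should point at `#appendix-a-surface-book-3-skus`. Other fixes needed in this new file: "Al-powered" (lowercase L) appears in the Quadro RTX 3000 paragraph and in Table 1 and should read "AI-powered"; in Table 2 the `**Game Ready Driver (GRD)**` row is missing its closing `|`, and the footnote markers are inconsistent (`Yes 1`, `Yes1`, `Yes 2`), so the row will not render and the markers should use one form; the GeForce GTX 1650 paragraph is split mid-sentence ("Its" / "concurrent execution ..."); "Windows 10 may assign a graphically demanding app to be iGPU" should be "to the iGPU"; "To verify which GPU are used" should be "which GPU is used"; the Appendix A RAM column gives `16 LPDDR4x` / `32 LPDDR4x` without the GB unit; and `ms.date: 5/06/2020` does not follow the `MM/DD/YYYY` form used elsewhere in the repo (`09/26/2019`).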
diff --git a/devices/surface/surface-book-quadro.md b/devices/surface/surface-book-quadro.md
new file mode 100644
index 0000000000..c1e6f3bcc2
--- /dev/null
+++ b/devices/surface/surface-book-quadro.md
@@ -0,0 +1,136 @@
+---
+title: Surface Book 3 GPU technical overview
+description: This article describes the advanced capabilities enabled by Nvidia Quadro RTX 3000 in select Surface Book 3 for Business 15-inch models.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.localizationpriority: medium
+ms.sitesec: library
+author: coveminer
+ms.author: greglin
+ms.topic: article
+ms.date: 5/06/2020
+ms.reviewer: brrecord
+manager: laurawi
+audience: itpro
+---
+
+# Surface Book 3 Quadro RTX 3000 technical overview
+
+Surface Book 3 for Business powered by the NVIDIA® Quadro RTX™ 3000 GPU is built for professionals who need real-time rendering, AI acceleration, advanced graphics, and compute performance in a portable form factor. Quadro RTX 3000 fundamentally changes what you can do with the new Surface Book 3:
+
+- **Ray Tracing** - Produce stunning renders, designs and animations faster than ever before with 30 RT Cores for hardware-accelerated ray tracing.
+- **Artificial Intelligence** - Remove redundant, tedious tasks and compute intensive work with 240 Tensor Cores for GPU-accelerated AI.
+- **Advanced Graphics and Compute Technology** - Experience remarkable speed and interactivity during your most taxing graphics and compute workloads with 1,920 CUDA Cores and 6GB of GDDR6 memory.
+
+## Enterprise grade solution
+
+Of paramount importance to commercial customers, Quadro RTX 3000 brings a fully professional-grade solution that combines accelerated ray tracing and deep learning capabilities with an integrated enterprise level management and support solution. Quadro drivers are tested and certified for more than 100 professional applications by leading ISVs, providing an additional layer of quality assurance to validate stability, reliability, and performance.
+
+Quadro includes dedicated enterprise tools for remote management of Surface Book 3 devices with Quadro RTX 3000. IT admins can remotely configure graphics systems, save/restore configurations, continuously monitor graphics systems, and perform remote troubleshooting if necessary. These capabilities along with deployment tools help maximize uptime and minimize IT support requirements.
+
+NVIDIA develops and maintains Quadro Optimal Drivers for Enterprise (ODE) that are tuned, tested, and validated to provide enterprise level stability, reliability, availability, and support with extended product availability. Each driver release involves more than 2,000 man-days of testing with professional applications test suites and test cases, as well as WHQL certification. Security threats are continually monitored, and regular security updates are released to protect against newly discovered vulnerabilities. In addition, Quadro drivers undergo an additional layer of testing by Surface engineering prior to release via Windows Update.
+
+
+## Built for compute-intensive workloads
+
+The Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, enabling advanced professionals to work from anywhere.
+
+- **Creative professionals such as designers and animators.** Quadro RTX enables real-time cinematic-quality rendering through Turing-optimized ray tracing APIs such as NVIDIA OptiX, Microsoft DXR, and Vulkan.
+- **Architects and engineers using large, complex computer aided design (CAD) models and assemblies.** The RTX platform features the new NGX SDK to infuse powerful AI-enhanced capabilities into visual applications. This frees up time and resources through intelligent manipulation of images, automation of repetitive tasks, and optimization of compute-intensive processes.
+- **Software developers across manufacturing, media and entertainment, medical, and other industries.** Quadro RTX speeds application development with ray tracing, deep learning, and rasterization capabilities through industry-leading software SDKs and APIs.
+- **Data scientists using Tensor Cores and CUDA cores to accelerate computationally intensive tasks and other deep learning operations.** By using sensors, increased connectivity, and deep learning, researchers and developers can enable AI applications for everything from autonomous vehicles to scientific research.
+
+
+**Table 1. Quadro RTX 3000 performance features**
+
+| **Component** | **Description** |
+| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| RT cores | Dedicated hardware-based ray-tracing technology allows the GPU to render film quality, photorealistic objects and environments with physically accurate shadows, reflections, and refractions. The real-time ray-tracing engine works with NVIDIA OptiX, Microsoft DXR, and Vulkan APIs to deliver a level of realism far beyond what is possible using traditional rendering techniques. RT cores accelerate the Bounding Volume Hierarchy (BVH) traversal and ray casting functions using low number of rays casted through a pixel. |
+| Enhanced tensor cores | Mixed-precision cores purpose-built for deep learning matrix arithmetic, deliver 8x TFLOPS for training compared with previous generation. Quadro RTX 3000 utilizes 240 Tensor Cores; each Tensor Core performs 64 floating point fused multiply-add (FMA) operations per clock, and each streaming multiprocessor (SM) performs a total of 1,024 individual floating-point operations per clock. In addition to supporting FP16/FP32 matrix operations, new Tensor Cores added INT8 (2,048 integer operations per clock) and experimental INT4 and INT1 (binary) precision modes for matrix operations. |
+| Turing optimized software | Deep learning frameworks such as the Microsoft Cognitive Toolkit (CNTK), Caffe2, MXNet, TensorFlow, and others deliver significantly faster training times and higher multi-node training performance. GPU accelerated libraries such as cuDNN, cuBLAS, and TensorRT deliver higher performance for both deep learning inference and High-Performance Computing (HPC) applications. |
+| NVIDIA CUDA parallel computing platform | Natively execute standard programming languages like C/C++ and Fortran, and APIs such as OpenCL, OpenACC and Direct Compute to accelerate techniques such as ray tracing, video and image processing, and computation fluid dynamics. |
+| Advanced streaming multiprocessor (SM) architecture | Combined shared memory and L1 cache improve performance significantly, while simplifying programming and reducing the tuning required to attain the best application performance. |
+| High performance GDDR6 Memory | Quadro RTX 3000 features 6GB of frame buffer, making it the ideal platform for handling large datasets and latency-sensitive applications. |
+| Single instruction, multiple thread (SIMT) | New independent thread scheduling capability enables finer-grain synchronization and cooperation between parallel threads by sharing resources among small jobs. |
+| Mixed-precision computing | 16-bit floating-point precision computing enables the training and deployment of larger neural networks. With independent parallel integer and floating-point data paths, the Turing SM handles workloads more efficiently using a mix of computation and addressing calculations. |
+| Dynamic load balancing | Provides dynamic allocation capabilities of GPU resources for graphics and compute tasks as needed to maximize resource utilization. |
+| Compute preemption | Preemption at the instruction-level provides finer grain control over compute tasks to prevent long-running applications from either monopolizing system resources or timing out. |
+| H.264, H.265 and HEVC encode/decode engines | Enables faster than real-time performance for transcoding, video editing, and other encoding applications with two dedicated H.264 and HEVC encode engines and a dedicated decode engine that are independent of 3D/compute pipeline. |
+| NVIDIA GPU boost 4.0 | Maximizes application performance automatically without exceeding the power and thermal envelope of the GPU. Allows applications to stay within the boost clock state longer under higher temperature threshold before dropping to a secondary temperature setting base clock. |
+
+ **Table 2. Quadro RTX tech specs**
+
+| **Component** | **Description** |
+| ---------------------------------------------------------- | --------------- |
+| NVIDIA CUDA processing cores | 1,920 |
+| NVIDIA RT Cores | 30 |
+| Tensor Cores | 240 |
+| GPU memory | 6 GB |
+| Memory bandwidth | 288 Gbps |
+| Memory type | GDDR6 |
+| Memory interface | 192-bit |
+| TGP max power consumption | 65W |
+| Display port | 1.4 |
+| OpenGL | 4.6 |
+| Shader model | 5.1 |
+| DirectX | 12.1 |
+| PCIe generation | 3 |
+| Single precision floating point performance (TFLOPS, Peak) | 5.4 |
+| Tensor performance (TOPS, Peak) | 42.9 |
+| NVIDIA FXAA/TX AA antialiasing | Yes |
+| GPU direct for video | Yes |
+| Vulkan support | Yes |
+| NVIDIA 3D vision Pro | Yes |
+| NVIDIA Optimus | Yes |
+
+
+## App acceleration
+
+The following table shows how Quadro RTX 3000 provides significantly faster acceleration across leading professional applications. It includes SPECview perf 13 benchmark test results comparing the Surface Book 3 15-inch with NVIDIA Quadro RTX 3000 versus the Surface Book 2 15-inch with NVIDIA GeForce GTX 1060 devices in the market as of March 2020.
+
+**Table 3. App acceleration on Surface Book 3 with Quadro RTX 3000**
+
+| **App** | **Quadro RTX 3000 app acceleration capabilities** |
+| ------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Adobe Dimension | - RTX-accelerated ray tracing delivers photorealistic 3D rendering to 2D artists and designers. |
+| Adobe Substance Alchemist | - Create and blend materials with ease, featuring RTX-accelerated AI. |
+| Adobe Substance Painter | - Paint materials onto 3d models, featuring RTX accelerated bakers, and Iray RTX rendering which generates photorealistic imagery for interactive and batch rendering workflows. |
+| Adobe Substance Designer | - Author procedural materials featuring RTX accelerated bakers - Uses NVIDIA Iray rendering including textures/substances and bitmap texture export to render in any Iray that is compatible with MDL. - DXR-accelerated light and ambient occlusion baking. |
+| Adobe Photoshop | - CUDA core acceleration enables faster editing with 30+ GPU-accelerated features such as blur gallery, liquify, smart sharpen, and perspective warp enable photographers and designers to modify images smoothly and quickly. |
+| Adobe Lightroom | - Faster editing high res images with GPU-accelerated viewport, which enables the modeling of larger 3D scenes, and the rigging of more complex animations. - GPU-accelerated image processing enables dramatically more responsive adjustments, especially on 4K or higher resolution displays. - GPU-accelerated AI-powered “Enhance Details” for refining fine color detail of RAW images. |
+| Adobe Illustrator | - Pan and zoom with GPU-accelerated canvas faster, which enables graphic designers and illustrators to pan across and zoom in and out of complex vector graphics smoothly and interactively. |
+| Adobe Premiere Pro | - Significantly faster editing and rendering video with GPU-accelerated effects vs CPU. - GPU-accelerated effects with NVIDIA CUDA technology for real-time video editing and faster final frame rendering. - GPU-accelerated AI Auto Reframe feature for intelligently converting landscape video to dynamically tracked portrait or square video. |
+| Autodesk Revit | - GPU-accelerated viewport for a smoother, more interactive design experience. - Supports 3rd party GPU-accelerated 3D renderers such as V-Ray and Enscape. |
+| Autodesk 3ds Max | - GPU-accelerated viewport graphics for fast, interactive 3D modelling and design. - RTX-accelerated ray tracing and AI denoising with the default Arnold renderer. - More than 70 percent faster compared with Surface Book 2 15”. |
+| Autodesk Maya | - RTX-accelerated ray tracing and AI denoising with the default Arnold renderer. - OpenGL Viewport Acceleration. |
+| Dassault Systemes Solidworks | - Solidworks Interactive Ray Tracer (Visualize) accelerated by both RT Cores and Tensor Cores; AI-accelerated denoiser. - Runs more than 50% faster compared with Surface Book 2 15”. |
+| Dassault Systemes 3D Experience Platform | - CATIA Interactive Ray Tracer (Live Rendering) accelerated by RT Cores. - Catia runs more than 100% faster compared with Surface Book 2 15". |
+| ImageVis3D | - Runs more than 2x faster compared with Surface Book 2 15”. |
+| McNeel & Associates Rhino 3D | - GPU-accelerated viewport for a smooth and interactive modelling and design experience. - Supports Cycles for GPU-accelerated 3D rendering. |
+| Siemens NX | - Siemens NX Interactive Ray Tracer (Ray Traced Studio) accelerated by RT Cores. - Runs more than 10x faster compared with Surface Book 2 15”. |
+| Esri ArcGIS | - Real-time results from what took days and weeks, due to DL inferencing leveraging tensor cores. |
+| PTC Creo | - Creo's real-time engineering simulation tool (Creo Simulation Live) built on CUDA. - Runs more than 15% faster compared with Surface Book 2 15”. |
+| Luxion KeyShot | - 3rd party Interactive Ray Tracer used by Solidworks, Creo, and Rhino. Accelerated by RT Cores, OptiX™ AI-accelerated denoising. |
+| ANSYS Discovery Live | - ANSYS real-time engineering simulation tool (ANSYS Discovery Live) built on CUDA. |
+## SKUs
+
+**Table 4. Surface Book 3 with Quadro RTX 3000 SKUs**
+
+| **Display** | **Processor** | **GPU** | **RAM** | **Storage** |
+| ----------- | --------------------------------- | ------------------------------------------------------------------------------------------------ | ---------- | ----------- |
+| 15-inch | Quad-core 10th Gen Core i7-1065G7 | Intel Iris™ Plus Graphics NVIDIA Quadro RTX 3000. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 512 GB |
+| 15-inch | Quad-core 10th Gen Core i7-1065G7 | Intel Iris™ Plus Graphics NVIDIA Quadro RTX 3000. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 1 TB |
+
+## Summary
+
+The Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, providing architects, engineers, developers, and data scientists with the tools they need to work efficiently from anywhere:
+
+- RTX-acceleration across multiple workflows like design, animation, video production, and more.
+- Desktop-grade performance in a mobile form factor.
+- Enterprise-class features, reliability, and support for mission-critical projects.
+
+## Learn more
+
+- [Surface Book 3 GPU technical overview](surface-book-GPU-overview.md)
+- [Surface for Business](https://www.microsoft.com/surface/business)
+- [Microsoft Cognitive Toolkit (CNTK)](https://docs.microsoft.com/cognitive-toolkit/)
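Review bot: the Table 2 "Memory bandwidth" row reads "288 Gbps"; GPU memory bandwidth is conventionally stated in GB/s (bytes, not bits), and with the 192-bit GDDR6 interface listed two rows below the figure in bits would be eight times larger, so confirm the unit before this ships. Also in this hunk: the Table 4 RAM cells read "32 LPDDR4x" with no unit (presumably GB, matching the "6GB GDDR6" in the same row); "SPECview perf 13" in the App acceleration intro should be the benchmark's actual name "SPECviewperf 13"; "3d models" in the Substance Painter row should be "3D"; and "## SKUs" follows the last Table 3 row with no blank line, so add one to keep the table from running into the heading in some renderers.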
diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
index 15f3dc33f0..19eb605696 100644
--- a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
+++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
@@ -7,12 +7,12 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.reviewer: scottmca
-manager: dansimp
+manager: laurawi
---
# Surface device compatibility with Windows 10 Long-Term Servicing Channel (LTSC)
diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md
index 9c71c1cee4..ae9ddc100b 100644
--- a/devices/surface/surface-diagnostic-toolkit-business.md
+++ b/devices/surface/surface-diagnostic-toolkit-business.md
@@ -6,12 +6,12 @@ ms.mktglfcycl: manage
ms.localizationpriority: medium
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
-ms.date: 10/31/2019
+ms.date: 05/11/2020
ms.reviewer: hachidan
-manager: dansimp
-ms.audience: itpro
+manager: laurawi
+audience: itpro
---
# Deploy Surface Diagnostic Toolkit for Business
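Review bot: `ms.audience: itpro` is renamed to `audience: itpro` here and in surface-enterprise-management-mode.md, but the other files touched by this change (surface-diagnostic-toolkit-command-line.md, -desktop-mode.md, -for-business-intro.md, surface-manage-dfci-guide.md, surface-pro-arm-app-management.md, surface-pro-arm-app-performance.md, surface-system-sku-reference.md) keep `ms.audience`; pick one key for the whole set so the metadata stays consistent.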
@@ -41,6 +41,9 @@ Command line | Directly troubleshoot Surface devices remotely without user inter
SDT for Business is supported on Surface 3 and later devices, including:
+- Surface Book 3
+- Surface Go 2
+- Surface Pro X
- Surface Pro 7
- Surface Laptop 3
- Surface Pro 6
@@ -116,6 +119,7 @@ In addition to the .exe file, SDT installs a JSON file and an admin.dll file (mo
*Figure 2. Files installed by SDT*
+
## Preparing the SDT package for distribution
Creating a custom package allows you to target the tool to specific known issues.
@@ -170,6 +174,18 @@ You can select to run a wide range of logs across applications, drivers, hardwar
- [Use Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
## Changes and updates
+
+### Version 2.94.139.0
+*Release date: May 11, 2020*
+This version of Surface Diagnostic Toolkit for Business adds support for the following:
+
+- Ability to skip Windows Update to perform hardware check.
+- Ability to receive notifications for about the latest version update
+- Surface Go 2
+- Surface Book 3
+- Show progress indicator
+
+
### Version 2.43.139.0
*Release date: October 21, 2019*
This version of Surface Diagnostic Toolkit for Business adds support for the following:
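Review bot: "Ability to receive notifications for about the latest version update" has a stray word ("for about"); suggest "Ability to receive notifications about the latest version update." The bullets in this list also end inconsistently (the first with a period, the rest without), and the two blank lines before "### Version 2.43.139.0" can be collapsed to one to match the spacing of the other version entries.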
diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md
index 7dca10584e..d7b8828415 100644
--- a/devices/surface/surface-diagnostic-toolkit-command-line.md
+++ b/devices/surface/surface-diagnostic-toolkit-command-line.md
@@ -5,10 +5,10 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
index 8586cb543a..7734d2a4fa 100644
--- a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
+++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
@@ -5,10 +5,10 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
index 1a417a6bcd..10939f979e 100644
--- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
+++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
@@ -5,10 +5,10 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.reviewer: cottmca
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
@@ -29,7 +29,7 @@ Before you run the diagnostic tool, make sure you have the latest Windows update
**To run the Surface Diagnostic Toolkit for Business:**
-1. Download the [Surface Diagnostic Toolkit for Business](https://aka.ms/SDT4B).
+1. Download the Surface Diagnostic Toolkit for Business. To do this, go to the [**Surface Tools for IT** download page](https://www.microsoft.com/download/details.aspx?id=46703), choose **Download**, select **Surface Diagnostic Toolkit for Business** from the provided list, and choose **Next**.
2. Select Run and follow the on-screen instructions. For full details, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business).
The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required.
diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md
index d748891d49..26264b1509 100644
--- a/devices/surface/surface-dock-firmware-update.md
+++ b/devices/surface/surface-dock-firmware-update.md
@@ -1,5 +1,5 @@
---
-title: Microsoft Surface Dock Firmware Update
+title: Microsoft Surface Dock Firmware Update - Technical information for IT administrators
description: This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
ms.localizationpriority: medium
ms.prod: w10
@@ -9,25 +9,34 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.reviewer: scottmca
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
-# Microsoft Surface Dock Firmware Update
-
-This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
-
-Microsoft Surface Dock Firmware Update supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. It was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number). The earlier tool is no longer available for download and should not be used.
+# Microsoft Surface Dock Firmware Update: Technical information for IT administrators
> [!IMPORTANT]
->Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version.
+> This article contains technical instructions for IT administrators. If you are a home user, please see [How to update your Surface Dock Firmware](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) on the Microsoft Support site. The instructions at the support site are the same as the general installation steps below, but this article has additional information for monitoring, verifying, and deploying the update to multiple devices on a network.
+
+This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
+
+This tool supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. The earlier tool was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number) and is no longer available for download and should not be used.
+
+## Install the Surface Dock Firmware Update
+
+This section describes how to manually install the firmware update.
+
+> [!NOTE]
+> Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version.
+
+1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703).
+ - The update requires a Surface device running Windows 10, version 1803 or later.
+ - Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update.
+
+2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted.
## Monitor the Surface Dock Firmware Update
-This section is optional and provides an overview of how to monitor installation of the firmware update. When you are ready to install the update, see [Install the Surface Dock Firmware Update](#install-the-surface-dock-firmware-update) below. For more detailed information about monitoring the update process, see the following sections in this article:
- - [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update)
- - [Event logging](#event-logging)
- - [Troubleshooting tips](#troubleshooting-tips)
- - [Versions reference](#versions-reference)
+This section is optional and provides an overview of how to monitor installation of the firmware update.
To monitor the update:
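Review bot: the warning that the MSI is not self-updating is downgraded from [!IMPORTANT] to [!NOTE] when it moves under the Install heading; since an already-deployed MSI silently stopping at an old firmware version is exactly what an admin has to plan around, consider keeping it as [!IMPORTANT]. Minor: in step 2, "update the dock silently in background" should read "in the background".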
@@ -39,7 +48,6 @@ To monitor the update:
Reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters"
```
3. Install the update as described in the [next section](#install-the-surface-dock-firmware-update) of this article.
-
4. Event 2007 with the following text indicates a successful update: **Firmware update finished. hr=0 DriverTelementry EventCode = 2007**.
- If the update is not successful, then event ID 2007 will be displayed as an **Error** event rather than **Information**. Additionally, the version reported in the Windows Registry will not be current.
5. When the update is complete, updated DWORD values will be displayed in the Windows Registry, corresponding to the current version of the tool. See the [Versions reference](#versions-reference) section in this article for details. For example:
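Review bot: step 3 still says "Install the update as described in the [next section](#install-the-surface-dock-firmware-update)", but after this restructuring the Install section precedes the Monitor section, so the wording should read "previous section" (the anchor itself still resolves).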
@@ -49,15 +57,11 @@ To monitor the update:
>[!TIP]
>If you see "The description for Event ID xxxx from source SurfaceDockFwUpdate cannot be found" in event text, this is expected and can be ignored.
-## Install the Surface Dock Firmware Update
-
-This section describes how to install the firmware update.
-
-1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703).
- - The update requires a Surface device running Windows 10, version 1803 or later.
- - Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update.
-
-2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted.
+Also see the following sections in this article:
+ - [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update)
+ - [Event logging](#event-logging)
+ - [Troubleshooting tips](#troubleshooting-tips)
+ - [Versions reference](#versions-reference)
## Network deployment
diff --git a/devices/surface/surface-dock-whats-new.md b/devices/surface/surface-dock-whats-new.md
new file mode 100644
index 0000000000..f3443b6c31
--- /dev/null
+++ b/devices/surface/surface-dock-whats-new.md
@@ -0,0 +1,122 @@
+---
+title: What’s new in Surface Dock 2
+description: This article highlights new features and functionality for the next generation Surface Dock.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.localizationpriority: medium
+ms.sitesec: library
+author: coveminer
+ms.author: greglin
+ms.topic: article
+ms.date: 5/29/2020
+ms.reviewer: brrecord
+manager: laurawi
+audience: itpro
+---
+# What’s new in Surface Dock 2
+
+Surface Dock 2, the next generation Surface dock, lets users connect external monitors and multiple peripherals to obtain a fully modernized desktop experience from a Surface device. Built to maximize efficiency at the office, in a flexible workspace, or at home, Surface Dock 2 features seven ports, including two front-facing USB-C ports, with 15 watts of fast charging power for phone and accessories. Surface Dock 2 is designed to simplify IT management, enabling admins to automate firmware updates using Windows Update or centralize updates with internal software distribution tools. Surface Enterprise Management Mode (SEMM) now enables IT admins to secure ports on Surface Dock 2. For more information, see [Secure Surface Dock 2 ports with Surface Enterprise Management Mode](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/secure-surface-dock-2-ports-with-surface-enterprise-management/ba-p/1418999).
+
+## General system requirements
+
+- Windows 10 version 1809. There is no support for Windows 7, Windows 8, or non-Surface host devices. Surface Dock 2 works with the following Surface devices:
+
+ - Surface Pro (5th Gen)
+ - Surface Pro (5th Gen) with LTE Advanced
+ - Surface Laptop (1st Gen)
+ - Surface Pro 6
+ - Surface Book 2
+ - Surface Laptop 2
+ - Surface Go
+ - Surface Go with LTE Advanced
+ - Surface Pro 7
+ - Surface Laptop 3
+ - Surface Book 3
+ - Surface Go 2
+ - Surface Go 2 with LTE Advanced
+
+
+## Surface Dock 2 Components
+
+
+
+### USB
+
+- Two front facing USB-C ports.
+- Two rear facing USB-C (gen 2) ports.
+- Two rear facing USB-A ports.
+
+### Video
+
+- Dual 4K@60hz. Supports up to two displays on the following devices:
+
+ - Surface Book 3
+ - Surface Go 2
+ - Surface Go 2 with LTE Advanced
+ - Surface Pro 7
+ - Surface Pro X
+ - Surface Laptop 3
+
+- Dual 4K@ 4K@30Hz. Supports up to two displays on the following devices:
+
+ - Surface Pro 6
+ - Surface Pro (5th Gen)
+ - Surface Pro (5th Gen) with LTE Advanced
+ - Surface Laptop 2
+ - Surface Laptop (1st Gen)
+ - Surface Go
+ - Surface Book 2.
+
+### Ethernet
+
+- 1 gigabit Ethernet port.
+
+### External Power supply
+
+- 199 watts supporting 100V-240V.
+
+
+## Comparing Surface Dock 2
+
+### Table 1. Surface Dock 2 tech specs comparison
+
+|Component|Surface Dock|Surface Dock 2|
+|---|---|---|
+|Surflink|Yes|Yes|
+|USB-A|2 front facing USB 3.1 Gen 1 2 rear facing USB 3.1 Gen 1|2 rear facing USB 3.2 Gen 2 (7.5W power)|
+|Mini Display port|2 rear facing (DP1.2)|None|
+|USB-C|None|2 front facing USB 3.2 Gen 2 (15W power) 2 rear facing USB 3.2 Gen 2 (DP1.4a) (7.5W power)|
+|3.5 mm Audio in/out|Yes|Yes|
+|Ethernet|Yes, 1 gigabit|Yes 1 gigabit|
+|DC power in|Yes|Yes|
+|Kensington lock|Yes|Yes|
+|Surflink cable length|65cm|80cm|
+|Surflink host power|60W|120W|
+|USB load power|30W|60W|
+|USB bit rate|5 Gbps|10 Gbps|
+|Monitor support|2 x 4k @30fps, or 1 x 4k @ 60fps|2 x 4K @ 60fps|
+|Wake-on-LAN from Connected Standby1|Yes|Yes|
+|Wake-on-LAN from S4/S5 sleep modes|No|Yes|
+|Network PXE boot|Yes|Yes|
+|SEMM host access control|No|Yes
+|SEMM port access control2|No|Yes|
+|Servicing support|MSI|Windows Update or MSI|
+||||
+
+1. *Devices must be configured for Wake on LAN via Surface Enterprise Management Mode (SEMM) or Device Firmware Control Interface (DFCI) to wake from Hibernation or Power-Off states. Wake from Hibernation or Power-Off is supported on Surface Pro 7, Surface Laptop 3, Surface Pro X, Surface Book 3, and Surface Go 2. Software license required for some features. Sold separately.*
+
+2. *Software license required for some features. Sold separately.*
+
+## Streamlined device management
+
+Surface has released streamlined management functionality via Windows Update enabling IT admins to utilize the following enterprise-grade features:
+
+- **Frictionless updates**. Update your docks silently and automatically, with Windows Update or Microsoft Endpoint Configuration Manager, (formerly System Center Configuration Manager - SCCM) or other MSI deployment tools.
+- **Wake from the network**. Manage and access corporate devices without depending on users to keep their devices powered on. Even when a docked device is in sleep, hibernation, or power off mode, your team can wake from the network for service and management, using Endpoint Configuration Manager or other enterprise management tools.
+- **Centralized IT control**. Control who can connect to Surface Dock 2 by turning ports on and off. Restrict which host devices can be used with Surface Dock 2. Limit dock access to a single user or configure docks so they can only be accessed by specific users in your team or across the entire company.
+
+## Next steps
+
+- [Secure Surface Dock 2 ports with Surface Enterprise Management Mode](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/secure-surface-dock-2-ports-with-surface-enterprise-management/ba-p/1418999)
+- [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
+- [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md)
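Review bot: in Table 1 the row "|SEMM host access control|No|Yes" is missing its closing pipe and the table ends with an empty "||||" row; fix both so the table renders cleanly. Also in this file: "Dual 4K@ 4K@30Hz" under Video duplicates "4K@"; the footnote markers in "Connected Standby1" and "port access control2" render as plain digits rather than superscripts, so mark them up as superscripts (and the two footnotes below the table then match); "## Surface Dock 2 Components" has only blank lines under it before "### USB", which suggests an image or intro sentence was dropped; "Windows 10 version 1809" in General system requirements should say whether later versions are also supported; "Yes 1 gigabit" in the Ethernet row lacks the comma used in the Surface Dock cell; "Surface Book 2." carries a trailing period the other list items lack; and ms.date "5/29/2020" does not use the zero-padded form seen elsewhere in this change (05/11/2020, 05/26/2020).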
diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index 493b04c1ae..c983e5f0f5 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -7,12 +7,13 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
-ms.reviewer: scottmca
-manager: dansimp
+ms.reviewer: hachidan
+manager: laurawi
ms.localizationpriority: medium
-ms.audience: itpro
+audience: itpro
+ms.date: 05/26/2020
---
# Microsoft Surface Enterprise Management Mode
@@ -31,6 +32,9 @@ There are two administrative options you can use to manage SEMM and enrolled Sur
The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied.
+>[!NOTE]
+>You can now use Surface UEFI Configurator and SEMM to manage ports on Surface Dock 2. To learn more, see [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md).
+

*Figure 1. Microsoft Surface UEFI Configurator*
@@ -95,7 +99,7 @@ The following list shows all the available devices you can manage in SEMM:
|Enable Battery limit| Allows you to manage Battery limit functionality. If you do not configure this setting, Battery limit is enabled |
| Security | Displays the Surface UEFI **Security** page. If you do not configure this setting, the Security page is displayed. |
| Devices | Displays the Surface UEFI **Devices** page. If you do not configure this setting, the Devices page is displayed. |
-| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the DateTime page is displayed. |
+| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the Boot page is displayed. |
| DateTime | Displays the Surface UEFI **DateTime** page. If you do not configure this setting, the DateTime page is displayed. |
@@ -227,9 +231,27 @@ create a reset package using PowerShell to reset SEMM.
## Version History
-### Version 2.59.
-* Support to Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported.
-- Support to Wake on Power feature
+### Version 2.71.139.0
+
+This version of SEMM adds support for Surface Dock 2 management features for Surface Book 3, Surface Laptop 3, and Surface Pro 7 including:
+
+- Enabling audio (locking/unlocking), Ethernet and USB ports
+- Ability to create dock packages for both authenticated and unauthenticated hosts
+
+### Version 2.70.130.0
+
+This version of SEMM includes:
+
+- Support for Surface Go 2
+- Support for Surface Book 3
+- Bug fixes
+
+
+### Version 2.59.139.0
+
+* Support for Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported.
+
+- Support for Wake on Power feature
### Version 2.54.139.0
* Support to Surface Hub 2S
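Review bot: under "### Version 2.59.139.0" the two entries use different bullet markers ("*" then "-") separated by a blank line, which renders as two separate lists; use "-" for both, matching the 2.71.139.0 and 2.70.130.0 entries added above. The 2.71.139.0 bullet "Enabling audio (locking/unlocking), Ethernet and USB ports" is also ambiguous about whether locking/unlocking applies to all three port types; suggest "Locking and unlocking the audio, Ethernet and USB ports" if that is the intent.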
@@ -263,6 +285,6 @@ create a reset package using PowerShell to reset SEMM.
## Related topics
-[Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
-
-[Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
+- [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
+- [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
+- [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md)
diff --git a/devices/surface/surface-manage-dfci-guide.md b/devices/surface/surface-manage-dfci-guide.md
index 41a2f2f912..d9b08bd9e4 100644
--- a/devices/surface/surface-manage-dfci-guide.md
+++ b/devices/surface/surface-manage-dfci-guide.md
@@ -6,11 +6,11 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.date: 11/13/2019
ms.reviewer: jesko
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
# Intune management of Surface UEFI settings
@@ -31,7 +31,7 @@ Until now, managing firmware required enrolling devices into Surface Enterprise
Now with newly integrated UEFI firmware management capabilities in Microsoft Intune, the ability to lock down hardware is simplified and easier to use with new features for provisioning, security, and streamlined updating all in a single console, now unified as [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). The following figure shows UEFI settings viewed directly on the device (left) and viewed in the Endpoint Manager console (right).
-
+
Crucially, DFCI enables zero touch management, eliminating the need for manual interaction by IT admins. DFCI is deployed via Windows Autopilot using the device profiles capability in Intune. A device profile allows you to add and configure settings which can then be deployed to devices enrolled in management within your organization. Once the device receives the device profile, the features and settings are applied automatically. Examples of common device profiles include Email, Device restrictions, VPN, Wi-Fi, and Administrative templates. DFCI is simply an additional device profile that enables you to manage UEFI configuration settings from the cloud without having to maintain on-premises infrastructure.
diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md
index fb4f9b552d..5b7adaf812 100644
--- a/devices/surface/surface-pro-arm-app-management.md
+++ b/devices/surface/surface-pro-arm-app-management.md
@@ -6,10 +6,11 @@ ms.mktglfcycl: manage
ms.localizationpriority: high
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
+ms.date: 4/15/2020
ms.reviewer: jessko
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
# Deploying, managing, and servicing Surface Pro X
@@ -43,7 +44,7 @@ Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager
A component of Microsoft Enterprise Mobility + Security, Intune integrates with Azure Active Directory for identity and access control and provides granular management of enrolled Surface Pro X devices. Intune mobile device management (MDM) policies have a number of advantages over older on-premises tools such as Windows Group Policy. This includes faster device login times and a more streamlined catalog of policies enabling full device management from the cloud. For example, you can manage LTE using eSIM profiles to configure data plans and deploy activation codes to multiple devices.
-For more information about setting up Intune, refer to the [Intune documentation](https://docs.microsoft.com/intune/).
+For more information about using Intune, refer to the [Intune documentation](https://docs.microsoft.com/intune/).
### Co-management
@@ -108,9 +109,9 @@ Popular browsers run on Surface Pro X:
## Installing and using Microsoft Office
- Use Office 365 for the best experience on a Windows 10 PC on an ARM-based processor.
-- Office 365 “click-to-run” installs Outlook, Word, Excel, and PowerPoint, optimized to run on a Windows 10 PC on an ARM-based processor.
+- Office 365 "click-to-run" installs Outlook, Word, Excel, and PowerPoint, optimized to run on a Windows 10 PC on an ARM-based processor.
- Microsoft Teams runs great on Surface Pro X.
-- For “perpetual versions” of Office such as Office 2019, install the 32-bit version.
+- For "perpetual versions" of Office such as Office 2019, install the 32-bit version.
## VPN
@@ -138,10 +139,10 @@ The following tables show the availability of selected key features on Surface P
| Endpoint Configuration Manager | Yes | Yes | |
| Power on When AC Restore | Yes | Yes | |
| Surface Diagnostic Toolkit (SDT) for Business | Yes | Yes | |
-| Surface Dock Firmware Update | Yes | Yes | |
+| Surface Dock Firmware Update | Yes | No | |
| Asset Tag Utility | Yes | Yes | |
| Surface Enterprise management Mode (SEMM) | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. |
-| Surface UEFI Configurator | Yes | | No option to disable hardware. on Surface Pro X at the firmware level. |
+| Surface UEFI Configurator | Yes | No | No option to disable hardware. on Surface Pro X at the firmware level. |
| Surface UEFI Manager | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. |
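Review bot: The `+| Surface UEFI Configurator | Yes | No | ... |` line keeps the stray period in "No option to disable hardware. on Surface Pro X at the firmware level." that was already in the old row; since the row is being touched anyway, drop the period so the note reads like the SEMM and Surface UEFI Manager rows. The flip of Surface Dock Firmware Update from Yes to No in the Surface Pro X column is a substantive support statement with an empty notes cell; consider adding a short explanation there, as the other changed row does, so readers know whether this is a current limitation or permanent.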
diff --git a/devices/surface/surface-pro-arm-app-performance.md b/devices/surface/surface-pro-arm-app-performance.md
index 0057104b59..10f3e57bbd 100644
--- a/devices/surface/surface-pro-arm-app-performance.md
+++ b/devices/surface/surface-pro-arm-app-performance.md
@@ -6,11 +6,11 @@ ms.localizationpriority: medium
ms.mktglfcycl: manage
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.date: 10/03/2019
ms.reviewer: jessko
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
# Surface Pro X app compatibility
diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md
index 062008fc1e..499e718991 100644
--- a/devices/surface/surface-system-sku-reference.md
+++ b/devices/surface/surface-system-sku-reference.md
@@ -7,11 +7,11 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.date: 03/09/2020
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
@@ -39,6 +39,7 @@ System Model and System SKU are variables that are stored in the System Manageme
| Surface Go Commercial | Surface Go | Surface_Go_1824_Commercial |
| Surface Pro 6 Consumer | Surface Pro 6 | Surface_Pro_6_1796_Consumer |
| Surface Pro 6 Commercial | Surface Pro 6 | Surface_Pro_6_1796_Commercial |
+| Surface Laptop | Surface Laptop | Surface_Laptop |
| Surface Laptop 2 Consumer | Surface Laptop 2 | Surface_Laptop_2_1769_Consumer |
| Surface Laptop 2 Commercial | Surface Laptop 2 | Surface_Laptop_2_1769_Commercial |
| Surface Pro 7 | Surface Pro 7 | Surface_Pro_7_1866 |
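Review bot: The added System SKU value `Surface_Laptop` breaks the pattern of the neighbouring rows, which carry the model number and, where applicable, a Consumer/Commercial suffix (for example `Surface_Laptop_2_1769_Consumer`). Please confirm against a device's SMBIOS data that the string is exactly `Surface_Laptop`, because MDT rules and task-sequence conditions that key on System SKU must match this value verbatim.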
diff --git a/devices/surface/surface-wireless-connect.md b/devices/surface/surface-wireless-connect.md
index d30a955dac..34c653abc0 100644
--- a/devices/surface/surface-wireless-connect.md
+++ b/devices/surface/surface-wireless-connect.md
@@ -7,10 +7,10 @@ ms.sitesec: library
author: coveminer
ms.audience: itpro
ms.localizationpriority: medium
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.reviewer: tokatz
-manager: dansimp
+manager: laurawi
---
# Optimize Wi-Fi connectivity for Surface devices
diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md
index 6174474de7..6750387137 100644
--- a/devices/surface/unenroll-surface-devices-from-semm.md
+++ b/devices/surface/unenroll-surface-devices-from-semm.md
@@ -7,10 +7,10 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
index bac99f89bc..7602e690be 100644
--- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
+++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
@@ -7,12 +7,13 @@ ms.mktglfcycl: deploy
ms.pagetype: surface
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.reviewer:
-manager: dansimp
+manager: laurawi
+ms.date: 04/24/2020
---
# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit
@@ -37,216 +38,7 @@ manager: dansimp
- Surface Pro
- Windows 10
-In addition to the traditional deployment method of reimaging devices, administrators that want to upgrade Surface devices that are running Windows 8.1 or Windows 10 have the option of deploying upgrades. By performing an upgrade deployment, Windows 10 can be applied to devices without removing users, apps, or configuration. The users of the deployed devices can simply continue using the devices with the same apps and settings that they used prior to the upgrade. The process described in this article shows how to perform a Windows 10 upgrade deployment to Surface devices.
+In addition to the traditional deployment method of reimaging devices, administrators who want to upgrade Surface devices that are running Windows 8.1 or Windows 10 have the option of deploying upgrades. By performing an upgrade deployment, Windows 10 can be applied to devices without removing users, apps, or configuration. The users of the deployed devices can simply continue using the devices with the same apps and settings that they used prior to the upgrade.
-If you are not already familiar with the deployment of Windows or the Microsoft deployment tools and technologies, you should read [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) and familiarize yourself with the traditional deployment method before you proceed.
+For the latest information about upgrading surface devices using MDT, refer to [Perform an in-place upgrade to Windows 10 with MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit).
-#### The upgrade concept
-
-When you use the factory installation media to install Windows on a device, you are presented with two options or *installation paths* to install Windows on that device. The first of these installation paths – *clean installation* – allows you to apply a factory image of Windows to that device, including all default settings. The second of these installation paths – *upgrade* – allows you to apply Windows to the device but retains the device’s users, apps, and settings.
-
-When you perform a Windows deployment using traditional deployment methods, you follow an installation path that is very similar to a clean installation. The primary difference between the clean installation and the traditional deployment method of *reimaging* is that with reimaging, you can apply an image that includes customizations. Microsoft deployment technologies, such as the Microsoft Deployment Toolkit (MDT), expand the capabilities of the reimaging process by modifying the image during deployment. For example, MDT is able to inject drivers for a specific hardware configuration during deployment, and with pre and post imaging scripts to perform a number of tasks, such as the installation of applications.
-
-For versions of Windows prior to Windows 10, if you wanted to install a new version of Windows on your devices and preserve the configuration of those systems, you had to perform additional steps during your deployment. For example, if you wanted to keep the data of users on the device, you had to back up user data with the User State Migration Tool (USMT) prior to the deployment and restore that data after the deployment had completed.
-
-Introduced with Windows 10 and MDT 2013 Update 1, you can use the upgrade installation path directly with Microsoft deployment technologies such as the Microsoft Deployment Toolkit (MDT). With an upgrade deployment you can use the same deployment technologies and process, but you can preserve users settings, and applications of the existing environment on the device.
-
-> [!NOTE]
-> MDT is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
-
-## Deployment tools and resources
-
-Performing an upgrade deployment of Windows 10 requires the same tools and resources that are required for a traditional reimaging deployment. You can read about the tools required, including detailed explanations and installation instructions, in [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md). To proceed with the upgrade deployment described in this article, you will need the following tools installed and configured:
-
-* [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/windows/dn475741)
-* [Windows Assessment and Deployment Kit (Windows ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#windowsadk), which includes:
- * Deployment Image Servicing and Management (DISM)
- * Windows Preinstallation Environment (Windows PE)
- * Windows System Image Manager (Windows SIM)
-
-You will also need to have available the following resources:
-
-* Windows 10 installation files, such as the installation media downloaded from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx)
-
- >[!NOTE]
- >Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation media produced by the [Get Windows 10](https://www.microsoft.com/software-download/windows10/) page does not use a .wim file, instead using an Electronic Software Download (.esd) file, which is not compatible with MDT.
-* [Surface firmware and drivers](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) for Windows 10
-
-* Application installation files for any applications you want to install, such as the Surface app
-
-## Prepare the upgrade deployment
-
-Before you begin the process described in this section, you need to have installed and configured the deployment tools outlined in the previous [Deployment tools and resources](#deployment-tools-and-resources) section. For instructions on how to install and configure the deployment tools, see the **Install the deployment tools** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#install-the-deployment-tools) article. You will also have needed to create a deployment share with MDT, described in the section Create a Deployment Share in the aforementioned article.
-
-### Import Windows 10 installation files
-
-Windows 10 installation files only need to be imported if you have not already done so in the deployment share. To import Windows 10 installation files, follow the steps described in the **Import Windows installation files** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#import-windows-installation-files) article.
-
-### Import Surface drivers
-In the import process example shown in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, drivers for Surface Pro 4 were imported for Windows 10. To perform an upgrade deployment of Windows 10 to Surface Pro 3, drivers for Surface Pro 3 must also be imported. To import the Surface drivers for Surface Pro 3, follow these steps:
-
-1. Download the Surface Pro 3 firmware and driver pack for Windows 10 archive file (.zip), SurfacePro3_Win10_xxxxxx.zip, from the [Surface Pro 3 download page](https://www.microsoft.com/download/details.aspx?id=38826) in the Microsoft Download Center.
-2. Extract the contents of the Surface Pro 3 firmware and driver pack archive file to a temporary folder. Keep the driver files separate from other drivers or files.
-3. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share.
-4. If you have not already created a folder structure by operating system version, you should do so next. Under the **Windows 10 x64** folder, create a new folder for Surface Pro 3 drivers named **Surface Pro 3**. Your Out-of-Box Drivers folder should resemble the following structure:
- * WinPE x86
- * WinPE x64
- * Windows 10 x64
- * Microsoft Corporation
- * Surface Pro 4
- * Surface Pro 3
-5. Right-click the **Surface Pro 3** folder, and then click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 1.
-
- 
-
- *Figure 1. Import Surface Pro 3 drivers for Windows 10*
-
-6. The Import Driver Wizard displays a series of steps, as follows:
- - **Specify Directory** – Click **Browse** and navigate to the folder where you extracted the Surface Pro 3 firmware and drivers in Step 1.
- - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
- - **Progress** – While the drivers are imported, a progress bar is displayed on this page.
- - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Drivers Wizard.
-7. Select the **Surface Pro 3** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 2.
-
- 
-
- *Figure 2. Drivers for Surface Pro 3 imported and organized in the MDT deployment share*
-
-### Import applications
-
-Installation of applications in an upgrade deployment is not always necessary because the applications from the previous environment will remain on the device. (For example, in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, the deployment includes Office 365 which is not required in an upgrade deployment where the user is already using Office 365 on the device.)
-
-There are still some circumstances where you will want to deploy an application, even during an upgrade deployment. For example, you may have Surface Pro 3 devices on which you would like to add the Surface app. To deploy the Surface app in an upgrade scenario use the same process as you would for a traditional deployment. See the [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article for instructions on how to add the Surface app to an MDT task sequence.
-
-### Create the upgrade task sequence
-
-After you have all of the resources in place to perform the deployment (including the installation files, Surface drivers, and application files), the next step is to create the upgrade task sequence. This task sequence is a series of steps that will be performed on the device being upgraded that applies the new Windows environment, compatible drivers, and any applications you have specified.
-
-Create the upgrade task sequence with the following process:
-
-1. In the Deployment Workbench under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard.
-2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard:
- - **General Settings** – Enter an identifier for the deployment task sequence in the Task Sequence ID field, a name for the deployment task sequence in the Task Sequence Name field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, and then click **Next**.
- >[!NOTE]
- >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
- - **Select Template** – Select **Standard Client Upgrade Task Sequence** from the drop-down menu, and then click **Next**.
- - **Select OS** – Navigate to and select the Windows image that you imported, and then click **Next**.
- - **Specify Product Key** – Select the product key entry that fits your organization’s licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**.
- - **OS Settings** – Enter a name and organization for registration of Windows, and a home page URL for users when they browse the Internet in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**.
- - **Admin Password** – Select **Use the Specified Local Administrator Password** and enter a password in the provided fields, and then click **Next**.
- - **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence.
- - **Progress** – While the task sequence is being created, a progress bar is displayed on this page.
- - **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete New Task Sequence Wizard.
-
-After the task sequence is created, you can modify some additional settings to provide additional automation of the task sequence and require less interaction during deployment. Follow these steps to modify the task sequence:
-
-1. Select the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**.
-2. Select the **Task Sequence** tab to view the steps that are included in the new task sequence.
-3. Select the **Windows Update (Pre-Application Installation)** step, located under the **State Restore** folder.
-4. Click the **Options** tab, and then clear the **Disable This Step** check box.
-5. Repeat Step 3 and Step 4 for the **Windows Update (Post-Application Installation)** step.
-6. Between the two Windows Update steps is an **Install Applications** step. Select that step and then click **Add**.
-7. Hover the mouse over **General** under the **Add** menu, and then choose **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 3.
-
- 
-
- *Figure 3. A new Install Application step in the deployment task sequence*
-
-8. On the **Properties** tab of the new **Install Application** step, enter **Install Surface App** in the **Name** field.
-9. Select **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share.
-10. Select **Surface App** from the list of applications, and then click **OK**.
-11. Expand the **Preinstall** folder and select the **Enable BitLocker (Offline)** step.
-12. Open the **Add** menu again and choose **Set Task Sequence Variable** from under the **General** menu.
-13. On the **Properties** tab of the new **Set Task Sequence Variable** step (as shown in Figure 4) configure the following options:
-
- - **Name** – Set DriverGroup001
- - **Task Sequence Variable** – DriverGroup001
- - **Value** – Windows 10 x64\%Make%\%Model%
-
- 
-
- *Figure 4. Configure a new Set Task Sequence Variable step in the deployment task sequence*
-
-14. Select the **Inject Drivers** step, the next step in the task sequence.
-15. On the **Properties** tab of the **Inject Drivers** step (as shown in Figure 5) configure the following options:
- * In the **Choose a selection profile** drop-down menu, select **Nothing**.
- * Click the **Install all drivers from the selection profile** button.
-
- 
-
- *Figure 5. Configure the deployment task sequence to not install drivers*
-
-16. Click **OK** to apply changes to the task sequence and close the task sequence properties window.
-
-Steps 11 through 15 are very important to the deployment of Surface devices. These steps instruct the task sequence to install only drivers that are organized into the correct folder using the organization for drivers from the [Import Surface drivers](#import-surface-drivers) section.
-
-### Deployment share rules
-
-To automate the upgrade process, the rules of the MDT deployment share need to be modified to suppress prompts for information from the user. Unlike a traditional deployment, Bootstrap.ini does not need to be modified because the deployment process is not started from boot media. Similarly, boot media does not need to be imported into WDS because it will not be booted over the network with PXE.
-
-To modify the deployment share rules and suppress the Windows Deployment Wizard prompts for information, copy and paste the following text into the text box on the **Rules** tab of your deployment share properties:
-
-```
-[Settings]
-Priority=Model,Default
-Properties=MyCustomProperty
-
-[Surface Pro 4]
-SkipTaskSequence=YES
-TaskSequenceID=Win10SP4
-
-[Surface Pro 3]
-SkipTaskSequence=YES
-TaskSequenceID=Win10SP3Up
-
-[Default]
-OSInstall=Y
-SkipCapture=YES
-SkipAdminPassword=YES
-SkipProductKey=YES
-SkipComputerBackup=YES
-SkipBitLocker=YES
-SkipBDDWelcome=YES
-SkipUserData=YES
-UserDataLocation=AUTO
-SkipApplications=YES
-SkipPackageDisplay=YES
-SkipComputerName=YES
-SkipDomainMembership=YES
-JoinDomain=contoso.com
-DomainAdmin=MDT
-DomainAdminDomain=contoso
-DomainAdminPassword=P@ssw0rd
-SkipLocaleSelection=YES
-KeyboardLocale=en-US
-UserLocale=en-US
-UILanguage=en-US
-SkipTimeZone=YES
-TimeZoneName=Pacific Standard Time
-UserID=MDTUser
-UserDomain=STNDeployServer
-UserPassword=P@ssw0rd
-SkipSummary=YES
-SkipFinalSummary=YES
-FinishAction=LOGOFF
-```
-
-
-
-For more information about the rules configured by this text, see the **Configure deployment share rules** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#configure-deployment-share-rules) article.
-
-### Update deployment share
-
-To update the deployment share, right-click the deployment share in the Deployment Workbench and click **Update Deployment Share**, then proceed through the Update Deployment Share Wizard. See the **Update and import updated MDT boot media** section of the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#update-and-import-updated-mdt-boot-media) article for detailed steps.
-
-### Run the upgrade deployment
-
-Unlike a traditional deployment, the upgrade task sequence must be launched from within the Windows environment that will be upgraded. This requires that a user on the device to be upgraded navigate to the deployment share over the network and launch a script, LiteTouch.vbs. This script is the same script that displays the Windows Deployment Wizard in Windows PE in a traditional deployment. In this scenario, Litetouch.vbs will run within Windows. To perform the upgrade task sequence and deploy the upgrade to Windows 10 follow these steps:
-
-1. Browse to the network location of your deployment share in File Explorer.
-2. Navigate to the **Scripts** folder, locate **LiteTouch.vbs**, and then double-click **LiteTouch.vbs** to start the Windows Deployment Wizard.
-3. Enter your credentials when prompted.
-4. The upgrade task sequence for Surface Pro 3 devices will automatically start when the model of the device is detected and determined to match the deployment share rules.
-5. The upgrade process will occur automatically and without user interaction.
-
-The task sequence will automatically install the drivers for Surface Pro 3 and the Surface app, and will perform any outstanding Windows Updates. When it completes, it will log out and be ready for the user to log on with the credentials they have always used for this device.
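Review bot: Replacing the walkthrough with a single link silently drops the `> MDT is not supported on Surface Pro X` caveat from the removed `[!NOTE]` block, and the new paragraph does not carry it; keep a one-line note pointing to surface-pro-arm-app-management.md so readers of this page still see it. In the added paragraph, "upgrading surface devices" should be "upgrading Surface devices". Removing the deployment share rules sample also removes the literal `DomainAdminPassword=P@ssw0rd` and `UserPassword=P@ssw0rd` values from this page, which is a welcome side effect of the change.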
diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
index da2a90ea0b..91c1b17875 100644
--- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
+++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
@@ -7,10 +7,10 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
@@ -382,56 +382,11 @@ To configure Surface UEFI settings or permissions for Surface UEFI settings, you
The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device.
-The following tables show the available settings for Surface Pro 4 and later including Surface Pro 7, Surface Book, Surface Laptop 3, and Surface Go.
+The best way to view the most current Setting names and IDs for devices is to use the ConfigureSEMM.ps1 script or the ConfigureSEMM - .ps1 from the SEMM_Powershell.zip in [Surface Tools for IT Downloads](https://www.microsoft.com/download/details.aspx?id=46703).
-*Table 1. Surface UEFI settings for Surface Pro 4*
+Setting names and IDs for all devices can be seen in the ConfigureSEMM.ps1 script.
-| Setting ID | Setting Name | Description | Default Setting |
-| --- | --- | --- | --- |
-|501| Password | UEFI System Password | |
-|200| Secure Boot Keys | Secure Boot signing keys to enable for EFI applications | MsPlus3rdParty |
-|300| Trusted Platform Module (TPM) | TPM device enabled or disabled | Enabled |
-|301| Docking USB Port | Docking USB Port enabled or disabled | Enabled |
-|302| Front Camera | Front Camera enabled or disabled | Enabled |
-|303| Bluetooth | Bluetooth radio enabled or disabled | Enabled |
-|304| Rear Camera | Rear Camera enabled or disabled | Enabled |
-|305| IR Camera | InfraRed Camera enabled or disabled | Enabled |
-|308| Wi-Fi and Bluetooth | Wi-Fi and Bluetooth enabled or disabled | Enabled |
-|310| Type Cover | Surface Type Cover connector | Enabled |
-|320| On-board Audio | On-board audio enabled or disabled | Enabled |
-|330| Micro SD Card | Micro SD Card enabled or disabled | Enabled |
-|370| USB Port 1 | Side USB Port (1) | UsbPortEnabled |
-|400| IPv6 for PXE Boot | Enable IPv6 PXE boot before IPv4 PXE boot |Disabled |
-|401| Alternate Boot | Alternate Boot allows users to override the boot order by holding the volume down button when powering up the device | Enabled |
-|402| Boot Order Lock | Boot Order variable lock enabled or disabled | Disabled |
-|403| USB Boot | Enable booting from USB devices | Enabled |
-|500| TPM clear EFI protocol | Enable EFI protocol for invoking TPM clear | Disabled |
-|600| Security | UEFI Security Page Display enabled or disabled | Enabled |
-|601| Devices | UEFI Devices Page Display enabled or disabled | Enabled |
-|602| Boot | UEFI Boot Manager Page Display enabled or disabled | Enabled |
-
-*Table 2. Surface UEFI settings for Surface Book*
-
-| Setting ID | Setting Name | Description | Default Setting |
-| --- | --- | --- | --- |
-| 501 | Password | UEFI System Password | |
-| 200 | Secure Boot Keys | Secure Boot signing keys to enable for EFI applications | MsPlus3rdParty |
-| 300 | Trusted Platform Module (TPM) | TPM device enabled or disabled | Enabled |
-| 301 | Docking USB Port | Docking USB Port enabled or disabled | Enabled |
-| 302 | Front Camera | Front Camera enabled or disabled | Enabled |
-| 303 | Bluetooth | Bluetooth radio enabled or disabled | Enabled |
-| 304 | Rear Camera | Rear Camera enabled or disabled | Enabled |
-| 305 | IR Camera | InfraRed Camera enabled or disabled | Enabled |
-| 308 | Wi-Fi and Bluetooth | Wi-Fi and Bluetooth enabled or disabled | Enabled |
-| 320 | On-board Audio | On-board audio enabled or disabled | Enabled |
-| 400 | IPv6 for PXE Boot Enable | IPv6 PXE boot before IPv4 PXE boot | Disabled |
-| 401 | Alternate Boot | Alternate Boot allows users to override the boot order by holding the volume down button when powering up the device | Enabled |
-| 402 | Boot Order Lock | Boot Order variable lock enabled or disabled | Disabled |
-| 403 | USB Boot | Enable booting from USB devices | Enabled |
-| 500 | TPM clear EFI protocol | Enable EFI protocol for invoking TPM clear | Disabled |
-| 600 | Security | UEFI Security Page Display enabled or disabled | Enabled |
-| 601 | Devices | UEFI Devices Page Display enabled or disabled | Enabled |
-| 602 | Boot | UEFI Boot Manager Page Display enabled or disabled | Enabled |
+Setting names and IDs for specific devices can be seen in the ConfigureSEMM - .ps1 scripts. For example, setting names and IDs for Surface Pro X can be found in the ConfigureSEMM – ProX.ps1 script.
## Deploy SEMM Configuration Manager scripts
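Review bot: The script name `ConfigureSEMM - .ps1` in the added lines reads like a placeholder with the device name missing, and the final added line writes the concrete example as `ConfigureSEMM – ProX.ps1` with an en dash while the generic form uses a hyphen; write the pattern as something like `ConfigureSEMM - <device>.ps1` and use the same dash character as the actual file names in SEMM_Powershell.zip so readers can match them. The added lines also repeat themselves: "Setting names and IDs for all devices can be seen in the ConfigureSEMM.ps1 script" restates the sentence just above it, so one sentence for the generic script and one for the device-specific scripts would suffice. Dropping the two tables removes the only in-page listing of setting IDs (for example 300 for TPM, 403 for USB Boot, 402 for Boot Order Lock) that administrators reference when building SEMM packages; if that is intentional to avoid drift from the scripts, the added text should say where in the script the IDs appear rather than naming the script alone.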
diff --git a/devices/surface/using-the-sda-deployment-share.md b/devices/surface/using-the-sda-deployment-share.md
deleted file mode 100644
index 40c991f145..0000000000
--- a/devices/surface/using-the-sda-deployment-share.md
+++ /dev/null
@@ -1,172 +0,0 @@
----
-title: Using the Microsoft Surface Deployment Accelerator deployment share (Surface)
-description: Explore the scenarios where you can use SDA to meet the deployment needs of your organization including Proof of Concept, pilot deployment, as well as import additional drivers and applications.
-keywords: deploy, install, automate, deployment solution
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: surface, devices
-ms.sitesec: library
-author: coveminer
-ms.author: v-jokai
-ms.topic: article
-ms.localizationpriority: medium
-ms.audience: itpro
-ms.reviewer:
-manager: dansimp
----
-
-# Using the Microsoft Surface Deployment Accelerator deployment share
-
-With Microsoft Surface Deployment Accelerator (SDA), you can quickly and easily set up a deployment solution that is ready to deploy Windows to Surface devices. The prepared environment is built on powerful deployment technologies available from Microsoft, such as the [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/windows/dn475741), and is capable of immediately performing a deployment after configuration. See [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/itpro/surface/step-by-step-surface-deployment-accelerator) for a comprehensive walkthrough of using the SDA wizard to set up a deployment share and perform a deployment.
-
-For more information about SDA and information on how to download SDA, see [Microsoft Surface Deployment Accelerator (SDA)](https://technet.microsoft.com/itpro/surface/microsoft-surface-deployment-accelerator).
-
-> [!NOTE]
-> SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md).
-
-Using SDA provides these primary benefits:
-
-* With SDA, you can create a ready-to-deploy environment that can deploy to target devices as fast as your download speeds allow. The wizard experience enables you to check a few boxes and then the automated process builds your deployment environment for you.
-
-* With SDA, you prepare a deployment environment built on the industry leading deployment solution of MDT. With MDT you can scale from a relatively basic deployment of a few Surface devices to a solution capable of deploying to thousands of devices including all of the different makes and models in your organization and all of the applications required by each device and user.
-
-This article explores four scenarios where you can use SDA to meet the needs of your organization. See [Deploy Windows 10](https://technet.microsoft.com/itpro/windows/deploy/index) to explore the capabilities of MDT and the Windows deployment technologies available from Microsoft in greater detail.
-
-## Perform a Proof of Concept deployment
-
-One of the primary scenarios for use of SDA is as a Proof of Concept. A *Proof of Concept* (PoC) enables you to test or evaluate the capabilities of a solution or technology. A PoC is often used to illustrate the benefits of the solution or technology to decision makers. For example, if you want to recommend Surface devices as a replacement of older point of sale (POS) systems, you could perform a PoC to demonstrate how Surface devices provide superior computing power, flexibility, and connectivity when compared to alternate options.
-
-Using SDA to prepare a PoC of Surface devices enables you to very quickly prepare a demonstration of Surface device or devices, which gives you more time for customization or preparation. The flexibility of SDA even lets you import resources, like applications and drivers, from existing MDT deployment infrastructure. See the [Work with existing deployment shares](#work-with-existing-deployment-shares) section later in this article for more information.
-
-SDA is also an excellent PoC of the capabilities of MDT. SDA demonstrates just how quickly an MDT deployment environment can be prepared and made ready for deployment to devices. It also shows just how flexible and customizable the MDT solution can be, with support for Windows 10 and Windows 8.1, for Microsoft Store and desktop applications, and several models of Surface devices.
-
-Some recommendations for a successful PoC with SDA are:
-
-* Keep your SDA deployment environment separate from your production network. This ensures optimal performance and reduces potential for conflicts during your PoC deployment.
-
-* Use a fresh and updated instance of Windows Server to house your SDA deployment share to maintain the simplicity and performance of the demonstration environment.
-
-* Test the deployment process before you demonstrate your PoC. This reduces the potential for unexpected situations and keeps the demonstration focused on the deployment process and Surface devices.
-
-* Use offline files with SDA to further reduce installation times.
-
-* For help with your PoC, contact [Surface Support](https://www.microsoft.com/surface/support/contact-us-business).
-
-## Perform a pilot deployment
-
-A pilot deployment differs from a PoC. Where a PoC is usually a closed demonstration that is performed prior to the deployment process in order to get approval for the use of certain technologies or solutions, a *pilot deployment* is performed during the deployment process as a limited scope deployment for testing and validation. The focus of a pilot deployment can be as narrow as only a handful of devices, or wide enough to include a significant portion of your organization.
-
->[!NOTE]
->A pilot deployment should not replace the testing process that should be performed regularly in the lab as the deployment environment is built and developed. A deployment solution should be tested in virtual and physical environments as new applications and drivers are added and when task sequences are modified and before a pilot deployment is performed.
-
-For example, you are tasked with deploying Surface devices to mobile workers and you want to test the organization’s MDT deployment process by providing a small number of devices to executives. You can use SDA to create an isolated Surface deployment environment and then copy the task sequence, applications, and drivers needed from the production deployment share. This not only enables you to quickly create a Surface deployment, but it also minimizes the risk to the production deployment process used for other types of devices.
-
-For small organizations, the pilot deployment environment of SDA may suffice as a complete deployment solution. Even if you do not have an existing deployment environment, you can import drivers and applications (covered later in this article) to provide a complete deployment solution based on MDT. Even without previous knowledge of MDT or Windows deployment, you can follow the [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/itpro/surface/step-by-step-surface-deployment-accelerator) article to get started with a deployment to Surface devices.
-
-## Import additional drivers
-
-The SDA deployment share includes all of the drivers needed for Surface devices. This includes the drivers for the components inside the Surface device, such as the wireless network adapter and the main chipset, as well as drivers for Surface accessories, such as the Surface Dock or Surface USB Ethernet adapters. The SDA deployment share does not, however, include drivers for third-party devices or peripherals.
-
-For example, you may intend to use your Surface device with a thermal printer, credit card reader, and barcode scanner as a POS terminal. In this scenario, the thermal printer, credit card reader, and barcode scanner will very likely require installation of drivers to operate properly. You could potentially download and install these drivers from Windows Update when each peripheral is connected, or you could install the driver package from the manufacturer manually on each Surface device, but the ideal solution is to have these drivers already present in Windows so that when the peripheral is connected, it will just work.
-
-Because SDA is built on MDT, adding the drivers to the SDA deployment share is easy and simple.
-
->[!NOTE]
->The drivers must be in the Setup Information File (.inf) format. If the drivers for your device come as an executable file (.exe), they may need to be extracted or installed to procure the .inf file. Some device drivers come packaged with applications, for example an all-in-one printer bundled with scan software. These applications will need to be installed separately from the drivers.
-
-To import drivers for a peripheral device:
-
-1. Download the drivers for your device from the manufacturer web site.
-
-2. Open the MDT Deployment Workbench.
-
-3. Expand the **Deployment Shares** node and expand the SDA deployment share.
-
-4. Expand the **Out-of-Box Drivers** folder.
-
-5. Select the folder of the Surface model for which you would like to include this driver.
-
-6. Click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 1.
-
- 
-
- *Figure 1. Provide the location of your driver files*
-
-7. The Import Drivers Wizard presents a series of steps:
-
- - **Specify Directory** – Click **Browse** and navigate to the folder where you stored the drivers in Step 1.
- - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
- - **Progress** – While the drivers are imported, a progress bar is displayed on this page.
- - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard.
-
-8. Repeat Steps 5-7 for each Surface model on which you would like to include this driver.
-
-9. Close the Deployment Workbench.
-
-After the drivers are imported for the Surface model, the deployment task sequence will automatically select the drivers during the deployment process and include them in the Windows environment. When you connect your device, such as the barcode scanner in the example, Windows should automatically detect the device and you should be able to use it immediately.
-
->[!NOTE]
->You can even import drivers for other computer makes and models to support other devices. See **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt) for more information about how to import drivers for other makes and models.
-
-## Import additional applications
-
-As with drivers, the SDA deployment share can be pre-configured with apps like the Surface App and Microsoft Office 365. You can also add applications to the SDA deployment share and configure them to be installed on your Surface devices during deployment of Windows. In the ideal scenario, your Surface devices deployed with the SDA deployment share will include all of the applications needed to be ready for your end users.
-
-In the previous example for including drivers for a POS system, you would also need to include POS software for processing transactions and recording the input from the barcode scanner and credit card reader. To import an application and prepare it for installation on your Surface devices during Windows deployment:
-
-1. Download the application installation files or locate the installation media for your application.
-
-2. Determine the command line instruction for silent installation, usually provided by the developer of the application. For Windows Installer files (.msi), see [Standard Installer Command-Line Options](https://msdn.microsoft.com/library/windows/desktop/aa372024) in the Windows Dev Center.
-
-3. Open the MDT Deployment Workbench.
-
-4. Expand the **Deployment Shares** node and expand the SDA deployment share.
-
-5. Expand the **Applications** folder.
-
-6. Click **New Application** to start the New Application Wizard, as shown in Figure 2.
-
- 
-
- *Figure 2: Provide the command to install your application*
-
-7. Follow the steps of the New Application Wizard:
-
- - **Application Type** – Click **Application with Source Files**, and then click **Next**.
- - **Details** – Enter a name for the application in the **Application Name** field. Enter publisher, version, and language information in the **Publisher**, **Version**, and **Language** fields if desired. Click **Next**.
- - **Source** – Click **Browse** to navigate to and select the folder with the application installation files procured in Step 1, and then click **Next**.
- - **Destination** – Enter a name for the folder where the application files will be stored in the **Specify the Name of the Directory that Should Be Created** field or click **Next** to accept the default name.
- - **Command Details** – Enter the silent command-line instruction, for example `setup.msi /quiet /norestart`
- - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
- - **Progress** – While the installation files are imported, a progress bar is displayed on this page.
- - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Application Wizard.
-
-8. Click the **Task Sequences** folder, right-click **1 - Deploy Microsoft Surface**, and then click **Properties**.
-
-9. Click the **Task Sequence** tab to view the steps that are included in the new task sequence.
-
-10. Select the **Windows Update (Pre-Application Installation)** step, and then click **Add**.
-
-11. Hover the mouse over **General** under the **Add** menu, and then click **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 3.
-
- 
-
- *Figure 3. A new Install Application step for Sample POS App*
-
-12. On the **Properties** tab of the new **Install Application** step, enter **Install - Sample POS App** in the **Name** field, where *Sample POS App* is the name of your app.
-
-13. Click **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share.
-
-14. Select your app from the list of applications, and then click **OK**.
-
-15. Click **OK** to close the task sequence properties.
-
-16. Close the Deployment Workbench.
-
-## Work with existing deployment shares
-
-One of the many benefits of an MDT deployment share is the simplicity of how deployment resources are stored. The MDT deployment share is, at its core, just a standard network file share. All deployment resources, such as Windows images, application installation files, and drivers, are stored in a share that can be browsed with File Explorer, copied and pasted, and moved just like any other file share, provided that you have the necessary permissions. This makes working with deployment resources extremely easy. MDT even allows you to make it easier by allowing you to open multiple deployment shares from the Deployment Workbench and to transfer or copy resources between them.
-
-This ability gives SDA some extra capabilities when used in an environment with an existing MDT infrastructure. For example, if you install SDA on an isolated server to prepare a PoC and then log on to your production MDT deployment share from the Deployment Workbench on your SDA server, you can copy applications, drivers, task sequences, and other components into the SDA deployment share that is prepared with Surface apps and drivers. With this process, in a very short amount time, you can have a deployment environment ready to deploy your organization’s precise requirements to Surface devices.
-
-You can also use this capability in reverse. For example, you can copy the Surface drivers, deployment task sequences, and apps directly into a lab or testing environment following a successful PoC. Using these resources, you can immediately begin to integrate Surface deployment into your existing deployment infrastructure.
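Review bot: the entire body of the SDA article is deleted here (the Proof of Concept, pilot, driver-import, application-import and existing-deployment-share sections) with nothing in the hunk pointing readers to a replacement, yet the deleted text itself shows that other pages link into it (the in-page anchor `#work-with-existing-deployment-shares` and the `Step-by-Step: Surface Deployment Accelerator` link), so this deletion needs a matching redirect entry for the page path. Two pieces of guidance worth carrying over to whichever page replaces it rather than losing outright: "Keep your SDA deployment environment separate from your production network", which is the one isolation step that keeps a PoC share from affecting production deployments, and the note that imported drivers "must be in the Setup Information File (.inf) format" with bundled applications installed separately.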
diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md
index 37cb7a1d1e..b9c11bd90f 100644
--- a/devices/surface/wake-on-lan-for-surface-devices.md
+++ b/devices/surface/wake-on-lan-for-surface-devices.md
@@ -8,10 +8,10 @@ ms.pagetype: surface, devices
ms.sitesec: library
ms.localizationpriority: medium
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.reviewer: scottmca
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md
index b008fa625a..b4da164970 100644
--- a/devices/surface/windows-autopilot-and-surface-devices.md
+++ b/devices/surface/windows-autopilot-and-surface-devices.md
@@ -1,7 +1,7 @@
---
title: Windows Autopilot and Surface devices
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Find out about Windows Autopilot deployment options for Surface devices.
keywords: autopilot, windows 10, surface, deployment
ms.prod: w10
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
-ms.author: v-jokai
+ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
@@ -37,7 +37,7 @@ These Windows versions support a 4,000-byte (4k) hash value that uniquely identi
## Exchange experience on Surface devices in need of repair or replacement
-Microsoft automatically checks every Surface for Autopilot enrollment and will deregister the device from the customer’s tenant. Microsoft ensures the replacement device is enrolled into Windows Autopilot once a replacement is shipped back to the customer. This service is available on all device exchange service orders directly with Microsoft.
+Microsoft automatically checks every Surface for Autopilot enrollment and will deregister the device from the customer's tenant. Microsoft ensures the replacement device is enrolled into Windows Autopilot once a replacement is shipped back to the customer. This service is available on all device exchange service orders directly with Microsoft.
> [!NOTE]
> When customers use a Partner to return devices, the Partner is responsible for managing the exchange process including deregistering and enrolling devices into Windows Autopilot.
@@ -48,17 +48,15 @@ Select Surface partners can enroll Surface devices in Windows Autopilot for you
Surface partners that are enabled for Windows Autopilot include:
-- [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp)
-- [Atea](https://www.atea.com/)
-- [Bechtle](https://www.bechtle.com/marken/microsoft/microsoft-windows-autopilot)
-- [Cancom](https://www.cancom.de/)
-- [CDW](https://www.cdw.com/)
-- [Computacenter](https://www.computacenter.com/uk)
-- [Connection](https://www.connection.com/brand/microsoft/microsoft-surface)
-- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html)
-- [SHI](https://www.shi.com/Surface)
-- [Synnex](https://www.synnexcorp.com/us/microsoft/surface-autopilot/)
-- [Techdata](https://www.techdata.com/)
+| US partners | Global partners | US distributors |
+|--------------|---------------|-------------------|
+| * [CDW](https://www.cdw.com/) | * [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp) | * [Synnex](https://www.synnexcorp.com/us/microsoft/surface-autopilot/) |
+| * [Connection](https://www.connection.com/brand/microsoft/microsoft-surface) | * [ATEA](https://www.atea.com/) | * [Techdata](https://www.techdata.com/) |
+| * [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html) | * [Bechtle](https://www.bechtle.com/marken/microsoft/microsoft-windows-autopilot) | * [Ingram](https://go.microsoft.com/fwlink/p/?LinkID=2128954) |
+| * [SHI](https://www.shi.com/Surface) | * [Cancom](https://www.cancom.de/) | |
+| * [LDI Connect](https://www.myldi.com/managed-it/) | * [Computacenter](https://www.computacenter.com/uk) | |
+| * [F1](https://www.functiononeit.com/#empower) | | |
+| * [Protected Trust](https://go.microsoft.com/fwlink/p/?LinkID=2129005) | | |
## Learn more
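Review bot: the `* ` prefix inside each table cell (`| * [CDW](https://www.cdw.com/) | ...`) is not list syntax within a Markdown table; it renders as a literal asterisk before every partner name, so drop the prefix and let each cell hold just the link. Two further points on the same table: "Atea" is renamed "ATEA" with no change to its URL, so confirm the casing is intended, and the two new entries for Ingram and Protected Trust use `go.microsoft.com/fwlink` redirect links where every other row links to the partner's own site; a direct URL would keep the list consistent and reviewable.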
diff --git a/devices/surface/windows-virtual-desktop-surface.md b/devices/surface/windows-virtual-desktop-surface.md
new file mode 100644
index 0000000000..80434c8eb7
--- /dev/null
+++ b/devices/surface/windows-virtual-desktop-surface.md
@@ -0,0 +1,158 @@
+---
+title: Windows Virtual Desktop on Surface
+description: This article explains how Surface devices deliver an ideal end node for Windows Virtual Desktop solutions, providing customers with flexible form factors, Windows 10 modern device security and manageability, and support for persistent, on-demand & just-in-time work scenarios.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.localizationpriority: medium
+ms.sitesec: library
+author: coveminer
+ms.author: greglin
+ms.topic: article
+ms.date: 5/20/2020
+ms.reviewer: rohenr
+manager: laurawi
+audience: itpro
+---
+
+# Windows Virtual Desktop on Surface
+
+## Introduction
+
+Windows Virtual Desktop on Surface lets you run Virtual Desktop Infrastructure (VDI) on a Surface device blurring the lines between the local desktop experience and the virtual desktop where touch, pen, ink, and biometric authentication span both physical and virtual environments. Representing another milestone in the evolution of computing, Windows Virtual Desktop on Surface 1 combines Microsoft 365 - virtualized in the Azure cloud - with the advanced security protections, enterprise-level manageability, and enhanced productivity tools of Windows 10 on Surface. This fusion of premium form factor and Virtual Desktop Infrastructure in Azure provides exceptional customer value across user experiences, portability, security, business continuity, and modern management.
+
+### Windows Virtual Desktop
+
+Windows Virtual Desktop (WVD) is a comprehensive desktop and app virtualization service running in the Azure cloud. It’s the only virtual desktop infrastructure that delivers simplified management, multi-session Windows 10, optimizations for Office 365 ProPlus, and support for Remote Desktop Services (RDS) environments. With WVD you can quickly deploy and scale Windows desktops and apps on Azure and get built-in security and compliance features.
+
+### Windows Virtual Desktop partner integrations
+
+For a list of approved partner providers and independent software vendors for Windows Virtual Desktop, see [Windows Virtual Desktop partner integrations](https://docs.microsoft.com/azure/virtual-desktop/partners). Some partners also provide Virtual Desktop as a Service (DaaS). DaaS frees you from having to maintain your own virtual machines (VMs) by providing a fully managed, turnkey desktop and virtualization service. The ability to deliver customized desktops to users anywhere in the world enables companies to quickly adjust to changing market conditions by spinning up cloud desktops on-demand - when and where they’re needed.
+
+## Microsoft Surface Devices
+
+Surface engineering has long set new standards for innovation by going beyond the keyboard and mouse to imagine more natural ways of interacting with devices, whether by touch, voice, ink, or Surface Dial. And with chip-to-cloud integration of Microsoft 365 and the security and manageability of Windows 10 Pro, Surface delivers connected hardware, software, apps, and services the way they were intended. Although it’s possible to run WVD from Windows devices dating back to Windows 7, Microsoft Surface devices provide unique advantages including support for:
+
+- **Flexible form factors** - like 2-in-1 devices such as Surface Go 2, Surface Pro 7 and Surface Pro X with pen, touch and detachable keyboard.
+- **Persistent, on-demand and just-in-time work scenarios** - with offline and on-device access for more productive experiences.
+- **Windows 10 modern device security and manageability** - providing the flexibility to be productive anywhere.
+
+## Flexible form factors and premium user experience
+
+The Microsoft Surface for Business family comprises a diverse portfolio of form factors including traditional laptops, all-in-one machines, and 2-in-1 devices. Surface devices deliver experiences people love with the choice and flexibility they need in order to work on their terms.
+
+### The modern virtual desktop endpoint
+
+Surface 2-in-1 devices, including [Surface Go 2](https://www.microsoft.com/p/surface-go-2) (10.5”), [Surface Pro 7](https://www.microsoft.com/surface/devices/surface-pro-7/) (12”) and [Surface Pro X](https://www.microsoft.com/p/surface-pro-x/) (13”), provide users with the ideal cloud desktop endpoint bringing together the optimal balance of portability, versatility, power, and all-day battery. From site engineers relying on Surface Go 2 in tablet mode to financial advisors attaching Surface Pro 7 to a dock and multiple monitors, 2-in-1 devices deliver the versatility that has come to define the modern workplace.
+
+ Unlike traditional, fixed VDI “terminals”, Surface devices allow users to work from anywhere and enable companies to remain viable and operational during unforeseen events -- from severe weather to public health emergencies. With support for persistent, on-demand and just-in-time scenarios, Surface devices effectively help companies sustain ongoing operations and mitigate risk from disruptive events. Features designed to enhance productivity on Surface 2-in-1 devices include:
+
+- Vibrant, high resolution displays with 3:2 aspect ratio to get work done.
+- Natural inking and multi-touch for more immersive experiences.
+- With a wide variety of built-in and third-party accessibility features, Surface devices let you choose how to interact with your device, express ideas, and get work done.
+- Far-field mics and high-performance speakers for improved virtual meetings.
+- Biometric security including built-in, Windows Hello camera that comes standard on every Surface device.
+- Long battery life 2 and fast charging.
+- LTE options 3 on modern devices like Surface Pro X and Surface Go 2 for hassle-free and secure connectivity.
+- Support for a wide range of peripherals such as standard printers, 3D printers, cameras, credit card readers, barcode scanners, and many others. A large ecosystem of Designed for Surface partners provides licensed and certified Surface accessories.
+- Broad range of Device Redirection support.
+
+### Device Redirection Support
+
+The Surface-centric productivity experiences listed above become even more compelling in Windows Virtual Desktop environments by taking advantage of device redirection capabilities with Windows 10. Surface provides a broad range of device redirection support, especially when compared to OEM thin clients and fixed terminals, Android, iOS/macOS and Web-based access. The Windows Inbox (MSTSC) and Windows Desktop (MSRDC) clients provide the most device redirection capabilities including Input Redirection (keyboard, mouse, pen and touch), Port Redirection (serial and USB) and Other Redirections (cameras, clipboard, local drive/storage, location, microphones, printers, scanners, smart cards and speakers). For a detailed comparison of device redirection support refer to the [device redirection documentation](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/clients/remote-desktop-app-compare#redirection-support).
+
+### Familiar Desktop Experience
+
+Not only does running the Windows Desktop Client on Surface devices provide users with a broad set of device redirection capabilities, it lets everyone launch apps in familiar ways — directly from the Start Menu or Search bar.
+
+### Persistent, on-demand and just-in-time work scenarios
+
+Windows Virtual Desktop on Surface helps customers meet increasingly complex business and security requirements across industries, employee roles, and work environments. These include:
+
+- Multi-layered security of access to data and organizational resources.
+- Compliance with industry regulations.
+- Support for an increasingly elastic workforce.
+- Employee-specific needs across a variety of job functions.
+- Ability to support specialized, processor-intensive workloads.
+- Resilience for sustaining operations during disruptions.
+
+### Table 1. Windows Virtual Desktop business conversations
+
+| Security & regulation | Elastic workforce | Work Roles | Special workloads | Business continuity |
+| ---------------------------------------------------- | ---------------------------------------------------------------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------------------------- | ---------------------------------------------------- |
+| - Financial Services - Healthcare - Government | - Merger & acquisition - Short term employees - Contractors & partners | - BYOD & mobile - Customer support/service - Branch workers | - Design & engineering - Support for legacy apps - Software dev & test | - On demand - Just-in-Time (JIT) - Work @ Home |
+
+### Offline and on-device access for more productive experiences
+
+Traditionally, VDI solutions only work when the endpoint is connected to the internet. But what happens when the internet or power is unavailable for any reason (due to mobility, being on a plane, or power outages, and so on)?
+
+To support business continuity and keep employees productive, Surface devices can easily augment the virtual desktop experience with offline access to files, Microsoft 365 and third-party applications. Traditional apps like Microsoft Office, available across .x86, x64, Universal Windows Platform, ARM platforms, enable users to stay productive in “offline mode”. Files from the virtual desktop cloud environment can be synced locally on Surface using OneDrive for Business for offline access as well. You can have the confidence that all locally “cached” information is up-to-date and secure.
+
+In addition to adding support for offline access to apps and files, Surface devices are designed to optimize collaborative experiences like Microsoft Teams “On-Device”. Although some VDI solutions support the use of Teams through a virtual session, users can benefit from the more optimized experience provided by a locally installed instance of Teams. Localizing communications and collaboration apps for multimedia channels like voice, video, live captioning allows organizations to take full advantage of Surface devices’ ability to provide optimized Microsoft 365 experiences. The emergence of Surface artificial intelligence (AI) or “AI-on-device” brings new capabilities to life, such as eye gaze technology that adjusts the appearance of your eyes so the audience sees you looking directly at the camera when communicating via video.
+
+An alternative to locally installing traditional applications is to take advantage of the latest version of Microsoft Edge, which comes with support for Progressive Web Apps (PWA). PWAs are just websites that are progressively enhanced to function like native apps on supporting platforms. The qualities of a PWA combine the best of the web and native apps by additional features, such as push notifications, background data refresh, offline support, and more.
+
+### Virtual GPUs
+
+GPUs are ideal for AI compute and graphics-intensive workloads, helping customers to fuel innovation through scenarios like high-end remote visualization, deep learning, and predictive analytics. However, this isn’t ideal for professionals who need to work remotely or while on the go because varying degrees of internal GPU horsepower are tied to the physical devices, limiting mobility and flexibility.
+
+To solve for this Azure offers the N-series family of Virtual Machines with NVIDIA GPU capabilities (vGPU). With vGPUs, IT can either share GPU performance across multiple virtual machines, or power demanding workloads by assigning multiple GPUs to a single virtual machine. For Surface this means that no matter what device you’re using, from the highly portable Surface Go 2 to the slim and stylish Surface Laptop 3, your device has access to powerful server-class graphics performance. Surface and vGPUs allow you to combine all the things you love about Surface, to include pen, touch, keyboard, trackpad and PixelSense displays, with graphics capability only available in high performance computing environments.
+
+Azure N-series brings these capabilities to life on your Surface device allowing you to work in any way you want, wherever you go. [Learn more about Azure N-Series and GPU optimized virtual machine sizes.](https://docs.microsoft.com/azure/virtual-machines/sizes-gpu)
+
+## Microsoft 365 and Surface
+
+Even in a virtualized desktop environment, Microsoft 365 and Surface deliver the experiences employees love, the protection organizations demand, and flexibility for teams to work their way. According to Forrester Research: 4
+
+- Microsoft 365-powered Surface devices give users up to 5 hours in weekly productivity gains with up to 9 hours saved per week for highly mobile workers, providing organizations with 112 percent ROI on Microsoft 365 with Surface
+- 75 percent agree Microsoft 365-powered Surface devices help improve employee satisfaction and retention
+- agree that Microsoft 365- powered Surface devices have helped improve employee satisfaction and retention.
+
+### Security and management
+
+From chip to cloud, Microsoft 365 and Surface helps organizations stay protected and up to date.
+With both Surface hardware and software designed, built, and tested by Microsoft, users can be confident they’re productive and protected by leading technologies from chip to cloud. With increased numbers of users working remotely, protecting corporate data and intellectual property becomes more paramount than ever. Windows Virtual Desktop on Surface is designed around a zero-trust security model in which every access request is strongly authenticated, authorized within policy constraints, and inspected for anomalies before granting access.
+
+By maximizing efficiencies from cloud computing, modern management enables IT to better serve the needs of users, stakeholders and customers in an increasingly competitive business environment. For example, you can get Surface devices up-and-running with minimal interaction from your team. Setup is automatic and self-serviced. Updates are quick and painless for both your team and your users. You can manage devices regardless of their physical location.
+
+Security and management features delivered with Windows Virtual Desktop on Surface include:
+
+- **Windows Update.** Keeping Windows up to date helps you stay ahead of new security threats. Windows 10 has been engineered from the ground up to be more secure and utilize the latest hardware capabilities to improve security. With a purpose-built UEFI 5 and Windows Update for Business that responds to evolving threats, end-to-end protection is secure and simplified.
+
+- **Hardware encryption.** Device encryption lets you protect the data on your Surface so it can only be accessed by authorized individuals. All Surface for Business devices feature a discrete Trusted Platform Module (dTPM) that is hardware-protected against intrusion while software uses protected keys and measurements to verify software validity.
+- **Windows Defender.** Windows Defender Antivirus brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices. The tool is built in and needs no extra agents to be deployed on-devices or in the VDI environment, simplifying management and optimizing device start up. Windows Defender is built in and needs no extra agents to be deployed on-device or in the VDI environment, simplifying management and optimizing device start up. The true out-of-the-box experience.
+- **Removable drives** - A subset of newer Surface devices feature removable SSD drives 6 providing greater control over data retention.
+- **Modern authentication -** Microsoft 365 and Surface is a unified platform delivering every Windows security feature (subject to licensing and enablement). All Surface portfolio devices ship with a custom-built camera, designed for Windows Hello for Business providing biometric security that persists seamlessly from on-device to VDI-based experiences.
+- **Modern firmware management** -Using Device Firmware Configuration Interface (DFCI),7 IT administrators can remotely disable hardware elements at a firmware level such as mics, USB ports, SD card slots, cameras, and Bluetooth which removes power to the peripheral. Windows Defender Credential Guard uses virtualization-based security so that only privileged system software can access them.
+- **Backward and forward compatibility** - Windows 10 devices provide backward and forward compatibility across hardware, software and services. Microsoft has a strong history of maintaining legacy support of hardware, peripherals, software and services while incorporating the latest technologies. Businesses can plan IT investments to have a long useful life.
+- **Bridge for legacy Windows 7 workloads** - For solution scenarios dependent on legacy Windows OS environments, enterprises can use VDI instances of Windows 7 running in Azure. This enables support on modern devices like Surface without the risk of relying on older Windows 7 machines that no longer receive the latest security updates. In addition to these “future proofing” benefits, migration of any legacy workloads becomes greatly simplified when modern Windows 10 hardware is already deployed.
+- **Zero-Touch Deployment** - Autopilot is the recommended modern management deployment option for Surface devices. Windows Autopilot on Surface is a cloud-based deployment technology in Windows 10. You can use Windows Autopilot on Surface to remotely deploy and configure devices in a zero-touch process right out of the box. Windows Autopilot-registered devices are identified over the Internet at first startup through a unique device signature that's called a hardware hash. They're automatically enrolled and configured by using modern management solutions such as Azure Active Directory (Azure AD) and mobile device management.
+
+### Surface devices: Minimizing environmental impacts
+
+Surface performs life cycle assessments to calculate the environmental impact of devices across key stages of product life cycle enabling Microsoft to minimize these impacts. Each Surface product has an ECO profile that includes details on greenhouse gas emissions, primary energy consumption and material composition data, packaging, recycling, and related criteria. To download profiles for each Surface device, see [ECO Profiles](https://www.microsoft.com/download/details.aspx?id=55974) on the Microsoft Download Center.
+
+## Summary
+
+Windows Virtual Desktop on Surface provides organizations with greater flexibility and resilience in meeting the diverse needs of users, stakeholders, and customers. Running Windows Virtual Desktop solutions on Surface devices provides unique advantages over continued reliance on legacy devices. Flexible form factors like Surface Go 2 and Surface Pro 7 connected to the cloud (or offline), enable users to be productive from anywhere, at any time. Whether employees work in persistent, on-demand, or just-in-time scenarios, Windows Virtual Desktop on Surface affords businesses with the versatility to sustain productivity throughout disruptions from public health emergencies or other unforeseen events. Using the built in, multi-layered security and modern manageability of Windows 10, companies can take advantage of an expanding ecosystem of cloud-based services to rapidly deploy and scale Windows desktops and apps. Simply put, Windows Virtual Desktop on Surface delivers critically needed technology to organizations and businesses of all sizes.
+
+## Learn more
+
+For more information, see the following resources:
+
+- [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/)
+- [Surface for Business](https://www.microsoft.com/surface/business)
+- [Modernize your workforce with Microsoft Surface](https://boards.microsoft.com/public/prism/103849?token=754435c36d)
+- [A guide to Surface Technical Content and Solutions](https://boards.microsoft.com/public/prism/104362/category/90968?token=09e688ec4a)
+- [Microsoft zero-trust security](https://www.microsoft.com/security/business/zero-trust)
+
+
+----------
+
+1. Windows Virtual Desktop on Surface refers to running Azure Virtual Desktop Infrastructure on a Surface device and is described here as an architectural solution, not a separately available product.
+2. Battery life varies significantly with settings, usage and other factors.
+3. Service availability and performance subject to service provider’s network. Contact your service provider for details, compatibility, pricing, SIM card, and activation. See all specs and frequencies at surface.com.
+4. Forrester Consulting, “A Forrester Total Economic Impact™ Study: Maximizing Your ROI from Microsoft 365 Enterprise with Microsoft Surface,” commissioned by Microsoft, 2018.
+5. Surface Go and Surface Go 2 use a third-party UEFI and do not support DFCI. DFCI is currently available for Surface Book 3, Surface Laptop 3, Surface Pro 7, and Surface Pro X. Find out more about managing Surface UEFI settings.
+6. Removable SSD is available on Surface Laptop 3 and Surface Pro X. Note that hard drive is not user removable. Hard drive is only removable a by skilled technician following Microsoft instructions.
+7. DFCI is currently available for Surface Book 3, Surface Laptop 3, Surface Pro 7, and Surface Pro X. [Find out more](https://docs.microsoft.com/surface/manage-surface-uefi-settings) about managing Surface UEFI settings.
+
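Review bot: The Windows Defender bullet repeats itself: "The tool is built in and needs no extra agents to be deployed on-devices or in the VDI environment, simplifying management and optimizing device start up." is followed by the same sentence again (with "on-device"), then the fragment "The true out-of-the-box experience."; keep one copy and drop the fragment. In the Modern firmware management bullet, the Credential Guard sentence ("so that only privileged system software can access them") has no antecedent for "them" and is unrelated to DFCI; either name what Credential Guard isolates or give it its own bullet. The footnote markers are fused into the text as plain digits ("UEFI 5", "SSD drives 6", "(DFCI),7") and should be superscripts or links; footnote 5 and footnote 7 repeat the same DFCI device list (only 7 carries the link); footnote 6 reads "removable a by skilled technician"; and the list mixes three bullet styles ("**Windows Update.**", "**Removable drives** -", "**Modern authentication -**"), which should be made uniform.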
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
index e74ce568f1..8ba6fec5bb 100644
--- a/education/windows/autopilot-reset.md
+++ b/education/windows/autopilot-reset.md
@@ -64,7 +64,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
**To trigger Autopilot Reset**
-1. From the Windows device lock screen, enter the keystroke: **CTRL +  + R**.
+1. From the Windows device lock screen, enter the keystroke: **CTRL + Windows key + R**.

diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index 688b66c92b..71f603bec9 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 08/31/2017
+ms.date:
ms.reviewer:
manager: dansimp
---
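Review bot: Clearing `ms.date` to an empty value in the front matter drops the article's last-updated metadata rather than refreshing it; set it to the date of this change, as the App-V file later in this same patch does (`ms.date: 04/02/2020`).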
@@ -32,7 +32,7 @@ In Windows 10, version 1703 (Creators Update), it is straightforward to configur
| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This is already set | This is already set | The policy must be set |
| **Cortana** | **AllowCortana** | Disables Cortana * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. |
| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This is already set | This is already set | The policy must be set |
-| **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge | Depending on your specific requirements, there are different ways to configure this as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | Depending on your specific requirements, there are different ways to configure this as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | Depending on your specific requirements, there are different ways to configure this as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) |
+| **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge. See [Ad-free search with Bing](#ad-free-search-with-bing | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) |
| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) | This is already set | This is already set | The policy must be set |
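Review bot: The link in the third cell of the new Bing search advertising row is unterminated: `See [Ad-free search with Bing](#ad-free-search-with-bing |` is missing the closing parenthesis, so the cell renders the raw bracket text instead of a link. Change it to `See [Ad-free search with Bing](#ad-free-search-with-bing) |`. The three remaining cells now carry identical "View configuration instructions" text, which the description cell already links to, so they could simply repeat "See above" or be shortened.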
@@ -150,34 +150,10 @@ For example:

## Ad-free search with Bing
-Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. Additional information is available at https://www.bing.com/classroom/about-us.
-
-> [!NOTE]
-> If you enable the guest account in shared PC mode, students using the guest account will not have an ad-free experience searching with Bing in Microsoft Edge unless the PC is connected to your school network and your school network has been configured as described in [IP registration for entire school network using Microsoft Edge](#ip-registration-for-entire-school-network-using-microsoft-edge).
+Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States.
### Configurations
-#### IP registration for entire school network using Microsoft Edge
-Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bingintheclassroom@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email.
-
-**District information**
-- **District or School Name:**
-- **Outbound IP Addresses (IP Range + CIDR):**
-- **Address:**
-- **City:**
-- **State Abbreviation:**
-- **Zip Code:**
-
-**Registrant information**
-- **First Name:**
-- **Last Name:**
-- **Job Title:**
-- **Email Address:**
-- **Opt-In for Email Announcements?:**
-- **Phone Number:**
-
-This will suppress ads when searching with Bing on Microsoft Edge when the PC is connected to the school network.
-
#### Azure AD and Office 365 Education tenant
To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps:
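Review bot: Removing the IP registration section also removes the note that guest-account users in shared PC mode do not get the ad-free experience unless the school network is registered; the two methods that remain both depend on an Azure AD or Office 365 sign-in, so the page should still state that guest accounts are not covered. Also confirm that no other page links to the `#ip-registration-for-entire-school-network-using-microsoft-edge` anchor before it disappears, and keep a blank line between the remaining intro sentence and the `### Configurations` heading.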
@@ -185,6 +161,8 @@ To suppress ads when searching with Bing on Microsoft Edge on any network, follo
2. Domain join the Windows 10 PCs to your Azure AD tenant (this is the same as your Office 365 tenant).
3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
4. Have students sign in with their Azure AD identity, which is the same as your Office 365 identity, to use the PC.
+> [!NOTE]
+> If you are verifying your Office 365 domain to prove education status (step 1 above), you may need to wait up to 7 days for the ad-free experience to take effect. Microsoft recommends not to roll out the browser to your students until that time.
#### Office 365 sign-in to Bing
To suppress ads only when the student signs into Bing with their Office 365 account in Microsoft Edge, follow these steps:
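Review bot: No blank line is added before `> [!NOTE]` or after it, so the alert sits directly against step 4 and the `#### Office 365 sign-in to Bing` heading; insert a blank line on each side so the note is not parsed as a continuation of the list item. The parenthetical "(step 1 above)" refers to a step outside this hunk; "verifying your Office 365 domain" already identifies it, so the number can go and the note will not break if the list is renumbered.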
@@ -192,8 +170,6 @@ To suppress ads only when the student signs into Bing with their Office 365 acco
1. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
2. Have students sign into Bing with their Office 365 account.
-### More information
-For more information on all the possible Bing configuration methods, see https://aka.ms/e4ahor.
## Related topics
[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
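Review bot: Deleting the "More information" section removes the page's only remaining pointer to the full set of Bing configuration methods (https://aka.ms/e4ahor), on top of the IP registration method removed earlier in this patch; if the target is retired, say so in the PR description, otherwise move the link under Related topics instead of dropping it.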
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index c081cfa696..280778ccb4 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -558,16 +558,16 @@ Complete the following steps to select the appropriate Office 365 Education lice
1. Determine the number of faculty members and students who will use the classroom. Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan.
-2. Determine the faculty members and students who need to install Microsoft Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Office 365 ProPlus plans). Table 8 lists the advantages and disadvantages of standard and Office 365 ProPlus plans.
+2. Determine the faculty members and students who need to install Microsoft Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Microsoft 365 Apps for enterprise plans). Table 8 lists the advantages and disadvantages of standard and Microsoft 365 Apps for enterprise plans.
|Plan |Advantages |Disadvantages |
|----- |----------- |------------- |
- |Office 365 Education |
Less expensive than Office 365 ProPlus
Can be run from any device
No installation necessary
|
Must have an Internet connection to use it
Does not support all the features found in Office 365 ProPlus
|
- |Office 365 ProPlus |
Only requires an Internet connection every 30 days (for activation)
Supports the full set of Office features
Can be installed on five devices per user (there is no limit to the number of devices on which you can run Office apps online)
|
Requires installation
More expensive than Office 365 Education
|
+ |Office 365 Education |
Less expensive than Microsoft 365 Apps for enterprise
Can be run from any device
No installation necessary
|
Must have an Internet connection to use it
Does not support all the features found in Microsoft 365 Apps for enterprise
|
+ |Microsoft 365 Apps for enterprise |
Only requires an Internet connection every 30 days (for activation)
Supports the full set of Office features
Can be installed on five devices per user (there is no limit to the number of devices on which you can run Office apps online)
|
Requires installation
More expensive than Office 365 Education
|
- *Table 8. Comparison of standard and Office 365 ProPlus plans*
+ *Table 8. Comparison of standard and Microsoft 365 Apps for enterprise plans*
- The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
+ The best user experience is to run Microsoft 365 Apps for enterprise or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
3. Determine whether students or faculty need Azure Rights Management.
@@ -1259,7 +1259,7 @@ Your MDT deployment share and Microsoft Endpoint Configuration Manager are now r
## Capture the reference image
-The reference device is a device that you use as the template for all the other devices in your district. On this device, you install any Windows desktop apps the classroom needs. For example, install the Windows desktop apps for Office 365 ProPlus if you selected that student license plan.
+The reference device is a device that you use as the template for all the other devices in your district. On this device, you install any Windows desktop apps the classroom needs. For example, install the Windows desktop apps for Microsoft 365 Apps for enterprise if you selected that student license plan.
After you deploy Windows 10 and the desktop apps to the reference device, you capture an image of the device (the reference image). You import the reference image to an MDT deployment share or into Configuration Manager. Finally, you create a task sequence to deploy the reference image to faculty and student devices.
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index f582026716..5631f3e6ab 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -173,9 +173,9 @@ Complete the following steps to select the appropriate Office 365 Education lice
Determine the number of faculty members and students who will use the classroom. Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan.
-
Determine the faculty members and students who need to install Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Office 365 ProPlus plans). Table 1 lists the advantages and disadvantages of standard and Office 365 ProPlus plans.
+
Determine the faculty members and students who need to install Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Microsoft 365 Apps for enterprise plans). Table 1 lists the advantages and disadvantages of standard and Microsoft 365 Apps for enterprise plans.
-Table 1. Comparison of standard and Microsoft Office 365 ProPlus plans
+Table 1. Comparison of standard and Microsoft Microsoft 365 Apps for enterprise plans
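Review bot: The replacement caption reads "Microsoft Microsoft 365 Apps for enterprise plans"; replacing "Office 365 ProPlus" with "Microsoft 365 Apps for enterprise" left the preceding "Microsoft" in place. Change it to "Table 1. Comparison of standard and Microsoft 365 Apps for enterprise plans".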
@@ -191,13 +191,13 @@ Complete the following steps to select the appropriate Office 365 Education lice
-
Standard
Less expensive than Office 365 ProPlus
Can be run from any device
No installation necessary
Must have an Internet connection to use it
Does not support all the features found in Office 365 ProPlus
+
Standard
Less expensive than Microsoft 365 Apps for enterprise
Can be run from any device
No installation necessary
Must have an Internet connection to use it
Does not support all the features found in Microsoft 365 Apps for enterprise
Office ProPlus
Only requires an Internet connection every 30 days (for activation)
Supports full set of Office features
Requires installation
Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online)
-The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
+The best user experience is to run Microsoft 365 Apps for enterprise or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
Determine whether students or faculty need Azure Rights Management. You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see Azure Rights Management.
Record the Office 365 Education license plans needed for the classroom in Table 2.
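Review bot: The rename is incomplete in this hunk: the unchanged row label "Office ProPlus" (the line before "Only requires an Internet connection every 30 days") still carries the old product name while the surrounding cells now say "Microsoft 365 Apps for enterprise"; rename that cell as well so this table matches Table 8 in the district guide, which uses the new name in the row label.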
@@ -506,7 +506,7 @@ Assign SharePoint Online resource permissions to Office 365 security groups, not
**Note** If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
-For information about creating security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
+For information about creating security groups, see [Create and manage Microsoft 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
You can add and remove users from security groups at any time.
@@ -520,7 +520,7 @@ You can create email distribution groups based on job role (such as teachers, ad
**Note** Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps.
-For information about how to create security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
+For information about how to create security groups, see [Create and manage Microsoft 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
### Summary
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index 3149237ba1..de941be3c6 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -83,7 +83,7 @@ Applies to: IT admins
Self-service sign up makes it easier for teachers and students in your organization to get started with **Minecraft: Education Edition**. If you have self-service sign up enabled in your tenant, teachers can assign **Minecraft: Education Edition** to students before they have a work or school account. Students receive an email that steps them through the process of signing up for a work or school account. For more information on self-service sign up, see [Using self-service sign up in your organization](https://support.office.com/article/Using-self-service-sign-up-in-your-organization-4f8712ff-9346-4c6c-bb63-a21ad7a62cbd?ui=en-US&rs=en-US&ad=US).
### Domain verification
-For education organizations, domain verification ensures you are on the academic verification list. As an admin, you might need to verify your domain using the Office 365 portal. For more information, see [Verify your Office 365 domain to prove ownership, nonprofit or education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590?ui=en-US&rs=en-US&ad=US).
+For education organizations, domain verification ensures you are on the academic verification list. As an admin, you might need to verify your domain using the Microsoft 365 admin center. For more information, see [Verify your Office 365 domain to prove ownership, nonprofit or education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590?ui=en-US&rs=en-US&ad=US).
## Acquire apps
Applies to: IT admins and teachers
diff --git a/education/windows/images/edu-districtdeploy-fig1.png b/education/windows/images/edu-districtdeploy-fig1.png
index a9ed962f95..9e9cd6c238 100644
Binary files a/education/windows/images/edu-districtdeploy-fig1.png and b/education/windows/images/edu-districtdeploy-fig1.png differ
diff --git a/education/windows/images/edu-districtdeploy-fig2.png b/education/windows/images/edu-districtdeploy-fig2.png
index 3838c18153..dfa00a0132 100644
Binary files a/education/windows/images/edu-districtdeploy-fig2.png and b/education/windows/images/edu-districtdeploy-fig2.png differ
diff --git a/education/windows/images/edu-districtdeploy-fig4.png b/education/windows/images/edu-districtdeploy-fig4.png
index c55ee20d47..ca07e5a968 100644
Binary files a/education/windows/images/edu-districtdeploy-fig4.png and b/education/windows/images/edu-districtdeploy-fig4.png differ
diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md
index 7d74f93c5d..fe8d0d640e 100644
--- a/education/windows/set-up-school-pcs-whats-new.md
+++ b/education/windows/set-up-school-pcs-whats-new.md
@@ -21,7 +21,7 @@ Learn what’s new with the Set up School PCs app each week. Find out about new
## Week of September 23, 2019
### Easier way to deploy Office 365 to your classroom devices
- Microsoft Office now appears as an option on the **Apps** screen. Select the app to add it to your provisioning package. Devices install Office 365 ProPlus. This version includes the cloud-connected and most current versions of apps such as Word, PowerPoint, Excel, and Teams.
+ Microsoft Office now appears as an option on the **Apps** screen. Select the app to add it to your provisioning package. Devices install Microsoft 365 Apps for enterprise. This version includes the cloud-connected and most current versions of apps such as Word, PowerPoint, Excel, and Teams.
## Week of June 24, 2019
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 501e3f3249..136499ee4c 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -93,7 +93,7 @@ Enter email addresses for your students, and each student will get an email with

You can assign the app to students with work or school accounts.
- If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Office 365 portal where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin.
+ If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Microsoft 365 admin center where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin.
**To finish Minecraft install (for students)**
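Review bot: Replacing "Office 365 portal" with "Microsoft 365 admin center" does not fit this sentence: the link is sent to students so they can create their own account through self-service sign up, and the admin center is an administrator-only surface. Use a neutral phrase such as "a link where they can create a work or school account" rather than naming the admin center.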
diff --git a/mdop/appv-v5/app-v-51-supported-configurations.md b/mdop/appv-v5/app-v-51-supported-configurations.md
index 09c8b0842f..5d7e251bfa 100644
--- a/mdop/appv-v5/app-v-51-supported-configurations.md
+++ b/mdop/appv-v5/app-v-51-supported-configurations.md
@@ -10,18 +10,18 @@ ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
-ms.date: 09/27/2016
+ms.date: 04/02/2020
---
# App-V 5.1 Supported Configurations
+>Applies to: Windows 10, version 1607; Window Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 (Extended Security Update)
This topic specifies the requirements to install and run Microsoft Application Virtualization (App-V) 5.1 in your environment.
## App-V Server system requirements
-
This section lists the operating system and hardware requirements for all of the App-V Server components.
### Unsupported App-V 5.1 Server scenarios
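Review bot: The new "Applies to" line has a typo, "Window Server 2019" should be "Windows Server 2019", and it is written as `>Applies to:` with no space after the `>`; use `> Applies to:` to match the `> [!NOTE]` blockquotes added later in this file. The 2008 R2 entry says "(Extended Security Update)" while the tables below link the phrase; consider linking it here too so the support condition is explained once.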
@@ -42,48 +42,16 @@ The App-V 5.1 Server does not support the following scenarios:
The following table lists the operating systems that are supported for the App-V 5.1 Management server installation.
-**Note**
-Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). See [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976) for more information.
-
-
-
-
-
-
-
-
-
-
-
-
Operating system
-
Service Pack
-
System architecture
-
-
-
-
-
Microsoft Windows Server 2016
-
-
64-bit
-
-
-
Microsoft Windows Server 2012 R2
-
-
64-bit
-
-
-
Microsoft Windows Server 2012
-
-
64-bit
-
-
-
Microsoft Windows Server 2008 R2
-
SP1
-
64-bit
-
-
-
+> [!NOTE]
+> Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). See [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976) for more information.
+ | Operating System | Service Pack | System Architecture |
+|----------------------------------|--------------|---------------------|
+| Microsoft Windows Server 2019 | | 64-bit |
+| Microsoft Windows Server 2016 | | 64-bit |
+| Microsoft Windows Server 2012 R2 | | 64-bit |
+| Microsoft Windows Server 2012 | | 64-bit |
+| Microsoft Windows Server 2008 R2 [Extended Security Update](https://www.microsoft.com/windows-server/extended-security-updates)| SP1 | 64-bit |
**Important**
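Review bot: The new management-server table at `| Operating System |` follows the `> [!NOTE]` blockquote with no blank line between them, so the header row can be read as a lazy continuation of the note's paragraph and rendered inside the alert instead of as a table; insert a blank line after the note. The header row also has a leading space (` | Operating System |`) that the other header rows in this patch do not; remove it. The added Windows Server 2019 row and the Extended Security Update link on the 2008 R2 row are consistent with the new "Applies to" line.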
@@ -157,44 +125,13 @@ For more information on user configuration files with SQL server 2016 or later,
The following table lists the operating systems that are supported for the App-V 5.1 Publishing server installation.
-
-
-
-
-
-
-
-
-
Operating system
-
Service Pack
-
System architecture
-
-
-
-
-
Microsoft Windows Server 2016
-
-
64-bit
-
-
-
Microsoft Windows Server 2012 R2
-
-
64-bit
-
-
-
Microsoft Windows Server 2012
-
-
64-bit
-
-
-
Microsoft Windows Server 2008 R2
-
SP1
-
64-bit
-
-
-
-
-
+| Operating System | Service Pack | System Architecture |
+|----------------------------------|--------------|---------------------|
+| Microsoft Windows Server 2019 | | 64-bit |
+| Microsoft Windows Server 2016 | | 64-bit |
+| Microsoft Windows Server 2012 R2 | | 64-bit |
+| Microsoft Windows Server 2012 | | 64-bit |
+| Microsoft Windows Server 2008 R2 [Extended Security Update](https://www.microsoft.com/windows-server/extended-security-updates) | SP1 | 64-bit |
### Publishing server hardware requirements
@@ -210,44 +147,13 @@ App-V adds no additional requirements beyond those of Windows Server.
The following table lists the operating systems that are supported for the App-V 5.1 Reporting server installation.
-
-
-
-
-
-
-
-
-
Operating system
-
Service Pack
-
System architecture
-
-
-
-
-
Microsoft Windows Server 2016
-
-
64-bit
-
-
-
Microsoft Windows Server 2012 R2
-
-
64-bit
-
-
-
Microsoft Windows Server 2012
-
-
64-bit
-
-
-
Microsoft Windows Server 2008 R2
-
SP1
-
64-bit
-
-
-
-
-
+| Operating System | Service Pack | System Architecture |
+|----------------------------------|--------------|---------------------|
+| Microsoft Windows Server 2019 | | 64-bit |
+| Microsoft Windows Server 2016 | | 64-bit |
+| Microsoft Windows Server 2012 R2 | | 64-bit |
+| Microsoft Windows Server 2012 | | 64-bit |
+| Microsoft Windows Server 2008 R2 [Extended Security Update](https://www.microsoft.com/windows-server/extended-security-updates) | SP1 | 64-bit |
### Reporting server hardware requirements
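Review bot: this is the third copy of the identical OS-support table in this file (Management, Publishing and Reporting servers all get the same rows, the same Windows Server 2019 addition and the same ESU link). Consider moving the table into an include file so that future support-matrix changes, for example when an ESU period ends, are made in one place; as with the other tables, a blank line is needed before `### Reporting server hardware requirements`.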
@@ -309,10 +215,10 @@ The following table lists the SQL Server versions that are supported for the App
## App-V client system requirements
-
The following table lists the operating systems that are supported for the App-V 5.1 client installation.
-**Note:** With the Windows 10 Anniversary release (aka 1607 version), the App-V client is in-box and will block installation of any previous version of the App-V client
+> [!NOTE]
+> With the Windows 10 Anniversary release (aka 1607 version), the App-V client is in-box and will block installation of any previous version of the App-V client
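Review bot: the converted note `> With the Windows 10 Anniversary release (aka 1607 version), the App-V client is in-box and will block installation of any previous version of the App-V client` is missing its terminal period, and `aka 1607 version` reads better as `version 1607`. Since this sentence is the reason the stand-alone App-V 5.1 client cannot be installed on current Windows 10, consider wording it as an explicit statement (for example, that the installer is blocked on Windows 10, version 1607 and later) so it is not read as a historical aside.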
@@ -371,44 +277,13 @@ The following list displays the supported hardware configuration for the App-V 5
The following table lists the operating systems that are supported for App-V 5.1 Remote Desktop Services (RDS) client installation.
-
-
-
-
-
-
-
-
-
Operating system
-
Service Pack
-
System architecture
-
-
-
-
-
Microsoft Windows Server 2016
-
-
64-bit
-
-
-
Microsoft Windows Server 2012 R2
-
-
64-bit
-
-
-
Microsoft Windows Server 2012
-
-
64-bit
-
-
-
Microsoft Windows Server 2008 R2
-
SP1
-
64-bit
-
-
-
-
-
+| Operating System | Service Pack | System Architecture |
+|----------------------------------|--------------|---------------------|
+| Microsoft Windows Server 2019 | | 64-bit |
+| Microsoft Windows Server 2016 | | 64-bit |
+| Microsoft Windows Server 2012 R2 | | 64-bit |
+| Microsoft Windows Server 2012 | | 64-bit |
+| Microsoft Windows Server 2008 R2 [Extended Security Update](https://www.microsoft.com/windows-server/extended-security-updates) | SP1 | 64-bit |
### Remote Desktop Services client hardware requirements
@@ -422,62 +297,18 @@ App-V adds no additional requirements beyond those of Windows Server.
## Sequencer system requirements
-
The following table lists the operating systems that are supported for the App-V 5.1 Sequencer installation.
-
-
-
-
-
-
-
-
-
Operating system
-
Service pack
-
System architecture
-
-
-
-
-
Microsoft Windows Server 2016
-
-
64-bit
-
-
-
Microsoft Windows Server 2012 R2
-
-
64-bit
-
-
-
Microsoft Windows Server 2012
-
-
64-bit
-
-
-
Microsoft Windows Server 2008 R2
-
SP1
-
64-bit
-
-
-
Microsoft Windows 10
-
-
32-bit and 64-bit
-
-
-
Microsoft Windows 8.1
-
-
32-bit and 64-bit
-
-
-
Microsoft Windows 7
-
SP1
-
32-bit and 64-bit
-
-
-
-
-
+| Operating System | Service Pack | System Architecture |
+|----------------------------------|--------------|---------------------|
+| Microsoft Windows Server 2019 | | 64-bit |
+| Microsoft Windows Server 2016 | | 64-bit |
+| Microsoft Windows Server 2012 R2 | | 64-bit |
+| Microsoft Windows Server 2012 | | 64-bit |
+| Microsoft Windows Server 2008 R2 [Extended Security Update](https://www.microsoft.com/windows-server/extended-security-updates) | SP1 | 64-bit |
+| Microsoft Windows 10 | | 32-bit and 64-bit |
+| Microsoft Windows 8.1 | | 32-bit and 64-bit |
+| Microsoft Windows 7 | SP1 | 32-bit and 64-bit |
### Sequencer hardware requirements
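Review bot: the Sequencer table gives `Microsoft Windows Server 2008 R2` an Extended Security Update link but lists `| Microsoft Windows 7 | SP1 | 32-bit and 64-bit |` with no such qualifier, although Windows 7 SP1 left extended support on the same date (January 2020) and is likewise covered only under ESU; either add the same link to the Windows 7 row or state the support status for both consistently. A blank line is also needed before `### Sequencer hardware requirements`.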
@@ -485,7 +316,6 @@ See the Windows or Windows Server documentation for the hardware requirements. A
## Supported versions of System Center Configuration Manager
-
The App-V client supports the following versions of System Center Configuration Manager:
- Microsoft System Center 2012 Configuration Manager
@@ -496,7 +326,8 @@ The App-V client supports the following versions of System Center Configuration
The following App-V and System Center Configuration Manager version matrix shows all officially supported combinations of App-V and Configuration Manager.
-**Note:** Both App-V 4.5 and 4.6 have exited Mainstream support.
+> [!NOTE]
+> Both App-V 4.5 and 4.6 have exited Mainstream support.
@@ -549,23 +380,8 @@ The following App-V and System Center Configuration Manager version matrix shows
For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx).
-
-
-
-
-
## Related topics
-
[Planning to Deploy App-V](planning-to-deploy-app-v51.md)
[App-V 5.1 Prerequisites](app-v-51-prerequisites.md)
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md
index c781eb4fea..a2dc196c47 100644
--- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md
+++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md
@@ -20,7 +20,7 @@ ms.date: 06/16/2016
After you have properly deployed the Microsoft Application Virtualization (App-V) 5.1 sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application.
**Note**
-For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx).
+For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx).
**Note**
The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated.
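Review bot: percent-encoding the spaces in the Sequencing Guide URL is correct, but the unchanged note below it, `The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral.`, will render with `<x>` swallowed as an HTML tag; escape it (`CO_\<x\>`) or put the pattern in backticks. The two `**Note**` labels in this hunk are also left in the old style while the rest of this commit converts such notes to `> [!NOTE]`.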
diff --git a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
index 6ac193ddbc..ec3642bc65 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
@@ -101,7 +101,7 @@ Before you deploy Office by using App-V, review the following requirements.
Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services:
-
Office 365 ProPlus
+
Microsoft 365 Apps for enterprise
Visio Pro for Office 365
Project Pro for Office 365
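Review bot: only `Office 365 ProPlus` is renamed to `Microsoft 365 Apps for enterprise` in this list; `Visio Pro for Office 365` and `Project Pro for Office 365` keep their old names. If that is deliberate because those SKUs were not rebranded at the same time, fine, but otherwise update them in the same pass so the list is not half old, half new.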
@@ -640,7 +640,7 @@ Use the steps in this section to enable Office plug-ins with your Office package
1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet.
-2. Sequence your plug-ins using the App-V 5.0 Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
+2. Sequence your plug-ins using the App-V 5.0 Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It is recommended you use Microsoft 365 Apps for enterprise(non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
3. Create an App-V 5.0 package that includes the desired plug-ins.
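Review bot: `Microsoft 365 Apps for enterprise(non-virtual)` in step 2 is missing a space before the parenthesis, carried over from the original `Office 365 ProPlus(non-virtual)`; since the line is being rewritten anyway, fix the spacing here.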
diff --git a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md
index 2e781bfa2b..3c08f56eaf 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md
@@ -100,7 +100,7 @@ Before you deploy Office by using App-V, review the following requirements.
Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services:
-
Office 365 ProPlus
+
Microsoft 365 Apps for enterprise
Visio Pro for Office 365
Project Pro for Office 365
@@ -648,7 +648,7 @@ Use the steps in this section to enable Office plug-ins with your Office package
1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet.
-2. Sequence your plug-ins using the App-V 5.1 Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
+2. Sequence your plug-ins using the App-V 5.1 Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It is recommended you use Microsoft 365 Apps for enterprise(non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
3. Create an App-V 5.1 package that includes the desired plug-ins.
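Review bot: `Microsoft 365 Apps for enterprise(non-virtual)` in step 2 still lacks a space before the parenthesis; add it while the line is being rewritten.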
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
index f66484192f..2856f34f5d 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
@@ -102,7 +102,7 @@ Before you deploy Office by using App-V, review the following requirements.
Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services:
-
Office 365 ProPlus
+
Microsoft 365 Apps for enterprise
Visio Pro for Office 365
Project Pro for Office 365
@@ -293,7 +293,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
Channel (attribute of Add element)
-
Optional. Specifies the update channel for the product that you want to download or install.
For more information about update channels, see Overview of update channels for Office 365 ProPlus.
+
Optional. Specifies the update channel for the product that you want to download or install.
For more information about update channels, see Overview of update channels for Microsoft 365 Apps for enterprise.
Channel="Deferred"
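Review bot: the rewritten description still refers to `Overview of update channels for Microsoft 365 Apps for enterprise` as bare text with no link, so a reader cannot reach the referenced article; since the sentence is being touched, turn the title into a link. The unchanged example `Channel="Deferred"` below it is consistent with the attribute described.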
@@ -348,7 +348,7 @@ After you download the Office 2016 applications through the Office Deployment To
The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make.
->**Note** You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
+>**Note** You can use the Office Deployment Tool to create App-V packages for Microsoft 365 Apps for enterprise. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
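Review bot: `>**Note** You can use the Office Deployment Tool to create App-V packages for Microsoft 365 Apps for enterprise.` keeps the old bold-label-in-blockquote style with no space after `>`, whereas the rest of this commit converts such notes to `> [!NOTE]` on its own line; convert it here too. The constraint it states (volume-licensed Office Professional Plus and Office Standard cannot be packaged this way) is exactly the kind of thing the callout style exists for.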
@@ -588,7 +588,7 @@ Use the steps in this section to enable Office plug-ins with your Office package
1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet.
-2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
+2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Microsoft 365 Apps for enterprise(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
3. Create an App-V package that includes the desired plug-ins.
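Review bot: `Microsoft 365 Apps for enterprise(non-virtual)` in step 2 still lacks a space before the parenthesis; add it while the line is being rewritten.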
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
index 317e8df4e7..6d6021c95e 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
@@ -102,7 +102,7 @@ Before you deploy Office by using App-V, review the following requirements.
Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services:
-
Office 365 ProPlus
+
Microsoft 365 Apps for enterprise
Visio Pro for Office 365
Project Pro for Office 365
@@ -293,7 +293,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
Branch (attribute of Add element)
-
Optional. Specifies the update branch for the product that you want to download or install.
For more information about update branches, see Overview of update branches for Office 365 ProPlus.
+
Optional. Specifies the update branch for the product that you want to download or install.
For more information about update branches, see Overview of update branches for Microsoft 365 Apps for enterprise.
Branch = "Business"
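Review bot: this hunk renames the product but leaves the attribute as `Branch`, with the example `Branch = "Business"`, while the App-V 5.0 version of the same article in this commit documents the attribute as `Channel` with `Channel="Deferred"`. The Office Deployment Tool replaced the Branch attribute with Channel, so the two articles now disagree on the attribute name; align this one with the `Channel` wording (or at least note that Branch is the legacy name) and link the referenced overview article rather than naming it as plain text.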
@@ -348,7 +348,7 @@ After you download the Office 2016 applications through the Office Deployment To
The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make.
->**Note** You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
+>**Note** You can use the Office Deployment Tool to create App-V packages for Microsoft 365 Apps for enterprise. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
@@ -588,7 +588,7 @@ Use the steps in this section to enable Office plug-ins with your Office package
1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet.
-2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
+2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Microsoft 365 Apps for enterprise(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
3. Create an App-V package that includes the desired plug-ins.
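Review bot: `Microsoft 365 Apps for enterprise(non-virtual)` in step 2 still lacks a space before the parenthesis; add it while the line is being rewritten.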
diff --git a/mdop/appv-v5/deploying-the-app-v-51-server.md b/mdop/appv-v5/deploying-the-app-v-51-server.md
index 10380a684e..ddfa7f25d1 100644
--- a/mdop/appv-v5/deploying-the-app-v-51-server.md
+++ b/mdop/appv-v5/deploying-the-app-v-51-server.md
@@ -13,37 +13,27 @@ ms.prod: w10
ms.date: 06/16/2016
---
-
# Deploying the App-V 5.1 Server
-
You can install the Microsoft Application Virtualization (App-V) 5.1 server features by using different deployment configurations, which described in this topic. Before you install the server features, review the server section of [App-V 5.1 Security Considerations](app-v-51-security-considerations.md).
For information about deploying the App-V Server, see [About App-V 5.1](about-app-v-51.md#bkmk-migrate-to-51).
-**Important**
-Before you install and configure the App-V 5.1 servers, you must specify a port where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to access the specified ports. The installer does not modify firewall settings.
-
-
+> [!IMPORTANT]
+> Before you install and configure the App-V 5.1 servers, you must specify a port where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to access the specified ports. The installer does not modify firewall settings.
## App-V 5.1 Server overview
-
The App-V 5.1 Server is made up of five components. Each component serves a different purpose within the App-V 5.1 environment. Each of the five components is briefly described here:
-- Management Server – provides overall management functionality for the App-V 5.1 infrastructure.
-
-- Management Database – facilitates database predeployments for App-V 5.1 management.
-
-- Publishing Server – provides hosting and streaming functionality for virtual applications.
-
-- Reporting Server – provides App-V 5.1 reporting services.
-
-- Reporting Database – facilitates database predeployments for App-V 5.1 reporting.
+- Management Server – provides overall management functionality for the App-V 5.1 infrastructure.
+- Management Database – facilitates database predeployments for App-V 5.1 management.
+- Publishing Server – provides hosting and streaming functionality for virtual applications.
+- Reporting Server – provides App-V 5.1 reporting services.
+- Reporting Database – facilitates database predeployments for App-V 5.1 reporting.
## App-V 5.1 stand-alone deployment
-
The App-V 5.1 standalone deployment provides a good topology for a small deployment or a test environment. When you use this type of implementation, all server components are deployed to a single computer. The services and associated databases will compete for the resources on the computer that runs the App-V 5.1 components. Therefore, you should not use this topology for larger deployments.
[How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md)
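Review bot: the unchanged intro sentence `You can install the Microsoft Application Virtualization (App-V) 5.1 server features by using different deployment configurations, which described in this topic.` is missing `are` (`which are described`); fix it while the file is being reflowed. The heading `## App-V 5.1 stand-alone deployment` is immediately followed by `The App-V 5.1 standalone deployment provides...`; pick one spelling. The `> [!IMPORTANT]` conversion is good; because the installer does not touch firewall settings, that callout should link to wherever the per-component ports are documented, so that administrators open only the specific ports they chose rather than a broad range.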
@@ -52,7 +42,6 @@ The App-V 5.1 standalone deployment provides a good topology for a small deploym
## App-V 5.1 Server distributed deployment
-
The distributed deployment topology can support a large App-V 5.1 client base and it allows you to more easily manage and scale your environment. When you use this type of deployment, the App-V 5.1 Server components are deployed across multiple computers, based on the structure and requirements of the organization.
[How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md)
@@ -67,19 +56,15 @@ The distributed deployment topology can support a large App-V 5.1 client base an
## Using an Enterprise Software Distribution (ESD) solution and App-V 5.1
-
You can also deploy the App-V 5.1 clients and packages by using an ESD without having to deploy App-V 5.1. The full capabilities for integration will vary depending on the ESD that you use.
-**Note**
-The App-V 5.1 reporting server and reporting database can still be deployed alongside the ESD to collect the reporting data from the App-V 5.1 clients. However, the other three server components should not be deployed, because they will conflict with the ESD functionality.
-
-
+> [!NOTE]
+> The App-V 5.1 reporting server and reporting database can still be deployed alongside the ESD to collect the reporting data from the App-V 5.1 clients. However, the other three server components should not be deployed, because they will conflict with the ESD functionality.
[Deploying App-V 5.1 Packages by Using Electronic Software Distribution (ESD)](deploying-app-v-51-packages-by-using-electronic-software-distribution--esd-.md)
## App-V 5.1 Server logs
-
You can use App-V 5.1 server log information to help troubleshoot the server installation and operational events while using App-V 5.1. The server-related log information can be reviewed with the **Event Viewer**. The following line displays the specific path for Server-related events:
**Event Viewer \\ Applications and Services Logs \\ Microsoft \\ App V**
@@ -92,14 +77,11 @@ In App-V 5.0 SP3, some logs were consolidated and moved. See [About App-V 5.0 SP
## App-V 5.1 reporting
-
App-V 5.1 reporting allows App-V 5.1 clients to collect data and then send it back to be stored in a central repository. You can use this information to get a better view of the virtual application usage within your organization. The following list displays some of the types of information the App-V 5.1 client collects:
-- Information about the computer that runs the App-V 5.1 client.
-
-- Information about virtualized packages on a specific computer that runs the App-V 5.1 client.
-
-- Information about package open and shutdown for a specific user.
+- Information about the computer that runs the App-V 5.1 client.
+- Information about virtualized packages on a specific computer that runs the App-V 5.1 client.
+- Information about package open and shutdown for a specific user.
The reporting information will be maintained until it is successfully sent to the reporting server database. After the data is in the database, you can use Microsoft SQL Server Reporting Services to generate any necessary reports.
@@ -111,19 +93,4 @@ Use the following link for more information [About App-V 5.1 Reporting](about-ap
## Other resources for the App-V server
-
[Deploying App-V 5.1](deploying-app-v-51.md)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-51-server-using-a-script.md b/mdop/appv-v5/how-to-deploy-the-app-v-51-server-using-a-script.md
index e3c13b3c79..5a39bf03ab 100644
--- a/mdop/appv-v5/how-to-deploy-the-app-v-51-server-using-a-script.md
+++ b/mdop/appv-v5/how-to-deploy-the-app-v-51-server-using-a-script.md
@@ -10,787 +10,371 @@ ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
-ms.date: 06/16/2016
+ms.date: 03/20/2020
---
-
# How to Deploy the App-V 5.1 Server Using a Script
-
In order to complete the **appv\_server\_setup.exe** Server setup successfully using the command line, you must specify and combine multiple parameters.
-**To Install the App-V 5.1 server using a script**
-
-- Use the following tables for more information about installing the App-V 5.1 server using the command line.
-
- **Note**
- The information in the following tables can also be accessed using the command line by typing the following command: **appv\_server\_setup.exe /?**.
-
-
-
-~~~
-**Common parameters and Examples**
-
-
-
-
-
-
-
-
-
To Install the Management server and Management database on a local machine.
-
To use the default instance of Microsoft SQL Server, use the following parameters:
-
-
/MANAGEMENT_SERVER
-
/MANAGEMENT_ADMINACCOUNT
-
/MANAGEMENT_WEBSITE_NAME
-
/MANAGEMENT_WEBSITE_PORT
-
/DB_PREDEPLOY_MANAGEMENT
-
/MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT
-
/MANAGEMENT_DB_NAME
-
-
To use a custom instance of Microsoft SQL Server, use the following parameters:
-
-
/MANAGEMENT_SERVER
-
/MANAGEMENT_ADMINACCOUNT
-
/MANAGEMENT_WEBSITE_NAME
-
/MANAGEMENT_WEBSITE_PORT
-
/DB_PREDEPLOY_MANAGEMENT
-
/MANAGEMENT_DB_CUSTOM_SQLINSTANCE
-
/MANAGEMENT_DB_NAME
-
-
Using a custom instance of Microsoft SQL Server example:
Specifies layout action. This extracts the MSIs and script files to a folder without actually installing the product. No value is expected.
-
-
-
/LAYOUTDIR
-
Specifies the layout directory. Takes a string. For example, /LAYOUTDIR=”C:\Application Virtualization Server”
-
-
-
/INSTALLDIR
-
Specifies the installation directory. Takes a string. E.g. /INSTALLDIR=”C:\Program Files\Application Virtualization\Server”
-
-
-
/MUOPTIN
-
Enables Microsoft Update. No value is expected
-
-
-
/ACCEPTEULA
-
Accepts the license agreement. This is required for an unattended installation. Example usage: /ACCEPTEULA or /ACCEPTEULA=1.
-
-
-
-
-
-
-**Management Server Installation Parameters**
-
-
-
-
-
-
-
-
-
Parameter
-
Information
-
-
-
-
-
/MANAGEMENT_SERVER
-
Specifies that the management server will be installed. No value is expected
-
-
-
/MANAGEMENT_ADMINACCOUNT
-
Specifies the account that will be allowed to Administrator access to the management server This account can be an individual user account or a group. Example usage: /MANAGEMENT_ADMINACCOUNT=”mydomain\admin”. If /MANAGEMENT_SERVER is not specified, this will be ignored. Specifies the account that will be allowed to Administrator access to the management server. This can be a user account or a group. For example, /MANAGEMENT_ADMINACCOUNT="mydomain\admin".
-
-
-
/MANAGEMENT_WEBSITE_NAME
-
Specifies name of the website that will be created for the management service. For example, /MANAGEMENT_WEBSITE_NAME=”Microsoft App-V Management Service”
-
-
-
MANAGEMENT_WEBSITE_PORT
-
Specifies the port number that will be used by the management service will use. For example, /MANAGEMENT_WEBSITE_PORT=82.
-
-
-
-
-
-
-**Parameters for the Management Server Database**
-
-
-
-
-
-
-
-
-
Parameter
-
Information
-
-
-
-
-
/DB_PREDEPLOY_MANAGEMENT
-
Specifies that the management database will be installed. You must have sufficient database permissions to complete this installation. No value is expected
-
-
-
/MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT
-
Indicates that the default SQL instance should be used. No value is expected.
-
-
-
/MANAGEMENT_DB_ CUSTOM_SQLINSTANCE
-
Specifies the name of the custom SQL instance that should be used to create a new database. Example usage: /MANAGEMENT_DB_ CUSTOM_SQLINSTANCE=”MYSQLSERVER”. If /DB_PREDEPLOY_MANAGEMENT is not specified, this will be ignored.
-
-
-
/MANAGEMENT_DB_NAME
-
Specifies the name of the new management database that should be created. Example usage: /MANAGEMENT_DB_NAME=”AppVMgmtDB”. If /DB_PREDEPLOY_MANAGEMENT is not specified, this will be ignored.
-
-
-
/MANAGEMENT_SERVER_MACHINE_USE_LOCAL
-
Indicates if the management server that will be accessing the database is installed on the local server. Switch parameter so no value is expected.
-
-
-
/MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT
-
Specifies the machine account of the remote machine that the management server will be installed on. Example usage: /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT=”domain\computername”
-
-
-
/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
-
Indicates the Administrator account that will be used to install the management server. Example usage: /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT =”domain\alias”
-
-
-
-
-
-
-**Parameters for Installing Publishing Server**
-
-
-
-
-
-
-
-
-
Parameter
-
Information
-
-
-
-
-
/PUBLISHING_SERVER
-
Specifies that the Publishing Server will be installed. No value is expected
-
-
-
/PUBLISHING_MGT_SERVER
-
Specifies the URL to Management Service the Publishing server will connect to. Example usage: http://<management server name>:<Management server port number>. If /PUBLISHING_SERVER is not used, this parameter will be ignored
-
-
-
/PUBLISHING_WEBSITE_NAME
-
Specifies name of the website that will be created for the publishing service. For example, /PUBLISHING_WEBSITE_NAME=”Microsoft App-V Publishing Service”
-
-
-
/PUBLISHING_WEBSITE_PORT
-
Specifies the port number used by the publishing service. For example, /PUBLISHING_WEBSITE_PORT=83
-
-
-
-
-
-
-**Parameters for Reporting Server**
-
-
-
-
-
-
-
-
-
Parameter
-
Information
-
-
-
-
-
/REPORTING_SERVER
-
Specifies that the Reporting Server will be installed. No value is expected
-
-
-
/REPORTING_WEBSITE_NAME
-
Specifies name of the website that will be created for the Reporting Service. E.g. /REPORTING_WEBSITE_NAME="Microsoft App-V ReportingService"
-
-
-
/REPORTING_WEBSITE_PORT
-
Specifies the port number that the Reporting Service will use. E.g. /REPORTING_WEBSITE_PORT=82
-
-
-
-
-
-
-**Parameters for using an Existing Reporting Server Database**
-
-
-
-
-
-
-
-
-
Parameter
-
Information
-
-
-
-
-
/EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL
-
Indicates that the Microsoft SQL Server is installed on the local server. Switch parameter so no value is expected.
-
-
-
/EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME
-
Specifies the name of the remote computer that SQL Server is installed on. Takes a string. E.g. /EXISTING_REPORTING_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1"
-
-
-
/EXISTING_ REPORTING _DB_SQLINSTANCE_USE_DEFAULT
-
Indicates that the default SQL instance is to be used. Switch parameter so no value is expected.
-
-
-
/EXISTING_ REPORTING_DB_CUSTOM_SQLINSTANCE
-
Specifies the name of the custom SQL instance that should be used. Takes a string. E.g. /EXISTING_REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"
-
-
-
/EXISTING_ REPORTING _DB_NAME
-
Specifies the name of the existing Reporting database that should be used. Takes a string. E.g. /EXISTING_REPORTING_DB_NAME="AppVReporting"
-
-
-
-
-
-
-**Parameters for installing Reporting Server Database**
-
-
-
-
-
-
-
-
-
Parameter
-
Information
-
-
-
-
-
/DB_PREDEPLOY_REPORTING
-
Specifies that the Reporting Database will be installed. DBA permissions are required for this installation. No value is expected
-
-
-
/REPORTING_DB_SQLINSTANCE_USE_DEFAULT
-
Specifies the name of the custom SQL instance that should be used. Takes a string. E.g. /REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"
-
-
-
/REPORTING_DB_NAME
-
Specifies the name of the new Reporting database that should be created. Takes a string. E.g. /REPORTING_DB_NAME="AppVMgmtDB"
-
-
-
/REPORTING_SERVER_MACHINE_USE_LOCAL
-
Indicates that the Reporting server that will be accessing the database is installed on the local server. Switch parameter so no value is expected.
-
-
-
/REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT
-
Specifies the machine account of the remote machine that the Reporting server will be installed on. Takes a string. E.g. /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT = "domain\computername"
-
-
-
/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
-
Indicates the Administrator account that will be used to install the App-V Reporting Server. Takes a string. E.g. /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT = "domain\alias"
-
-
-
-
-
-
-**Parameters for using an existing Management Server Database**
-
-
-
-
-
-
-
-
-
Parameter
-
Information
-
-
-
-
-
/EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL
-
Indicates that the SQL Server is installed on the local server. Switch parameter so no value is expected.If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.
-
-
-
/EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME
-
Specifies the name of the remote computer that SQL Server is installed on. Takes a string. E.g. /EXISTING_MANAGEMENT_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1"
-
-
-
/EXISTING_ MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT
-
Indicates that the default SQL instance is to be used. Switch parameter so no value is expected. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.
-
-
-
/EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE
-
Specifies the name of the custom SQL instance that will be used. Example usage /EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE=”AppVManagement”. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.
-
-
-
/EXISTING_MANAGEMENT_DB_NAME
-
Specifies the name of the existing management database that should be used. Example usage: /EXISTING_MANAGEMENT_DB_NAME=”AppVMgmtDB”. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.
-
-
Got a suggestion for App-V? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). Got an App-V issue? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
-
-
-
-~~~
+## Install the App-V 5.1 server using a script
+- Use the following information about installing the App-V 5.1 server using the command line.
+ > [!NOTE]
+ > The information in the following tables can also be accessed using the command line by typing the following command: **appv\_server\_setup.exe /?**.
+
+### Install the Management server and Management database on a local machine
+
+The following parameters are valid with both the default and custom instance of Microsoft SQL Server:
+
+- /MANAGEMENT_SERVER
+- /MANAGEMENT_ADMINACCOUNT
+- /MANAGEMENT_WEBSITE_NAME
+- /MANAGEMENT_WEBSITE_PORT
+- /DB_PREDEPLOY_MANAGEMENT
+- /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT
+- /MANAGEMENT_DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server**
+
+```dos
+appv_server_setup.exe /QUIET /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT="Domain\AdminGroup" /MANAGEMENT_WEBSITE_NAME="Microsoft AppV Management Service" /MANAGEMENT_WEBSITE_PORT="8080" /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /MANAGEMENT_DB_NAME="AppVManagement"
+```
+
+### Install the Management server using an existing Management database on a local machine
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /MANAGEMENT_SERVER
+- /MANAGEMENT_ADMINACCOUNT
+- /MANAGEMENT_WEBSITE_NAME
+- /MANAGEMENT_WEBSITE_PORT
+- /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL
+- */EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
+- /EXISTING_MANAGEMENT_DB_NAME
+
+To use a custom instance of Microsoft SQL Server, use the following parameters (difference from default instance in *italic*):
+
+- /MANAGEMENT_SERVER
+- /MANAGEMENT_ADMINACCOUNT
+- /MANAGEMENT_WEBSITE_NAME
+- /MANAGEMENT_WEBSITE_PORT
+- /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL
+- */EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
+- /EXISTING_MANAGEMENT_DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server**
+
+```dos
+appv_server_setup.exe /QUIET /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT="Domain\AdminGroup" /MANAGEMENT_WEBSITE_NAME="Microsoft AppV Management Service" /MANAGEMENT_WEBSITE_PORT="8080" /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE ="SqlInstanceName" /EXISTING_MANAGEMENT_DB_NAME ="AppVManagement"
+```
+
+### Install the Management server using an existing Management database on a remote machine
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /MANAGEMENT_SERVER
+- /MANAGEMENT_ADMINACCOUNT
+- /MANAGEMENT_WEBSITE_NAME
+- /MANAGEMENT_WEBSITE_PORT
+- /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME
+- */EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
+- /EXISTING_MANAGEMENT_DB_NAME
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /MANAGEMENT_SERVER
+- /MANAGEMENT_ADMINACCOUNT
+- /MANAGEMENT_WEBSITE_NAME
+- /MANAGEMENT_WEBSITE_PORT
+- /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME
+- */EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
+- /EXISTING_MANAGEMENT_DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT="Domain\AdminGroup" /MANAGEMENT_WEBSITE_NAME="Microsoft AppV Management Service" /MANAGEMENT_WEBSITE_PORT="8080" /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME="SqlServermachine.domainName" /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE ="SqlInstanceName" /EXISTING_MANAGEMENT_DB_NAME ="AppVManagement"
+```
+
+### Install the Management database and the Management Server on the same computer
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /DB_PREDEPLOY_MANAGEMENT
+- */MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
+- /MANAGEMENT_DB_NAME
+- /MANAGEMENT_SERVER_MACHINE_USE_LOCAL
+- /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /DB_PREDEPLOY_MANAGEMENT
+- */MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
+- /MANAGEMENT_DB_NAME
+- /MANAGEMENT_SERVER_MACHINE_USE_LOCAL
+- /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
+
+**Example: Using a custom instance of Microsoft SQL Server**
+
+```dos
+appv_server_setup.exe /QUIET /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /MANAGEMENT_DB_NAME="AppVManagement" /MANAGEMENT_SERVER_MACHINE_USE_LOCAL /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
+```
+
+### Install the Management database on a different computer than the Management server
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /DB_PREDEPLOY_MANAGEMENT
+- */MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
+- /MANAGEMENT_DB_NAME
+- /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT
+- /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /DB_PREDEPLOY_MANAGEMENT
+- */MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
+- /MANAGEMENT_DB_NAME
+- /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT
+- /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
+
+**Example: Using a custom instance of Microsoft SQL Server**
+
+```dos
+appv_server_setup.exe /QUIET /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /MANAGEMENT_DB_NAME="AppVManagement" /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT="Domain\MachineAccount" /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
+```
+
+### Install the publishing server
+
+To use the default instance of Microsoft SQL Server, use the following parameters:
+
+- /PUBLISHING_SERVER
+- /PUBLISHING_MGT_SERVER
+- /PUBLISHING_WEBSITE_NAME
+- /PUBLISHING_WEBSITE_PORT
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /PUBLISHING_SERVER /PUBLISHING_MGT_SERVER="http://ManagementServerName:ManagementPort" /PUBLISHING_WEBSITE_NAME="Microsoft AppV Publishing Service" /PUBLISHING_WEBSITE_PORT="8081"
+```
+
+### Install the Reporting server and Reporting database on a local machine
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /REPORTING _SERVER
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /DB_PREDEPLOY_REPORTING
+- */REPORTING _DB_SQLINSTANCE_USE_DEFAULT*
+- /REPORTING _DB_NAME
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /REPORTING _SERVER
+- */REPORTING _ADMINACCOUNT*
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /DB_PREDEPLOY_REPORTING
+- */REPORTING _DB_CUSTOM_SQLINSTANCE*
+- /REPORTING _DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /REPORTING_SERVER /REPORTING_WEBSITE_NAME="Microsoft AppV Reporting Service" /REPORTING_WEBSITE_PORT="8082" /DB_PREDEPLOY_REPORTING /REPORTING_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /REPORTING_DB_NAME="AppVReporting"
+```
+
+### Install the Reporting server and using an existing Reporting database on a local machine
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /REPORTING _SERVER
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL
+- */EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT*
+- /EXISTING_REPORTING _DB_NAME
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /REPORTING _SERVER
+- */REPORTING _ADMINACCOUNT*
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL
+- */EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE*
+- /EXISTING_REPORTING _DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /REPORTING_SERVER /REPORTING_WEBSITE_NAME="Microsoft AppV Reporting Service" /REPORTING_WEBSITE_PORT="8082" /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /EXITING_REPORTING_DB_NAME="AppVReporting"
+```
+
+### Install the Reporting server using an existing Reporting database on a remote machine
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /REPORTING _SERVER
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME
+- */EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT*
+- /EXISTING_REPORTING _DB_NAME
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /REPORTING _SERVER
+- */REPORTING _ADMINACCOUNT*
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME
+- */EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE*
+- /EXISTING_REPORTING _DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /REPORTING_SERVER /REPORTING_WEBSITE_NAME="Microsoft AppV Reporting Service" /REPORTING_WEBSITE_PORT="8082" /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME="SqlServerMachine.DomainName" /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /EXITING_REPORTING_DB_NAME="AppVReporting"
+```
+
+### Install the Reporting database on the same computer as the Reporting server
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /DB_PREDEPLOY_REPORTING
+- */REPORTING _DB_SQLINSTANCE_USE_DEFAULT*
+- /REPORTING _DB_NAME
+- /REPORTING_SERVER_MACHINE_USE_LOCAL
+- /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /DB_PREDEPLOY_REPORTING
+- */REPORTING _DB_CUSTOM_SQLINSTANCE*
+- /REPORTING _DB_NAME
+- /REPORTING_SERVER_MACHINE_USE_LOCAL
+- /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /DB_PREDEPLOY_REPORTING /REPORTING_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /REPORTING_DB_NAME="AppVReporting" /REPORTING_SERVER_MACHINE_USE_LOCAL /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
+```
+
+### Install the Reporting database on a different computer than the Reporting server
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /DB_PREDEPLOY_REPORTING
+- /REPORTING _DB_SQLINSTANCE_USE_DEFAULT
+- /REPORTING _DB_NAME
+- /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT
+- /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /DB_PREDEPLOY_REPORTING
+- /REPORTING _DB_CUSTOM_SQLINSTANCE
+- /REPORTING _DB_NAME
+- /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT
+- /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+ appv_server_setup.exe /QUIET /DB_PREDEPLOY_REPORTING /REPORTING_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /REPORTING_DB_NAME="AppVReporting" /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT="Domain\MachineAccount" /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
+```
+
+### Parameter Definitions
+
+#### General Parameters
+
+| Parameter | Information |
+|--|--|
+| /QUIET | Specifies silent install. |
+| /UNINSTALL | Specifies an uninstall. |
+| /LAYOUT | Specifies layout action. This extracts the MSIs and script files to a folder without actually installing the product. No value is expected. |
+| /LAYOUTDIR | Specifies the layout directory. Takes a string. Example usage: **/LAYOUTDIR="C:\\Application Virtualization Server"** |
+| /INSTALLDIR | Specifies the installation directory. Takes a string. Example usage: **/INSTALLDIR="C:\\Program Files\\Application Virtualization\\Server"** |
+| /MUOPTIN | Enables Microsoft Update. No value is expected. |
+| /ACCEPTEULA | Accepts the license agreement. This is required for an unattended installation. Example usage: **/ACCEPTEULA** or **/ACCEPTEULA=1** |
+
+#### Management Server Installation Parameters
+
+|Parameter |Information |
+|--|--|
+| /MANAGEMENT_SERVER | Specifies that the management server will be installed. No value is expected |
+| /MANAGEMENT_ADMINACCOUNT | Specifies the account that will be allowed Administrator access to the management server. This can be a user account or a group. Example usage: **/MANAGEMENT_ADMINACCOUNT="mydomain\\admin"**. If **/MANAGEMENT_SERVER** is not specified, this will be ignored. |
+| /MANAGEMENT_WEBSITE_NAME | Specifies name of the website that will be created for the management service. Example usage: **/MANAGEMENT_WEBSITE_NAME="Microsoft App-V Management Service"** |
+| MANAGEMENT_WEBSITE_PORT | Specifies the port number that will be used by the management service will use. Example usage: **/MANAGEMENT_WEBSITE_PORT=82** |
+
+#### Parameters for the Management Server Database
+
+| Parameter | Information |
+|--|--|
+| /DB_PREDEPLOY_MANAGEMENT | Specifies that the management database will be installed. You must have sufficient database permissions to complete this installation. No value is expected. |
+| /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT | Indicates that the default SQL instance should be used. No value is expected. |
+| /MANAGEMENT_DB_ CUSTOM_SQLINSTANCE | Specifies the name of the custom SQL instance that should be used to create a new database. Example usage: **/MANAGEMENT_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"**. If **/DB_PREDEPLOY_MANAGEMENT** is not specified, this will be ignored. |
+| /MANAGEMENT_DB_NAME | Specifies the name of the new management database that should be created. Example usage: **/MANAGEMENT_DB_NAME="AppVMgmtDB"**. If **/DB_PREDEPLOY_MANAGEMENT** is not specified, this will be ignored. |
+| /MANAGEMENT_SERVER_MACHINE_USE_LOCAL | Indicates if the management server that will be accessing the database is installed on the local server. Switch parameter so no value is expected. |
+| /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT | Specifies the machine account of the remote machine that the management server will be installed on. Example usage: **/MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT="domain\\computername"** |
+| /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT | Indicates the Administrator account that will be used to install the management server. Example usage: **/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT ="domain\\alias"** |
+
+#### Parameters for Installing Publishing Server
+
+| Parameter | Information |
+|--|--|
+| /PUBLISHING_SERVER | Specifies that the Publishing Server will be installed. No value is expected. |
+| /PUBLISHING_MGT_SERVER | Specifies the URL to Management Service the Publishing server will connect to. Example usage: **http://<management server name>:<Management server port number>**. If **/PUBLISHING_SERVER** is not used, this parameter will be ignored. |
+| /PUBLISHING_WEBSITE_NAME | Specifies name of the website that will be created for the publishing service. Example usage: **/PUBLISHING_WEBSITE_NAME="Microsoft App-V Publishing Service"** |
+| /PUBLISHING_WEBSITE_PORT | Specifies the port number used by the publishing service. Example usage: **/PUBLISHING_WEBSITE_PORT=83** |
+
+#### Parameters for Reporting Server
+
+| Parameter | Information |
+|--|--|
+| /REPORTING_SERVER | Specifies that the Reporting Server will be installed. No value is expected. |
+| /REPORTING_WEBSITE_NAME | Specifies name of the website that will be created for the Reporting Service. Example usage: **/REPORTING_WEBSITE_NAME="Microsoft App-V ReportingService"** |
+| /REPORTING_WEBSITE_PORT | Specifies the port number that the Reporting Service will use. Example usage: **/REPORTING_WEBSITE_PORT=82** |
+
+#### Parameters for using an Existing Reporting Server Database
+
+| Parameter | Information |
+|--|--|
+| /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL | Indicates that the Microsoft SQL Server is installed on the local server. Switch parameter so no value is expected. |
+| /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME | Specifies the name of the remote computer that SQL Server is installed on. Takes a string. Example usage: **/EXISTING_REPORTING_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1"** |
+| /EXISTING_ REPORTING _DB_SQLINSTANCE_USE_DEFAULT | Indicates that the default SQL instance is to be used. Switch parameter so no value is expected. |
+| /EXISTING_ REPORTING_DB_CUSTOM_SQLINSTANCE | Specifies the name of the custom SQL instance that should be used. Takes a string. Example usage: **/EXISTING_REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"** |
+| /EXISTING_ REPORTING _DB_NAME | Specifies the name of the existing Reporting database that should be used. Takes a string. Example usage: **/EXISTING_REPORTING_DB_NAME="AppVReporting"** |
+
+#### Parameters for installing Reporting Server Database
+
+| Parameter | Information |
+|--|--|
+| /DB_PREDEPLOY_REPORTING | Specifies that the Reporting Database will be installed. DBA permissions are required for this installation. No value is expected. |
+| /REPORTING_DB_SQLINSTANCE_USE_DEFAULT | Specifies the name of the custom SQL instance that should be used. Takes a string. Example usage: **/REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"** |
+| /REPORTING_DB_NAME | Specifies the name of the new Reporting database that should be created. Takes a string. Example usage: **/REPORTING_DB_NAME="AppVMgmtDB"** |
+| /REPORTING_SERVER_MACHINE_USE_LOCAL | Indicates that the Reporting server that will be accessing the database is installed on the local server. Switch parameter so no value is expected. |
+| /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT | Specifies the machine account of the remote machine that the Reporting server will be installed on. Takes a string. Example usage: **/REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT="domain\computername"** |
+| /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT | Indicates the Administrator account that will be used to install the App-V Reporting Server. Takes a string. Example usage: **/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT="domain\\alias"** |
+
+#### Parameters for using an existing Management Server Database
+
+| Parameter | Information |
+|--|--|
+| /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL | Indicates that the SQL Server is installed on the local server. Switch parameter so no value is expected.If **/DB_PREDEPLOY_MANAGEMENT** is specified, this will be ignored. |
+| /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME | Specifies the name of the remote computer that SQL Server is installed on. Takes a string. Example usage: **/EXISTING_MANAGEMENT_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1"** |
+| /EXISTING_ MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT | Indicates that the default SQL instance is to be used. Switch parameter so no value is expected. If **/DB_PREDEPLOY_MANAGEMENT** is specified, this will be ignored. |
+| /EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE | Specifies the name of the custom SQL instance that will be used. Example usage **/EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE="AppVManagement"**. If **/DB_PREDEPLOY_MANAGEMENT** is specified, this will be ignored. |
+| /EXISTING_MANAGEMENT_DB_NAME | Specifies the name of the existing management database that should be used. Example usage: **/EXISTING_MANAGEMENT_DB_NAME="AppVMgmtDB"**. If **/DB_PREDEPLOY_MANAGEMENT** is specified, this will be ignored. |
+
+Got an App-V issue? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
-
[Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md)
-
-
-
-
-
-
-
-
-
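Review bot: several of the rewritten parameter lists and command lines use switch names the installer will not recognise, so the copy-pasteable examples fail as written. The Reporting server lists carry a stray space inside the name (`/REPORTING _SERVER`, `/REPORTING _WEBSITE_NAME`, `/EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE`), as do the definition tables (`/MANAGEMENT_DB_ CUSTOM_SQLINSTANCE`, `/EXISTING_ MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT`, `/EXISTING_ REPORTING _DB_NAME`); the two existing-reporting-database examples spell `/EXITING_REPORTING_DB_NAME`; and the existing-management-database examples put a space before `=` (`/EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE ="SqlInstanceName"`). The spaces were inherited from the old table, but the rewrite now repeats them in every list, so please normalise each name to the form `appv_server_setup.exe /?` prints. Two consistency problems: the General Parameters table says `/ACCEPTEULA` is required for an unattended installation, yet none of the `/QUIET` examples pass it, so the examples contradict the table's own requirement; and in the Reporting database table the `/REPORTING_DB_SQLINSTANCE_USE_DEFAULT` row carries the description and example of `/REPORTING_DB_CUSTOM_SQLINSTANCE` (which has no row at all), while `/REPORTING_DB_NAME` gives `AppVMgmtDB` as its example. Smaller items: `MANAGEMENT_WEBSITE_PORT` is missing its leading `/` and reads "the port number that will be used by the management service will use"; `/REPORTING _ADMINACCOUNT` appears only in the custom-instance lists and is defined in no table; and the Publishing server section opens with "To use the default instance of Microsoft SQL Server" and titles its example "Using a custom instance" although none of its four parameters refer to SQL Server. Finally, the publishing example hard-codes `/PUBLISHING_MGT_SERVER="http://ManagementServerName:ManagementPort"`; since this is the URL the publishing server trusts to reach the management service, a sentence telling readers to use `https://` when the management website is bound to a certificate would help.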
diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md b/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md
index c8faae6bae..521bf090aa 100644
--- a/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md
+++ b/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md
@@ -13,75 +13,42 @@ ms.prod: w10
ms.date: 06/16/2016
---
-
# How to Deploy the App-V Databases by Using SQL Scripts
-
Use the following instructions to use SQL scripts, rather than the Windows Installer, to:
-- Install the App-V 5.1 databases
+- Install the App-V 5.1 databases
+- Upgrade the App-V databases to a later version
-- Upgrade the App-V databases to a later version
+> [!NOTE]
+> If you have already deployed the App-V 5.0 SP3 database, the SQL scripts are not required to upgrade to App-V 5.1.
-**Note**
-If you have already deployed the App-V 5.0 SP3 database, the SQL scripts are not required to upgrade to App-V 5.1.
+## How to install the App-V databases by using SQL scripts
+1. Before you install the database scripts, review and keep a copy of the App-V license terms. By running the database scripts, you are agreeing to the license terms. If you do not accept them, you should not use this software.
+1. Copy the **appv\_server\_setup.exe** from the App-V release media to a temporary location.
+1. From a command prompt, run **appv\_server\_setup.exe** and specify a temporary location for extracting the database scripts.
+ Example: appv\_server\_setup.exe /layout c:\\<_temporary location path_>
-**How to install the App-V databases by using SQL scripts**
+1. Browse to the temporary location that you created, open the extracted **DatabaseScripts** folder, and review the appropriate Readme.txt file for instructions:
-1. Before you install the database scripts, review and keep a copy of the App-V license terms. By running the database scripts, you are agreeing to the license terms. If you do not accept them, you should not use this software.
+ | Database | Location of Readme.txt file to use |
+ |--|--|
+ | Management database | ManagementDatabase subfolder |
+ | Reporting database | ReportingDatabase subfolder |
-2. Copy the **appv\_server\_setup.exe** from the App-V release media to a temporary location.
+> [!CAUTION]
+> The readme.txt file in the ManagementDatabase subfolder is out of date. The information in the updated readme files below is the most current and should supersede the readme information provided in the **DatabaseScripts** folders.
-3. From a command prompt, run **appv\_server\_setup.exe** and specify a temporary location for extracting the database scripts.
-
- Example: appv\_server\_setup.exe /layout c:\\<temporary location path>
-
-4. Browse to the temporary location that you created, open the extracted **DatabaseScripts** folder, and review the appropriate Readme.txt file for instructions:
-
-
-
-
-
-
-
-
-
Database
-
Location of Readme.txt file to use
-
-
-
-
-
Management database
-
ManagementDatabase subfolder
-
-
-
Reporting database
-
ReportingDatabase subfolder
-
-
-
-
-
-
-~~~
-**Caution**
-The readme.txt file in the ManagementDatabase subfolder is out of date. The information in the updated readme files below is the most current and should supersede the readme information provided in the **DatabaseScripts** folders.
-
-
-
-**Important**
-The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3.
+> [!IMPORTANT]
+> The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3.
The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340). **Step 1** is not required for versions of App-V later than App-V 5.0 SP3.
-~~~
+## Updated management database README file content
-
-**Updated management database README file content**
-
-``` syntax
+```plaintext
******************************************************************
Before you install and use the Application Virtualization Database Scripts you must:
1.Review the Microsoft Application Virtualization Server 5.0 license terms.
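Review bot: the layout example in step 3, `appv\_server\_setup.exe /layout c:\\<_temporary location path_>`, still leaves the placeholder in raw angle brackets, which Markdown passes through as an HTML tag, so the rendered text ends at `c:\`; put the whole command in backticks or escape the brackets with `\<` and `\>`, matching the `\_` escapes already used on the line. Two placement issues in the same hunk: the `> [!CAUTION]` block is dedented to column 0 immediately after the indented Readme table, which terminates the numbered list, and the sentence "The Permissions.sql script should be updated according to **Step 2** in KB article 3031340 ..." follows `> [!IMPORTANT]` without a `>` prefix, so it drops out of the callout it belonged to in the old `**Important**` paragraph. Prefix that line with `>` so both sentences stay inside one callout, and indent the caution under step 4 if it is meant to apply to the Readme files that step points at.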
@@ -107,7 +74,7 @@ Steps to install "AppVManagement" schema in SQL SERVER.
2. Ensure the target SQL Server instance and SQL Server Agent service are running.
- 3. If you are not running the scripts directly on the server, ensure the
+ 3. If you are not running the scripts directly on the server, ensure the
necessary SQL Server client software is installed and available from
the specified location. Specifically, the "osql" command must
## be supported for these scripts to run.
@@ -120,7 +87,7 @@ Steps to install "AppVManagement" schema in SQL SERVER.
defaults are likely sufficient, it is suggested that the following
settings be reviewed:
- DATABASE - ensure name is satisfactory - default is "AppVManagement".
+ DATABASE - ensure name is satisfactory - default is "AppVManagement".
2. Review the Permissions.sql file and provide all the necessary account information
for setting up read and write access on the database. Note: Default settings
@@ -130,23 +97,23 @@ Steps to install "AppVManagement" schema in SQL SERVER.
## INSTALLATION:
- 1. Run the database.sql against the "master" database. Your user
+ 1. Run the database.sql against the "master" database. Your user
credential must have the ability to create databases.
This script will create the database.
- 2. Run the following scripts against the "AppVManagement" database using the
+ 2. Run the following scripts against the "AppVManagement" database using the
same account as above in order.
CreateTables.sql
CreateStoredProcs.sql
UpdateTables.sql
-## Permissions.sql
+## Permissions.sql
```
-**Updated reporting database README file content**
+## Updated reporting database README file content
-``` syntax
+```plaintext
******************************************************************
Before you install and use the Application Virtualization Database Scripts you must:
1.Review the Microsoft Application Virtualization Server 5.0 license terms.
@@ -188,7 +155,7 @@ Steps to install "AppVReporting" schema in SQL SERVER.
defaults are likely sufficient, it is suggested that the following
settings be reviewed:
- DATABASE - ensure name is satisfactory - default is "AppVReporting".
+ DATABASE - ensure name is satisfactory - default is "AppVReporting".
2. Review the Permissions.sql file and provide all the necessary account information
for setting up read and write access on the database. Note: Default settings
@@ -203,13 +170,13 @@ Steps to install "AppVReporting" schema in SQL SERVER.
## INSTALLATION:
- 1. Run the database.sql against the "master" database. Your user
+ 1. Run the database.sql against the "master" database. Your user
credential must have the ability to create databases.
This script will create the database.
2. If upgrading the database, run UpgradeDatabase.sql This will upgrade database schema.
- 2. Run the following scripts against the "AppVReporting" database using the
+ 2. Run the following scripts against the "AppVReporting" database using the
same account as above in order.
CreateTables.sql
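Review bot: the installation steps in this reporting README block have two consecutive steps numbered `2.` ("2. If upgrading the database, run UpgradeDatabase.sql ..." followed by "2. Run the following scripts against the "AppVReporting" database ..."); since the hunk already touches the second of these lines, renumber them or turn the upgrade step into a note, otherwise readers may read the second `2.` as an alternative to the first rather than the next step.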
@@ -222,20 +189,10 @@ Steps to install "AppVReporting" schema in SQL SERVER.
```
-**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
-
[Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md)
[How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md)
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md b/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md
index ed4ef04eb0..152d31ca72 100644
--- a/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md
+++ b/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md
@@ -13,19 +13,17 @@ ms.prod: w10
ms.date: 06/16/2016
---
-
# How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell
-
Use the following PowerShell procedure to convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs) both in the standard format and in the hexadecimal format used by Microsoft SQL Server when running SQL scripts.
Before attempting this procedure, you should read and understand the information and examples displayed in the following list:
-- **.INPUTS** – The account or accounts used to convert to SID format. This can be a single account name or an array of account names.
+- **.INPUTS** – The account or accounts used to convert to SID format. This can be a single account name or an array of account names.
-- **.OUTPUTS** - A list of account names with the corresponding SID in standard and hexadecimal formats.
+- **.OUTPUTS** - A list of account names with the corresponding SID in standard and hexadecimal formats.
-- **Examples** -
+- **Examples** -
**.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List**.
@@ -33,13 +31,10 @@ Before attempting this procedure, you should read and understand the information
**.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200**
- \#>
-
-**To convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs)**
+## To convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs)
1. Copy the following script into a text editor and save it as a PowerShell script file, for example **ConvertToSIDs.ps1**.
-
-2. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**.
+1. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**.
```powershell
<#
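Review bot: step 1 still tells readers to save the script as **ConvertToSIDs.ps1**, while every invocation on the page, including the examples in the comment-based help that the removed `\#>` used to close, calls `.\ConvertToSID.ps1`; pick one file name so the commands run as written. The removal of `\#>` is right (it was a stray comment terminator in the prose), but the heading change to `## To convert ...` leaves the two `1.` steps followed by a fenced script that is not indented under step 2, so the list ends before the code; indent the fence under the step, or make the script its own paragraph introduced by step 1 as the text already implies.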
@@ -61,7 +56,7 @@ Before attempting this procedure, you should read and understand the information
function ConvertSIDToHexFormat
{
- param(\[System.Security.Principal.SecurityIdentifier\]$sidToConvert)
+ param([System.Security.Principal.SecurityIdentifier]$sidToConvert)
$sb = New-Object System.Text.StringBuilder
[int] $binLength = $sidToConvert.BinaryLength
@@ -79,7 +74,7 @@ Before attempting this procedure, you should read and understand the information
[string]::Format("{0}====== Description ======{0}{0}" +
" Converts any number of user or machine account names to string and hexadecimal SIDs.{0}" +
- " Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.exe DOMAIN\\Account1 DOMAIN\\Account2 ...'){0}" +
+ " Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.ps1 DOMAIN\Account1 DOMAIN\Account2 ...'){0}" +
" The output is written to the console in the format 'Account name SID as string SID as hexadecimal'{0}" +
" And can be written out to a file using standard PowerShell redirection{0}" +
" Please specify user accounts in the format 'DOMAIN\username'{0}" +
@@ -131,17 +126,21 @@ Before attempting this procedure, you should read and understand the information
Write-Output $SIDs
}
}
-3. Run the script you saved in step one of this procedure passing the accounts to convert as arguments.
+ ```
+
+1. Run the script you saved in step one of this procedure passing the accounts to convert as arguments.
For example,
- **.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List” or “$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")**
+ **.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List**
+
+ or
+
+ **$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")**
+ **.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200**
- **.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200”**
-
- **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
-
[Administering App-V 5.1 by Using PowerShell](administering-app-v-51-by-using-powershell.md)
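Review bot: the second usage example in this hunk, `**.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200**`, pipes into a cmdlet that has no `-FilePath` or `-Width` parameter, so the line fails as written; `Out-File -FilePath .\SIDs.txt -Width 200` is the cmdlet that takes both. The array literal on the line above also has an inconsistent third element: `"DOMAIN\_user\_account2"` renders as `DOMAIN_user_account2`, with no `\` between domain and account, while the first two elements and the script's own help text use `DOMAIN\username`; it should read `"DOMAIN\\user\_account2"`. Consider moving both usage lines into a fenced `powershell` block like the script above them, which removes the need for the backslash and underscore escapes entirely.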
diff --git a/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md b/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md
index 77c7a3fd6a..ebe96992d3 100644
--- a/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md
+++ b/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md
@@ -13,114 +13,74 @@ ms.prod: w10
ms.date: 06/16/2016
---
-
# How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services
-
Use the following procedure to install the database server and management server on different computers. The computer you plan to install the database server on must be running a supported version of Microsoft SQL or the installation will fail.
-**Note**
-After you complete the deployment, the **Microsoft SQL Server name**, **instance name** and **database name** will be required by the administrator installing the service to be able to connect to these databases.
+> [!NOTE]
+> After you complete the deployment, the **Microsoft SQL Server name**, **instance name** and **database name** will be required by the administrator installing the service to be able to connect to these databases.
+## To install the management database and the management server on separate computers
+1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
+1. On the **Getting Started** page, review and accept the license terms, and click **Next**.
+1. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don't want to use Microsoft Update**. Click **Next**.
+1. On the **Feature Selection** page, select the components you want to install by selecting the **Management Server Database** checkbox and click **Next**.
+1. On the **Installation Location** page, accept the default location and click **Next**.
+1. On the initial **Create New Management Server Database page**, accept the default selections if appropriate, and click **Next**.
-**To install the management database and the management server on separate computers**
-
-1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
-
-2. On the **Getting Started** page, review and accept the license terms, and click **Next**.
-
-3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**.
-
-4. On the **Feature Selection** page, select the components you want to install by selecting the **Management Server Database** checkbox and click **Next**.
-
-5. On the **Installation Location** page, accept the default location and click **Next**.
-
-6. On the initial **Create New Management Server Database page**, accept the default selections if appropriate, and click **Next**.
-
- If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance.
-
+ If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance.\
If you are using a custom database name, then select **Custom configuration** and type the database name.
-7. On the next **Create New Management Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.
+1. On the next **Create New Management Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.
- **Note**
- If you plan to deploy the management server on the same computer you must select **Use this local computer**.
+ > [!NOTE]
+ > If you plan to deploy the management server on the same computer you must select **Use this local computer**.
+1. Specify the user name for the management server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
+1. To start the installation, click **Install**.
+## To install the reporting database and the reporting server on separate computers
-~~~
-Specify the user name for the management server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
-~~~
-
-8. To start the installation, click **Install**.
-
-**To install the reporting database and the reporting server on separate computers**
-
-1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
-
-2. On the **Getting Started** page, review and accept the license terms, and click **Next**.
-
-3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**.
-
-4. On the **Feature Selection** page, select the components you want to install by selecting the **Reporting Server Database** checkbox and click **Next**.
-
-5. On the **Installation Location** page, accept the default location and click **Next**.
-
-6. On the initial **Create New Reporting Server Database** page, accept the default selections if appropriate, and click **Next**.
+1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
+1. On the **Getting Started** page, review and accept the license terms, and click **Next**.
+1. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don't want to use Microsoft Update**. Click **Next**.
+1. On the **Feature Selection** page, select the components you want to install by selecting the **Reporting Server Database** checkbox and click **Next**.
+1. On the **Installation Location** page, accept the default location and click **Next**.
+1. On the initial **Create New Reporting Server Database** page, accept the default selections if appropriate, and click **Next**.
If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance.
-
If you are using a custom database name, then select **Custom configuration** and type the database name.
-7. On the next **Create New Reporting Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.
+1. On the next **Create New Reporting Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.
- **Note**
- If you plan to deploy the reporting server on the same computer you must select **Use this local computer**.
+ > [!NOTE]
+ > If you plan to deploy the reporting server on the same computer you must select **Use this local computer**.
+1. Specify the user name for the reporting server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
+1. To start the installation, click **Install**.
+## To install the management and reporting databases using App-V 5.1 database scripts
-~~~
-Specify the user name for the reporting server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
-~~~
+1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on.
+1. To extract the App-V 5.1 database scripts, open a command prompt and specify the location where the installation files are saved and run the following command:
-8. To start the installation, click **Install**.
+ **appv\_server\_setup.exe** **/LAYOUT** **/LAYOUTDIR="InstallationExtractionLocation"**.
-**To install the management and reporting databases using App-V 5.1 database scripts**
+1. After the extraction has been completed, to access the App-V 5.1 database scripts and instructions readme file:
-1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on.
+ - The App-V 5.1 Management Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Management Database**.
+ - The App-V 5.1 Reporting Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Reporting Database**.
-2. To extract the App-V 5.1 database scripts, open a command prompt and specify the location where the installation files are saved and run the following command:
+1. For each database, copy the scripts to a share and modify them following the instructions in the readme file.
- **appv\_server\_setup.exe** **/LAYOUT** **/LAYOUTDIR=”InstallationExtractionLocation”**.
+ > [!NOTE]
+ > For more information about modifying the required SIDs contained in the scripts, see [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md).
-3. After the extraction has been completed, to access the App-V 5.1 database scripts and instructions readme file:
+1. Run the scripts on the computer running Microsoft SQL Server.
- - The App-V 5.1 Management Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Management Database**.
-
- - The App-V 5.1 Reporting Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Reporting Database**.
-
-4. For each database, copy the scripts to a share and modify them following the instructions in the readme file.
-
- **Note**
- For more information about modifying the required SIDs contained in the scripts see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md).
-
-
-
-5. Run the scripts on the computer running Microsoft SQL Server.
-
- **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
-
[Deploying App-V 5.1](deploying-app-v-51.md)
-
-
-
-
-
-
-
-
-
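Review bot: the extraction command in the scripts procedure is typeset as three adjacent bold spans, `**appv\_server\_setup.exe** **/LAYOUT** **/LAYOUTDIR="InstallationExtractionLocation"**.`, which renders with odd spacing and a trailing period that readers may copy; an inline code span (`appv_server_setup.exe /LAYOUT /LAYOUTDIR="InstallationExtractionLocation"`) is clearer and needs no underscore escaping. The same applies to the two folder paths written as `**InstallationExtractionLocation** \\ **Database Scripts** \\ **Management Database**`. Smaller wording point carried over unchanged into the `+` lines: the first step of each procedure reads "to the computer on which you want to install it on"; drop the trailing "on".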
diff --git a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md
index 76656d39e1..38d5dc61eb 100644
--- a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md
+++ b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md
@@ -4,7 +4,6 @@ title: How to Revert Extension Points From an App-V 5.0 Package to an App-V 4.6
description: How to Revert Extension Points From an App-V 5.0 Package to an App-V 4.6 Package for a Specific User
ms.assetid: f1d2ab1f-0831-4976-b49f-169511d3382a
author: dansimp
-ms.assetid: f1d2ab1f-0831-4976-b49f-169511d3382a
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md b/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md
index 0345a45113..bad9d61431 100644
--- a/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md
+++ b/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md
@@ -4,7 +4,6 @@ title: How to Use an App-V 4.6 Application From an App-V 5.0 Application
description: How to Use an App-V 4.6 Application From an App-V 5.0 Application
ms.assetid: 4e78cb32-9c8b-478e-ae8b-c474a7e42487
author: msfttracyp
-ms.assetid: 4e78cb32-9c8b-478e-ae8b-c474a7e42487
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/mdop/appv-v5/planning-for-using-app-v-with-office.md b/mdop/appv-v5/planning-for-using-app-v-with-office.md
index 7f570f7070..bb0f791a10 100644
--- a/mdop/appv-v5/planning-for-using-app-v-with-office.md
+++ b/mdop/appv-v5/planning-for-using-app-v-with-office.md
@@ -61,7 +61,7 @@ The following table lists the versions of Microsoft Office that App-V supports,
-
Office 365 ProPlus
+
Microsoft 365 Apps for enterprise
Also supported:
Visio Pro for Office 365
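Review bot: this hunk replaces one blank line with another (`-` / `+`) inside the Office support table, so it is a whitespace-only or line-ending change; either drop it from the change set or note in the commit message that it normalizes whitespace, so reviewers do not hunt for a content change that is not there.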
diff --git a/mdop/appv-v5/planning-for-using-app-v-with-office51.md b/mdop/appv-v5/planning-for-using-app-v-with-office51.md
index 6564a0e784..76e791e8a6 100644
--- a/mdop/appv-v5/planning-for-using-app-v-with-office51.md
+++ b/mdop/appv-v5/planning-for-using-app-v-with-office51.md
@@ -40,7 +40,7 @@ Microsoft Visio and Microsoft Project do not provide support for the Thai Langua
## Supported versions of Microsoft Office
See [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click) for a list of supported Office products.
->**Note** You must use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported. You cannot use the App-V Sequencer.
+>**Note** You must use the Office Deployment Tool to create App-V packages for Microsoft 365 Apps for enterprise. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported. You cannot use the App-V Sequencer.
diff --git a/mdop/dart-v7/overview-of-the-tools-in-dart-70-new-ia.md b/mdop/dart-v7/overview-of-the-tools-in-dart-70-new-ia.md
index 30c1b4a4a7..a021c0fd09 100644
--- a/mdop/dart-v7/overview-of-the-tools-in-dart-70-new-ia.md
+++ b/mdop/dart-v7/overview-of-the-tools-in-dart-70-new-ia.md
@@ -121,7 +121,7 @@ The **Search** tool opens a **File Search** window that you can use to find docu
### Standalone System Sweeper
**Important**
-Environments with the Standalone System Sweeper deployed should instead use the Windows Defender Offline (WDO) protection image for malware detection. Because of how the Standalone System Sweeper tool integrates into DaRT, all supported DaRT version deployments cannot apply these anti-malware updates to their DaRT images.
+Environments with the Standalone System Sweeper deployed should instead use the Microsoft Defender Offline (WDO) protection image for malware detection. Because of how the Standalone System Sweeper tool integrates into DaRT, all supported DaRT version deployments cannot apply these anti-malware updates to their DaRT images.
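Review bot: after the rename in this line, the parenthetical abbreviation no longer matches its expansion: `Microsoft Defender Offline (WDO)`. If WDO is kept because readers know it from the existing filenames and links, say so once, for example "Microsoft Defender Offline (WDO, formerly Windows Defender Offline)"; otherwise spell the name out. The same mismatch recurs in every renamed line in the DaRT 8 files below.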
diff --git a/mdop/dart-v8/TOC.md b/mdop/dart-v8/TOC.md
index b2c907364b..1071a26cdd 100644
--- a/mdop/dart-v8/TOC.md
+++ b/mdop/dart-v8/TOC.md
@@ -39,5 +39,5 @@
#### [How to Use a PowerShell Script to Create the Recovery Image](how-to-use-a-powershell-script-to-create-the-recovery-image-dart-8.md)
## [Troubleshooting DaRT 8.0](troubleshooting-dart-80-dart-8.md)
## [Technical Reference for DaRT 8.0](technical-reference-for-dart-80-new-ia.md)
-### [Use Windows Defender Offline (WDO) for malware protection, not DaRT ](use-windows-defender-offline-wdo-for-malware-protection-not-dart.md)
+### [Use Microsoft Defender Offline (WDO) for malware protection, not DaRT ](use-windows-defender-offline-wdo-for-malware-protection-not-dart.md)
diff --git a/mdop/dart-v8/dart-80-privacy-statement-dart-8.md b/mdop/dart-v8/dart-80-privacy-statement-dart-8.md
index 73939a6af0..f49f70867f 100644
--- a/mdop/dart-v8/dart-80-privacy-statement-dart-8.md
+++ b/mdop/dart-v8/dart-80-privacy-statement-dart-8.md
@@ -82,12 +82,12 @@ For details about what information is collected and how it is used, see the Upda
For details about controlling this feature, see the Update Services Privacy Statement at [https://go.microsoft.com/fwlink/?LinkId=244000](https://go.microsoft.com/fwlink/?LinkId=244400).
-## Windows Defender Offline
+## Microsoft Defender Offline
**What This Feature Does:**
-Windows Defender Offline (WDO) is included in the DaRT download. WDO helps protect your PC from malicious software (malware) such as viruses, spyware, and other potentially harmful software.
+Microsoft Defender Offline (WDO) is included in the DaRT download. WDO helps protect your PC from malicious software (malware) such as viruses, spyware, and other potentially harmful software.
**Information Collected, Processed, or Transmitted:**
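Review bot: the context line at the top of this hunk has a link whose text and target disagree: the text shows `LinkId=244000` while the href is `LinkId=244400`. It is outside the changed lines, but since this hunk is already touching the section, fix one of them so the visible URL matches the actual destination.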
@@ -99,7 +99,7 @@ For details about what information is collected and how it is used, see the WDO
**Choice/Control:**
-For details about controlling this feature, see the Windows Defender Offline Privacy Statement at .
+For details about controlling this feature, see the Microsoft Defender Offline Privacy Statement at .
## Related topics
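Review bot: the renamed sentence `For details about controlling this feature, see the Microsoft Defender Offline Privacy Statement at .` still ends in "at ." with no URL, so the rename preserves a dangling reference. Either supply the privacy statement link or reword the sentence so it does not promise a location it does not give.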
diff --git a/mdop/dart-v8/index.md b/mdop/dart-v8/index.md
index d51694005d..403a88d542 100644
--- a/mdop/dart-v8/index.md
+++ b/mdop/dart-v8/index.md
@@ -38,7 +38,7 @@ DaRT 8.0 is an important part of the Microsoft Desktop Optimization Pack (MDOP),
[Technical Reference for DaRT 8.0](technical-reference-for-dart-80-new-ia.md)
-[Microsoft Diagnostics and Recovery Toolset (DaRT) users should use Windows Defender Offline (WDO) for malware detection-->](use-windows-defender-offline-wdo-for-malware-protection-not-dart.md)
+[Microsoft Diagnostics and Recovery Toolset (DaRT) users should use Microsoft Defender Offline (WDO) for malware detection-->](use-windows-defender-offline-wdo-for-malware-protection-not-dart.md)
[Troubleshooting DaRT 8.0](troubleshooting-dart-80-dart-8.md)
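Review bot: the link text in this hunk still ends with a stray `-->` (`...should use Microsoft Defender Offline (WDO) for malware detection-->`), which looks like the tail of an HTML comment and renders literally in the page. Remove it here and in the same link text in overview-of-the-tools-in-dart-80-dart-8.md and technical-reference-for-dart-80-new-ia.md below.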
diff --git a/mdop/dart-v8/overview-of-the-tools-in-dart-80-dart-8.md b/mdop/dart-v8/overview-of-the-tools-in-dart-80-dart-8.md
index ec7b892511..46c8676819 100644
--- a/mdop/dart-v8/overview-of-the-tools-in-dart-80-dart-8.md
+++ b/mdop/dart-v8/overview-of-the-tools-in-dart-80-dart-8.md
@@ -48,7 +48,7 @@ For more information about **Crash Analyzer**, see [Diagnosing System Failures w
### Defender
**Important**
-Environments with the DaRT Defender deployed should instead use the Windows Defender Offline (WDO) protection image for malware detection. Because of how the Defender tool integrates into DaRT, all supported DaRT version deployments cannot apply these anti-malware updates to their DaRT images. For more information, see [Microsoft Diagnostics and Recovery Toolset (DaRT) users should use Windows Defender Offline (WDO) for malware detection-->](use-windows-defender-offline-wdo-for-malware-protection-not-dart.md).
+Environments with the DaRT Defender deployed should instead use the Microsoft Defender Offline (WDO) protection image for malware detection. Because of how the Defender tool integrates into DaRT, all supported DaRT version deployments cannot apply these anti-malware updates to their DaRT images. For more information, see [Microsoft Diagnostics and Recovery Toolset (DaRT) users should use Microsoft Defender Offline (WDO) for malware detection-->](use-windows-defender-offline-wdo-for-malware-protection-not-dart.md).
diff --git a/mdop/dart-v8/technical-reference-for-dart-80-new-ia.md b/mdop/dart-v8/technical-reference-for-dart-80-new-ia.md
index 6fefab5848..356e206ffd 100644
--- a/mdop/dart-v8/technical-reference-for-dart-80-new-ia.md
+++ b/mdop/dart-v8/technical-reference-for-dart-80-new-ia.md
@@ -22,9 +22,9 @@ This section includes technical reference information about Microsoft Diagnostic
## Technical reference
-[Microsoft Diagnostics and Recovery Toolset (DaRT) users should use Windows Defender Offline (WDO) for malware detection-->](use-windows-defender-offline-wdo-for-malware-protection-not-dart.md)
+[Microsoft Diagnostics and Recovery Toolset (DaRT) users should use Microsoft Defender Offline (WDO) for malware detection-->](use-windows-defender-offline-wdo-for-malware-protection-not-dart.md)
- Environments with the Microsoft Diagnostics and Recovery Toolset (DaRT) Defender tool deployed should instead use the Windows Defender Offline (WDO) protection image for malware detection.
+ Environments with the Microsoft Diagnostics and Recovery Toolset (DaRT) Defender tool deployed should instead use the Microsoft Defender Offline (WDO) protection image for malware detection.
## Other resources for DaRT 8.0 operations
diff --git a/mdop/dart-v8/use-windows-defender-offline-wdo-for-malware-protection-not-dart.md b/mdop/dart-v8/use-windows-defender-offline-wdo-for-malware-protection-not-dart.md
index 6265073d6b..02e1f3ee25 100644
--- a/mdop/dart-v8/use-windows-defender-offline-wdo-for-malware-protection-not-dart.md
+++ b/mdop/dart-v8/use-windows-defender-offline-wdo-for-malware-protection-not-dart.md
@@ -1,6 +1,6 @@
---
-title: Use Windows Defender Offline (WDO) for malware protection not DaRT
-description: Microsoft Diagnostics and Recovery Toolset (DaRT) users should use Windows Defender Offline (WDO) for malware detection
+title: Use Microsoft Defender Offline (WDO) for malware protection not DaRT
+description: Microsoft Diagnostics and Recovery Toolset (DaRT) users should use Microsoft Defender Offline (WDO) for malware detection
author: dansimp
ms.assetid: 59678283-4b44-4d02-ba8f-0e7315efd5d1
ms.reviewer:
@@ -14,19 +14,19 @@ ms.date: 09/25/2019
---
-# Use Windows Defender Offline (WDO) for malware protection, not DaRT.
+# Microsoft Diagnostics and Recovery Toolset (DaRT) users should use Microsoft Defender Offline (WDO) for malware detection-->
+# Use Microsoft Defender Offline (WDO) for malware protection, not DaRT.
-Environments that have the Microsoft Diagnostics and Recovery Toolset (DaRT) Defender tool deployed should instead use the Windows Defender Offline (WDO) protection image for malware detection. This applies to all currently supported versions of DaRT. These versions include DaRT 7, DaRT 8, and DaRT 8.1, together with their service packs.
+Environments that have the Microsoft Diagnostics and Recovery Toolset (DaRT) Defender tool deployed should instead use the Microsoft Defender Offline (WDO) protection image for malware detection. This applies to all currently supported versions of DaRT. These versions include DaRT 7, DaRT 8, and DaRT 8.1, together with their service packs.
## About Windows Defender
-The Windows Defender tool distributes anti-malware updates more frequently than the DaRT Defender tool. Because of how the Defender tool integrates into DaRT, all supported DaRT version deployments cannot apply these anti-malware updates to their DaRT images. Without these updates, the DaRT Defender tool quickly becomes outdated. To make sure of up-to-date protection at scan time, you should download Windows Defender Offline to create a bootable image for scanning.
+The Windows Defender tool distributes anti-malware updates more frequently than the DaRT Defender tool. Because of how the Defender tool integrates into DaRT, all supported DaRT version deployments cannot apply these anti-malware updates to their DaRT images. Without these updates, the DaRT Defender tool quickly becomes outdated. To make sure of up-to-date protection at scan time, you should download Microsoft Defender Offline to create a bootable image for scanning.
-Currently deployed DaRT images do not have to be removed or updated. We recommend that you deploy the bootable image that is provided by Windows Defender Offline for all future malware scans. Using an outdated version of the DaRT Defender tool could result in undetected malware.
+Currently deployed DaRT images do not have to be removed or updated. We recommend that you deploy the bootable image that is provided by Microsoft Defender Offline for all future malware scans. Using an outdated version of the DaRT Defender tool could result in undetected malware.
-For more information about Windows Defender Offline downloads and FAQs, go to the following website: [What is Windows Defender Offline?](https://go.microsoft.com/fwlink/p/?LinkId=394127).
+For more information about Microsoft Defender Offline downloads and FAQs, go to the following website: [What is Microsoft Defender Offline?](https://go.microsoft.com/fwlink/p/?LinkId=394127).
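Review bot: this hunk leaves the article with two consecutive H1 headings. The first, `+# Microsoft Diagnostics and Recovery Toolset (DaRT) users should use Microsoft Defender Offline (WDO) for malware detection-->`, duplicates the front-matter `description`, carries the stray `-->`, and is immediately followed by `+# Use Microsoft Defender Offline (WDO) for malware protection, not DaRT.`; keep a single H1 (the `title` value, without the trailing period) and drop the other. The rename is also incomplete within this file: `## About Windows Defender` and the body sentence `The Windows Defender tool distributes anti-malware updates more frequently than the DaRT Defender tool.` still use the old name while the surrounding lines were updated.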
diff --git a/mdop/mbam-v1/evaluating-mbam-10.md b/mdop/mbam-v1/evaluating-mbam-10.md
index c7a6729376..f4c72234bf 100644
--- a/mdop/mbam-v1/evaluating-mbam-10.md
+++ b/mdop/mbam-v1/evaluating-mbam-10.md
@@ -55,21 +55,21 @@ Even when you set up a non-production instance of MBAM to evaluate in a lab envi
Prepare your computing environment for the MBAM installation. To do so, you must enable the Transparent Data Encryption (TDE) on the SQL Server instances that will host MBAM databases. To enable TDE in your lab environment, you can create a .sql file to run against the master database that is hosted on the instance of the SQL Server that MBAM will use.
-Note
You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of C:\Backup</em>. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.
+Note
You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of C:\Backup. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.
USE master;
GO
-CREATE MASTER KEY ENCRYPTION BY PASSWORD = &#39;P@55w0rd';
+CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@55w0rd';
GO
CREATE CERTIFICATE tdeCert WITH SUBJECT = 'TDE Certificate';
GO
BACKUP CERTIFICATE tdeCert TO FILE = 'C:\Backup\TDECertificate.cer'
WITH PRIVATE KEY (
FILE = 'C:\Backup\TDECertificateKey.pvk',
- ENCRYPTION BY PASSWORD = &#39;P@55w0rd');
+ ENCRYPTION BY PASSWORD = 'P@55w0rd');
GO
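Review bot: the rewritten note still reads "are required when recover the database or move the certificate and key"; make it "when you recover the database or move the certificate and key". Two further points on this hunk: the `-Note` / `+Note` pair is a no-op (identical text, presumably a whitespace change) and can be dropped; and the sample script uses the same literal `'P@55w0rd'` for both `CREATE MASTER KEY ENCRYPTION BY PASSWORD` and the private-key backup `ENCRYPTION BY PASSWORD`. Since readers paste lab scripts verbatim, replace it with an obvious placeholder such as `'<StrongPassword>'` and add a sentence that anyone holding `TDECertificateKey.pvk` and that password can restore the TDE certificate and open the protected databases, so the backup path and password need the same protection as the databases themselves.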
diff --git a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md
index cd77d39b06..8a255ed548 100644
--- a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md
+++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md
@@ -11,8 +11,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.prod: w10
ms.date: 8/30/2018
-ms.author: pashort
-author: shortpatti
+ms.author: dansimp
---
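Review bot: this hunk removes both `ms.author: pashort` and `author: shortpatti` but adds back only `ms.author: dansimp`, leaving the front matter with no `author` key while every other file touched in this change carries one (`author: dansimp`, `author: eavena`). Add an `author:` line alongside the new `ms.author` so the metadata stays consistent with the rest of the repository.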
# Applying hotfixes on MBAM 2.5 SP1
diff --git a/mdop/mbam-v25/deploy-mbam.md b/mdop/mbam-v25/deploy-mbam.md
index a921105176..c035e3eadb 100644
--- a/mdop/mbam-v25/deploy-mbam.md
+++ b/mdop/mbam-v25/deploy-mbam.md
@@ -8,7 +8,6 @@ ms.author: delhan
ms.sitesec: library
ms.prod: w10
ms.date: 09/16/2019
-manager: dcscontentpm
---
# Deploying MBAM 2.5 in a standalone configuration
diff --git a/mdop/mbam-v25/troubleshooting-mbam-installation.md b/mdop/mbam-v25/troubleshooting-mbam-installation.md
index f2d0494b7f..9dce3b1297 100644
--- a/mdop/mbam-v25/troubleshooting-mbam-installation.md
+++ b/mdop/mbam-v25/troubleshooting-mbam-installation.md
@@ -8,7 +8,6 @@ ms.author: delhan
ms.sitesec: library
ms.prod: w10
ms.date: 09/16/2019
-manager: dcscontentpm
---
# Troubleshooting MBAM 2.5 installation problems
diff --git a/mdop/mbam-v25/upgrade-mbam2.5-sp1.md b/mdop/mbam-v25/upgrade-mbam2.5-sp1.md
index 153757ee67..0e55529039 100644
--- a/mdop/mbam-v25/upgrade-mbam2.5-sp1.md
+++ b/mdop/mbam-v25/upgrade-mbam2.5-sp1.md
@@ -2,11 +2,10 @@
title: Upgrading from MBAM 2.5 to MBAM 2.5 SP1 Servicing Release Update
author: dansimp
ms.author: ksharma
-manager:
+manager: miaposto
audience: ITPro
ms.topic: article
ms.prod: w10
-manager: miaposto
ms.localizationpriority: Normal
---
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
index b3f0ec8f06..9b5f3ae040 100644
--- a/smb/cloud-mode-business-setup.md
+++ b/smb/cloud-mode-business-setup.md
@@ -2,7 +2,7 @@
title: Deploy and manage a full cloud IT solution for your business
description: Learn how to set up a cloud infrastructure for your business, acquire devices and apps, and configure and deploy policies to your devices.
keywords: smb, full cloud IT solution, small to medium business, deploy, setup, manage, Windows, Intune, Office 365
-ms.prod:
+ms.prod: w10
ms.technology:
ms.author: eravena
audience: itpro
@@ -13,6 +13,7 @@ author: eavena
ms.reviewer:
manager: dansimp
ms.localizationpriority: medium
+ms.topic: conceptual
---
# Get started: Deploy and manage a full cloud IT solution for your business
@@ -21,12 +22,12 @@ ms.localizationpriority: medium
**Applies to:**
-- Office 365 Business Premium, Azure AD Premium, Intune, Microsoft Store for Business, Windows 10
+- Microsoft 365 Business Standard, Azure AD Premium, Intune, Microsoft Store for Business, Windows 10
Are you ready to move your business to the cloud or wondering what it takes to make this happen with Microsoft cloud services and tools?
-In this walkthrough, we'll show you how to deploy and manage a full cloud IT solution for your small to medium business using Office 365 Business Premium, Microsoft Azure AD, Intune, Microsoft Store for Business, and Windows 10. We'll show you the basics on how to:
-- Acquire an Office 365 business domain
+In this walkthrough, we'll show you how to deploy and manage a full cloud IT solution for your small to medium business using Microsoft 365 Business Standard, Microsoft Azure AD, Intune, Microsoft Store for Business, and Windows 10. We'll show you the basics on how to:
+- Acquire an Microsoft 365 for business domain
- Add Microsoft Intune and Azure Active Directory (AD) Premium licenses to your business tenant
- Set up Microsoft Store for Business and manage app deployment and sync with Intune
- Add users and groups in Azure AD and Intune
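Review bot: article error in the added bullet `+- Acquire an Microsoft 365 for business domain`; it should read `- Acquire a Microsoft 365 for business domain`. The rest of the hunk is consistent, but note that the intro sentence now names the specific plan (`Microsoft 365 Business Standard`) while the bullet uses the family name (`Microsoft 365 for business`); if both are intended, fine, otherwise pick one.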
@@ -52,11 +53,11 @@ See Get Started with Office 365 for business.
+To set up your Microsoft 365 for business tenant, see Get Started with Microsoft 365 for business.
If this is the first time you're setting this up, and you'd like to see how it's done, you can follow these steps to get started:
-1. Go to the Office 365 page in the Microsoft Business site. Select **Try now** to use the Office 365 Business Premium Trial or select **Buy now** to sign up for Office 365 Business Premium. In this walkthrough, we'll select **Try now**.
+1. Go to the Office 365 page in the Microsoft Business site. Select **Try now** to use the Microsoft 365 Business Standard Trial or select **Buy now** to sign up for Microsoft 365 Business Standard. In this walkthrough, we'll select **Try now**.
**Figure 1** - Try or buy Office 365
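Review bot: the hunk counts (`-52,11 +53,11`) imply one removed line for every added one, but only one `-` line is visible against two `+` lines, so check that the old sentence `See Get Started with Office 365 for business.` (which appears in the hunk header context) was actually removed and the page does not now carry both it and the new `+To set up your Microsoft 365 for business tenant, see Get Started with Microsoft 365 for business.` Separately, the rename is partial: step 1 still says `Go to the Office 365 page in the Microsoft Business site` and the caption `**Figure 1** - Try or buy Office 365` is unchanged while the same step now refers to the Microsoft 365 Business Standard trial. If the linked page and screenshot still show Office 365 branding, leave them; otherwise update the link text and caption with the rest of the step.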
@@ -68,14 +69,14 @@ If this is the first time you're setting this up, and you'd like to see how it's
This step creates an onmicrosoft.com email address. You can use this email address to sign in to the various admin centers. Save your sign-in info so you can use it to sign into https://portal.office.com (the admin portal).
4. Select **Create my account** and then enter the phone number you used in step 2 to verify your identity. You'll be asked to enter your verification code.
-5. Select **You're ready to go...** which will take you to the Office 365 portal.
+5. Select **You're ready to go...** which will take you to the Microsoft 365 admin center.
> [!NOTE]
- > In the Office 365 portal, icons that are greyed out are still installing.
+ > In the Microsoft 365 admin center, icons that are greyed out are still installing.
- **Figure 2** - Office 365 portal
+ **Figure 2** - Microsoft 365 admin center
- 
+ 
6. Select the **Admin** tile to go to the admin center.
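Review bot: steps 5 and 6 now contradict each other. Step 5 was changed to `which will take you to the Microsoft 365 admin center`, but step 6 still says `Select the **Admin** tile to go to the admin center`, which only makes sense if step 5 lands the user on the portal home page rather than in the admin center. Either keep step 5 as landing on the portal (the old wording) and rename only the note and figure caption, or reword step 6. The `[!NOTE]` and `**Figure 2**` rename to `Microsoft 365 admin center` should follow whichever reading you keep.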
@@ -560,7 +561,7 @@ For other devices, such as those personally-owned by employees who need to conne
9. You can confirm that the new device and user are showing up as Intune-managed by going to the Intune management portal and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later.
### 4.2 Add a new user
-You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Microsoft Intune.
+You can add new users to your tenant simply by adding them to the Microsoft 365 groups. Adding new users to Microsoft 365 groups automatically adds them to the corresponding groups in Microsoft Intune.
See [Add users to Office 365](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc?ui=en-US&rs=en-US&ad=US&fromAR=1) to learn more. Once you're done adding new users, go to the Intune management portal and verify that the same users were added to the Intune groups as well.
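Review bot: the paragraph now says `Microsoft 365 groups` twice, but the very next sentence keeps the link text `Add users to Office 365`, so the terminology changes mid-paragraph. The URL can stay if it still resolves, but the link text should either match the new terminology or be the linked article's actual current title.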
diff --git a/smb/index.md b/smb/index.md
index 5cc2746261..1f9527ebf2 100644
--- a/smb/index.md
+++ b/smb/index.md
@@ -2,16 +2,17 @@
title: Windows 10 for small to midsize businesses
description: Microsoft products and devices to transform and grow your businessLearn how to use Windows 10 for your small to midsize business.
keywords: Windows 10, SMB, small business, midsize business, business
-ms.prod:
+ms.prod: w10
ms.technology:
ms.topic: article
-ms.author: celested
+ms.author: dansimp
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: smb
-author: CelesteDG
+author: dansimp
ms.localizationpriority: medium
manager: dansimp
+audience: itpro
---
# Windows 10 for SMB
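Review bot: the unchanged context line `description: Microsoft products and devices to transform and grow your businessLearn how to use Windows 10 for your small to midsize business.` runs two sentences together with no separator between `business` and `Learn`. Since this hunk already rewrites the front matter of smb/index.md, fix it here, e.g. `description: Microsoft products and devices to transform and grow your business. Learn how to use Windows 10 for your small to midsize business.`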
diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
index bddb37739a..b343954c9a 100644
--- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md
+++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
@@ -45,7 +45,7 @@ Before you get started, be sure to review these best practices and requirements:
**Best practices**
-- **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Configuration Manager in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
+- **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Microsoft Endpoint Configuration Manager in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create-ci-policy) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted.
Copy the commands for each step into an elevated Windows PowerShell session. You'll use Package Inspector to find and trust all binaries in the app.
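Review bot: the renamed phrase `the section Inventorying catalog files by using Microsoft Endpoint Configuration Manager in the [Device Guard deployment guide]` is a reference to a section heading in another document. If that guide's heading is still `Inventorying catalog files by using Configuration Manager`, the rename here makes the section harder to find; verify the target heading before changing quoted section titles, or phrase it as `the section on inventorying catalog files with Microsoft Endpoint Configuration Manager` so it is not presented as a literal title.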
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index 5c70fb1b0b..33b58da4ab 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -44,7 +44,7 @@ You can't distribute offline-licensed apps directly from Microsoft Store. Once y
- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages).
- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics:
- - [Manage apps from Microsoft Store for Business with Microsoft Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+ - [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
For third-party MDM providers or management servers, check your product documentation.
diff --git a/store-for-business/index.md b/store-for-business/index.md
index 71a8c271d1..9ec42cc879 100644
--- a/store-for-business/index.md
+++ b/store-for-business/index.md
@@ -2,6 +2,7 @@
title: Microsoft Store for Business and Education (Windows 10)
description: Welcome to the Microsoft Store for Business and Education. You can use Microsoft Store, to find, acquire, distribute, and manage apps for your organization or school.
ms.assetid: 527E611E-4D47-44F0-9422-DCC2D1ACBAB8
+manager: dansimp
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -10,7 +11,7 @@ author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
ms.localizationpriority: high
-ms.date: 10/17/2017
+ms.date: 05/14/2020
---
# Microsoft Store for Business and Education
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index b7fea1a9ef..04c86ceb64 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -9,7 +9,6 @@ author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
ms.localizationpriority: medium
-ms.author:
ms.date: 10/22/2017
ms.reviewer:
manager: dansimp
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index cc3bbbad3c..03c3b38bdf 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -45,7 +45,7 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store
- **Private store collection updates** - We’ve made it easier to find apps when creating private store collections – now you can search and filter results.
[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections)
- **Manage Skype Communication credits** - Office 365 customers that own Skype Communication Credits can now see and manage them in Microsoft Store for Business. You can view your account, add funds to your account, and manage auto-recharge settings.
-- **Upgrade Office 365 trial subscription** - Customers with Office 365 can upgrade their subscription and automatically re-assign their user licenses over to a new target subscription. For example, you could upgrade your Office 365 Business to Office 365 Business Premium.
+- **Upgrade Microsoft 365 trial subscription** - Customers with Office 365 can upgrade their subscription and automatically re-assign their user licenses over to a new target subscription. For example, you could upgrade your Office 365 for business subscription to a Microsoft 365 for business subscription.
## January and February 2018
- **One place for apps, software, and subscriptions** - The new **Products & services** page in Microsoft Store for Business and Education gives customers a single place to manage all products and services.
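Review bot: this file is a dated release history (the next heading is `## January and February 2018`), and the bullet title is renamed to `**Upgrade Microsoft 365 trial subscription**` while its body still opens `Customers with Office 365 can upgrade their subscription`. Renaming the title of a historical entry misrepresents what shipped under that name at the time, and the title and body now disagree. Suggest keeping the original title and, if needed, adding the current product name in parentheses, or at least making the title and body use the same product name.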
@@ -61,7 +61,7 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store
- **Export list of Minecraft: Education Edition users** - Admins and teachers can now export a list of users who have Minecraft: Education Edition licenses assigned to them. Click **Export users**, and Store for Education creates an Excel spreadsheet for you, and saves it as a .csv file.
## October 2017
-- Bug fixes and performance improvements.
+- Bug fixes and performance improvements.
## September 2017
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md
index 7f2ec6c3c5..db4fe23b68 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md
@@ -1,6 +1,6 @@
---
title: How to create a package accelerator (Windows 10)
-description: How to create a package accelerator.
+description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
index 197cff66cb..29d79221c5 100644
--- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
@@ -18,7 +18,7 @@ ms.topic: article
After you have properly deployed the Microsoft Application Virtualization (App-V) sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application.
-For more information about configuring the App-V sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide]().
+For more information about configuring the App-V sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx).
>[!NOTE]
>The App-V Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated.
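Review bot: good to see the empty link target `[Microsoft Application Virtualization 5.0 Sequencing Guide]()` filled in, but the new URL points straight at a `.docx` file on download.microsoft.com, so clicking it starts a download with no landing page. Consider linking the Download Center page for the guide instead, or saying in the link text that it is a Word document download so readers know what to expect.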
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
index 9ee527503b..728f4943a1 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
@@ -1,6 +1,6 @@
---
title: How to Deploy the App-V Server Using a Script (Windows 10)
-description: How to Deploy the App-V Server Using a Script
+description: Information, lists, and tables that can help you deploy the App-V server using a script
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md
index d71a0f0476..14493f0b25 100644
--- a/windows/application-management/app-v/appv-deploying-appv.md
+++ b/windows/application-management/app-v/appv-deploying-appv.md
@@ -1,6 +1,6 @@
---
title: Deploying App-V (Windows 10)
-description: Deploying App-V
+description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
index 40175562d2..4379625ee0 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
@@ -39,7 +39,7 @@ Before you deploy Office with App-V, review the following requirements.
|---|---|
|Packaging|All Office applications you wish to deploy to users must be in a single package. In App-V and later, you must use the Office Deployment Tool to create packages. The Sequencer doesn't support package creation. If you're deploying Microsoft Visio 2013 and Microsoft Project 2013 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2013 and Project 2013 with Office](#deploying-visio-2013-and-project-2013-with-office).|
|Publishing|You can only publish one Office package per client computer. You must publish the Office package globally, not to the user.|
-|Deploying Office 365 ProPlus, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer using Remote Desktop Services.|You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus). You don’t need to use shared computer activation if you’re deploying a volume licensed product, such as Office Professional Plus 2013, Visio Professional 2013, or Project Professional 2013.|
+|Deploying Microsoft 365 Apps for enterprise, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer using Remote Desktop Services.|You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus). You don’t need to use shared computer activation if you’re deploying a volume licensed product, such as Office Professional Plus 2013, Visio Professional 2013, or Project Professional 2013.|
### Excluding Office applications from a package
@@ -285,7 +285,7 @@ Use the steps in this section to enable Office plug-ins with your Office package
#### To enable plug-ins for Office App-V packages
1. Add a Connection Group through App-V Server, Microsoft Endpoint Configuration Manager, or a Windows PowerShell cmdlet.
-2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It's a good idea to use Office 365 ProPlus (non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
+2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It's a good idea to use Microsoft 365 Apps for enterprise (non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
3. Create an App-V package that includes the desired plug-ins.
4. Add a Connection Group through App-V Server, Configuration Manager, or a Windows PowerShell cmdlet.
5. Add the Office 2013 App-V package and the plug-ins package you sequenced to the Connection Group you created.
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
index 8f016604df..ba7107286e 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
@@ -1,6 +1,6 @@
---
title: Deploying Microsoft Office 2016 by using App-V (Windows 10)
-description: Deploying Microsoft Office 2016 by using App-V
+description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
@@ -39,7 +39,7 @@ Before you deploy Office with App-V, review the following requirements.
|-----------|-------------------|
| Packaging. | All Office applications that you deploy to users must be in a single package. In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. The Sequencer doesn't support package creation. If you're deploying Microsoft Visio 2016 and Microsoft Project 2016 at the same time as Office, you must put them all in the same package. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office). |
| Publishing. | You can only publish one Office package per client computer. You must publish the Office package globally, not to the user. |
-| Deploying Office 365 ProPlus, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer with Remote Desktop Services. | You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus). |
+| Deploying Microsoft 365 Apps for enterprise, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer with Remote Desktop Services. | You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus). |
### Excluding Office applications from a package
@@ -124,7 +124,7 @@ The XML file included in the Office Deployment Tool specifies the product detail
| Language element | Specifies which language the applications support. | `Language ID="en-us"` |
| Version (attribute of **Add** element) | Optional. Specifies which build the package will use. Defaults to latest advertised build (as defined in v32.CAB at the Office source). | `16.1.2.3` |
| SourcePath (attribute of **Add** element) | Specifies the location the applications will be saved to. | `Sourcepath = "\\Server\Office2016"` |
- | Channel (part of **Add** element) | Optional. Defines which channel will be used to update Office after installation. The default is **Deferred** for Office 365 ProPlus and **Current** for Visio Pro for Office 365 and Project Desktop Client. For more information about update channels, see [Overview of update channels for Office 365 ProPlus](https://docs.microsoft.com/DeployOffice/overview-of-update-channels-for-office-365-proplus). | `Channel="Current"` `Channel="Deferred"` `Channel="FirstReleaseDeferred"` `Channel="FirstReleaseCurrent"` |
+ | Channel (part of **Add** element) | Optional. Defines which channel will be used to update Office after installation. The default is **Deferred** for Microsoft 365 Apps for enterprise and **Current** for Visio Pro for Office 365 and Project Desktop Client. For more information about update channels, see [Overview of update channels for Microsoft 365 Apps for enterprise](https://docs.microsoft.com/DeployOffice/overview-of-update-channels-for-office-365-proplus). | `Channel="Current"` `Channel="Deferred"` `Channel="FirstReleaseDeferred"` `Channel="FirstReleaseCurrent"` |
After editing the **configuration.xml** file to specify the desired product, languages, and the location where the Office 2016 applications will be saved to, you can save the configuration file under a name of your choice, such as "Customconfig.xml."
2. **Download the applications into the specified location:** Use an elevated command prompt and a 64-bit operating system to download the Office 2016 applications that will later be converted into an App-V package. The following is an example command:
@@ -152,7 +152,7 @@ After you download the Office 2016 applications through the Office Deployment To
The following table summarizes the values you need to enter in the **Customconfig.xml** file. The steps in the sections that follow the table will specify the exact entries you need to make.
>[!NOTE]
->You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
+>You can use the Office Deployment Tool to create App-V packages for Microsoft 365 Apps for enterprise. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
| Product ID | Subscription licensing |
|---|---|
@@ -268,7 +268,7 @@ The following steps will tell you how to enable Office plug-ins with your Office
#### Enable plug-ins for Office App-V packages
1. Add a Connection Group through App-V Server, Microsoft Endpoint Configuration Manager, or a Windows PowerShell cmdlet.
-2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer that will be used to sequence the plug-in. We recommend that you use Office 365 ProPlus (non-virtual) on the sequencing computer when sequencing Office 2016 plug-ins.
+2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer that will be used to sequence the plug-in. We recommend that you use Microsoft 365 Apps for enterprise (non-virtual) on the sequencing computer when sequencing Office 2016 plug-ins.
3. Create an App-V package that includes the plug-ins you want.
4. Add a Connection Group through the App-V Server, Configuration Manager, or a Windows PowerShell cmdlet.
5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created.
diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md
index df7f76ca07..9eb57e8521 100644
--- a/windows/application-management/app-v/appv-evaluating-appv.md
+++ b/windows/application-management/app-v/appv-evaluating-appv.md
@@ -1,6 +1,6 @@
---
title: Evaluating App-V (Windows 10)
-description: Evaluating App-V for Windows 10
+description: Learn how to evaluate App-V for Windows 10 in a lab environment before deploying into a production environment.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md
index 459032925c..bec88a55bf 100644
--- a/windows/application-management/app-v/appv-for-windows.md
+++ b/windows/application-management/app-v/appv-for-windows.md
@@ -1,6 +1,6 @@
---
title: Application Virtualization (App-V) (Windows 10)
-description: Application Virtualization (App-V)
+description: See various topics that can help you administer Application Virtualization (App-V) and its components.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md
index 1b1f6592d5..2e1556cb8a 100644
--- a/windows/application-management/app-v/appv-getting-started.md
+++ b/windows/application-management/app-v/appv-getting-started.md
@@ -1,6 +1,6 @@
---
title: Getting Started with App-V (Windows 10)
-description: Getting Started with App-V for Windows 10
+description: Get started with Microsoft Application Virtualization (App-V) for Windows 10.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
index 7209027bb8..f08f5dfe4d 100644
--- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
+++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
@@ -1,6 +1,6 @@
---
title: Install the Publishing Server on a Remote Computer (Windows 10)
-description: How to Install the App-V Publishing Server on a Remote Computer
+description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
@@ -38,7 +38,7 @@ Use the following procedure to install the publishing server on a separate compu
3. Enter the server name and a description (if required), then select **Add**.
9. To verify that the publishing server is running correctly, you should import a package to the management server, entitle that package to an AD group, then publish it. Using an internet browser, open the following URL: https://publishingserver:pubport. If the server is running correctly, information like the following example should appear.
- ```SQL
+ ```xml
diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md
index 3b54154537..e03e524b5a 100644
--- a/windows/application-management/app-v/appv-maintaining-appv.md
+++ b/windows/application-management/app-v/appv-maintaining-appv.md
@@ -1,6 +1,6 @@
---
title: Maintaining App-V (Windows 10)
-description: Maintaining App-V
+description: After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
index dac8271c33..da919b1dbf 100644
--- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
+++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
@@ -30,7 +30,7 @@ You can use the App-V Sequencer to create plug-in packages for language packs, l
For a list of supported Office products, see [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click).
>[!NOTE]
->You must use the Office Deployment Tool instead of the App-V Sequencer to create App-V packages for Office 365 ProPlus. App-V does not support package creation for volume-licensed versions of Office Professional Plus or Office Standard. Support for the [Office 2013 version of Office 365 ended in February 2017](https://support.microsoft.com/kb/3199744).
+>You must use the Office Deployment Tool instead of the App-V Sequencer to create App-V packages for Microsoft 365 Apps for enterprise. App-V does not support package creation for volume-licensed versions of Office Professional Plus or Office Standard. Support for the [Office 2013 version of Office 365 ended in February 2017](https://support.microsoft.com/kb/3199744).
## Using App-V with coexisting versions of Office
diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md
index 57989881e0..991209bd1b 100644
--- a/windows/application-management/app-v/appv-preparing-your-environment.md
+++ b/windows/application-management/app-v/appv-preparing-your-environment.md
@@ -1,13 +1,13 @@
---
title: Preparing Your Environment for App-V (Windows 10)
-description: Preparing Your Environment for App-V
-author: lomayor
+description: Use this info to prepare for deployment configurations and prerequisites for Microsoft Application Virtualization (App-V).
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
+author: dansimp
manager: dansimp
ms.author: dansimp
ms.topic: article
diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
index cd4469abe5..565f150699 100644
--- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
@@ -1,6 +1,6 @@
---
title: How to publish a package by using the Management console (Windows 10)
-description: How to publish a package by using the Management console.
+description: Learn how the Management console in App-V can help you enable admin controls as well as publish App-V packages.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md
index a39eca9e4d..a1b4f90845 100644
--- a/windows/application-management/app-v/appv-supported-configurations.md
+++ b/windows/application-management/app-v/appv-supported-configurations.md
@@ -14,7 +14,7 @@ ms.topic: article
---
# App-V Supported Configurations
->Applies to: Windows 10, version 1607; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2
+>Applies to: Windows 10, version 1607; Window Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 (Extended Security Update)
This topic specifies the requirements to install and run App-V in your Windows 10 environment. For information about prerequisite software such as the .NET Framework, see [App-V prerequisites](appv-prerequisites.md).
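Review bot: typo in the added `Applies to` line: `Window Server 2019` should be `Windows Server 2019`. Also, `Windows Server 2008 R2 (Extended Security Update)` uses the singular; the program is normally referred to as Extended Security Updates, and the next hunk in this file adds the same parenthetical to the Management server requirement, so pick one spelling and use it in both places.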
@@ -34,7 +34,7 @@ The App-V server does not support the following scenarios:
### Management server operating system requirements
-You can install the App-V Management server on a server running Windows Server 2008 R2 with SP1 or later.
+You can install the App-V Management server on a server running Windows Server 2008 R2 with SP1 (Extended Security Update) or later.
>[!IMPORTANT]
>Deploying a Management server role to a computer with Remote Desktop Services enabled is not supported.
@@ -51,12 +51,15 @@ The following table lists the SQL Server versions that the App-V Management data
|SQL Server version|Service pack|System architecture|
|---|---|---|
+|Microsoft SQL Server 2019||32-bit or 64-bit|
|Microsoft SQL Server 2017||32-bit or 64-bit|
|Microsoft SQL Server 2016|SP2|32-bit or 64-bit|
|Microsoft SQL Server 2014||32-bit or 64-bit|
|Microsoft SQL Server 2012|SP2|32-bit or 64-bit|
|Microsoft SQL Server 2008 R2|SP3|32-bit or 64-bit|
+For more information on user configuration files with SQL server 2016 or later, see the [support article](https://support.microsoft.com/help/4548751/app-v-server-publishing-might-fail-when-you-apply-user-configuration-f).
+
### Publishing server operating system requirements
The App-V Publishing server can be installed on a server that runs Windows Server 2008 R2 with SP1 or later.
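Review bot: capitalisation in the added sentence: "SQL server 2016" should be "SQL Server 2016" to match the table rows above it. The sentence could also say what the linked article is about, since the URL slug ("app-v-server-publishing-might-fail-when-you-apply-user-configuration-f") shows it covers a publishing failure when user configuration files are applied; "For more information on user configuration files" undersells it for a reader deciding whether to follow the link.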
@@ -101,17 +104,7 @@ Similarly, the App-V Remote Desktop Services (RDS) client is included with Windo
## Sequencer system requirements
-The following table lists the operating systems that the App-V Sequencer installation supports.
-
-|Operating system|Service pack|System architecture|
-|---|---|---|
-|Microsoft Windows Server 2012 R2||64-bit|
-|Microsoft Windows Server 2012||64-bit|
-|Microsoft Windows Server 2008 R2|SP1|64-bit|
-|Microsoft Windows 10||32-bit and 64-bit|
-|Microsoft Windows 8.1||32-bit and 64-bit|
-|Microsoft Windows 8||32-bit and 64-bit|
-|Microsoft Windows 7|SP1|32-bit and 64-bit|
+Sequencer is now part of the Windows Assessment and Deployment Kit (Windows ADK). [Download the latest Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) that is recommended for your version of the Windows OS.
### Sequencer hardware requirements
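Review bot: replacing the Sequencer operating-system table with a pointer to the Windows ADK removes the only statement of which operating systems and architectures sequencing is supported on; consider keeping a one-line summary of supported OS versions next to the ADK link, or stating explicitly that the ADK's own system requirements now govern. Minor wording: "[Download the latest Windows ADK] that is recommended for your version of the Windows OS" reads better as "[Download the Windows ADK] recommended for your version of Windows".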
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 1eb4d1d50b..c27ad32063 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -2,7 +2,7 @@
title: Windows 10 - Apps
ms.reviewer:
manager: dansimp
-description: What are Windows, UWP, and Win32 apps
+description: Use this article to understand the different types of apps that run on Windows 10, such as UWP and Win32 apps.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -31,64 +31,61 @@ The following tables list the system apps, installed Windows apps, and provision
Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running.
-
## Provisioned Windows apps
-Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 and 1809.
+You can list all provisioned Windows apps with this PowerShell command:
-> [!TIP]
-> You can list all provisioned Windows apps with this PowerShell command:
-> ```
-> Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
-> ```
+```Powershell
+Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
+```
-
+Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, and 1909.
-| Package name | App name | 1709 | 1803 | 1809 | 1909 | Uninstall through UI? |
-|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
-| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | Yes |
-| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App |
-| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | | x | x | No |
-| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | | x | x | No |
-| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | |
-| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | x | x | No |
-| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No |
-| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.VP9VideoExtensions | | | | x | x | No |
-| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | | x | x | x | No |
-| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | | x | x | No |
-| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No |
-| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | | x | x | x | No |
-| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No |
-| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | | x | x | No |
-| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No |
+| Package name | App name | 1803 | 1809 | 1903 | 1909 | Uninstall through UI? |
+|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
+| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | Yes |
+| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App |
+| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | |
+| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No |
+| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.VP9VideoExtensions | | | x | x | x | No |
+| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No |
+| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No |
+| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No |
>[!NOTE]
>The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it.
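Review bot: the fence tag "```Powershell" is inconsistent with "```PowerShell" used in the connect-to-remote-aadj-pc.md hunk later in this patch; pick one spelling across the patch. The rebuilt table also carries over rows with empty cells (Microsoft.Outlook.DesktopIntegrationServices has no app name and no "Uninstall through UI?" value; Microsoft.VP9VideoExtensions and Microsoft.XboxSpeechToTextOverlay have no app name); fill these or mark them as not applicable so the table does not read as incomplete.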
@@ -97,13 +94,11 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1709, 1803, and 1809.
-> [!TIP]
-> You can list all system apps with this PowerShell command:
-> ```
-> Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
-> ```
+You can list all system apps with this PowerShell command:
-
+```Powershell
+Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
+```
| Name | Package Name | 1709 | 1803 | 1809 |Uninstall through UI? |
|----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------|
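Review bot: the unchanged context in this hunk now lags the previous one: "Here are the typical system apps in Windows 10 versions 1709, 1803, and 1809." and the table columns "| 1709 | 1803 | 1809 |" still stop at 1809, while the provisioned-apps table above was just updated to 1803 through 1909. Either update this table and its intro to the same version range in this patch, or note that it is intentionally left at 1809.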
diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md
index fdb6834a7a..e7e6041a1d 100644
--- a/windows/application-management/change-history-for-application-management.md
+++ b/windows/application-management/change-history-for-application-management.md
@@ -1,6 +1,6 @@
---
title: Change history for Application management in Windows 10 (Windows 10)
-description: View changes to documentation for application management in Windows 10.
+description: View new release information and updated topics in the documentation for application management in Windows 10.
keywords:
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
index da98a12e3b..b82c42bf9a 100644
--- a/windows/application-management/manage-windows-mixed-reality.md
+++ b/windows/application-management/manage-windows-mixed-reality.md
@@ -13,7 +13,7 @@ ms.author: dansimp
ms.topic: article
---
-# Enable or block Windows Mixed Reality apps in the enterprise
+# Enable or block Windows Mixed Reality apps in enterprises
**Applies to**
@@ -33,7 +33,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD.
- a. Download the FOD .cab file for [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
+ a. Download the FOD .cab file for [Windows 10, version 20H1](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
>[!NOTE]
>You must download the FOD .cab file that matches your operating system version.
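Review bot: the new link is labelled "Windows 10, version 20H1" while the rest of the same sentence uses release-version numbering ("version 1903 and 1909", "version 1809"); 20H1 shipped as Windows 10, version 2004, so label it "version 2004" for consistency. Also worth confirming the 20H1 URL resolves, since it uses the "~" package naming while the 1903/1909 one uses "-".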
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 1100a66787..4245e9fb23 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -1,6 +1,6 @@
---
title: Per-user services in Windows 10 and Windows Server
-description: Learn about per-user services introduced in Windows 10.
+description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md
index 35c0f225b0..91bc510d5f 100644
--- a/windows/client-management/administrative-tools-in-windows-10.md
+++ b/windows/client-management/administrative-tools-in-windows-10.md
@@ -29,7 +29,7 @@ The tools in the folder might vary depending on which edition of Windows you are

-These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool.
+These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders.
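Review bot: the added path "C:\Windows\System32\" is in plain markdown text, where the backslashes may be consumed as escape characters; wrap it in code formatting (`C:\Windows\System32\`) so it renders literally. The sentence could also be tightened: "The tools are located within the folder ... or its subfolders" to "The tools are located in C:\Windows\System32\ or its subfolders."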
@@ -43,6 +43,8 @@ These tools were included in previous versions of Windows and the associated doc
- [ODBC Data Sources]( https://go.microsoft.com/fwlink/p/?LinkId=708494)
- [Performance Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708495)
- [Print Management](https://go.microsoft.com/fwlink/p/?LinkId=708496)
+- [Recovery Drive](https://support.microsoft.com/help/4026852/windows-create-a-recovery-drive)
+- [Registry Editor](https://docs.microsoft.com/windows/win32/sysinfo/registry)
- [Resource Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708497)
- [Services](https://go.microsoft.com/fwlink/p/?LinkId=708498)
- [System Configuration](https://go.microsoft.com/fwlink/p/?LinkId=708499)
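Review bot: the new "Registry Editor" entry links to https://docs.microsoft.com/windows/win32/sysinfo/registry, which is the Win32 registry API reference rather than documentation for the Registry Editor tool that appears in the Administrative Tools folder; link a user-facing page on regedit.exe, or relabel the entry so readers know they are getting developer documentation. The "Recovery Drive" entry and its support-article link look fine, and both entries keep the list's alphabetical order.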
@@ -60,7 +62,3 @@ These tools were included in previous versions of Windows and the associated doc
-
-
-
-
diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md
index 124846eb32..4af9868736 100644
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@@ -2,7 +2,7 @@
title: Advanced Troubleshooting 802.1X Authentication
ms.reviewer:
manager: dansimp
-description: Learn how 802.1X Authentication works
+description: Troubleshoot authentication flow by learning how 802.1X Authentication works for wired and wireless clients.
keywords: advanced troubleshooting, 802.1X authentication, troubleshooting, authentication, Wi-Fi
ms.prod: w10
ms.mktglfcycl:
@@ -73,7 +73,7 @@ The following article explains how to analyze CAPI2 event logs:
When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication:
-
+
If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter in for a client side capture, and **EAP** for an NPS side capture. See the following examples:
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 54f8565c87..9478b21555 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -20,40 +20,45 @@ ms.topic: article
**Applies to**
-- Windows 10
+- Windows 10
-From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup).
+From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup).

->[!TIP]
->Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session.](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics)
+> [!TIP]
+> Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session.](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics)
## Set up
-- Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
-- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined. Remote connection to an Azure AD joined PC from an unjoined device or a non-Windows 10 device is not supported.
-Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC.
-- On the PC that you want to connect to:
- 1. Open system properties for the remote PC.
- 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
+- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported.
+- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined. Remote connections to an Azure AD joined PC from an unjoined device or a non-Windows 10 device are not supported.
- 
+Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC.
- 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
- >[!NOTE]
- >You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet:
- >
- >`net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD.
- >
- > This command only works for AADJ device users already added to any of the local groups (administrators).
- > Otherwise this command throws the below error. For example:
- > for cloud only user: "There is no such global user or group : *name*"
- > for synced user: "There is no such global user or group : *name*"
- >
- >In Windows 10, version 1709, the user does not have to sign in to the remote device first.
- >
- >In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
+- On the PC you want to connect to:
+ 1. Open system properties for the remote PC.
+ 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
+
+ 
+
+ 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
+
+ > [!NOTE]
+ > You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once, and then running the following PowerShell cmdlet:
+ > ```PowerShell
+ > net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"
+ > ```
+ > where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
+ >
+ > This command only works for AADJ device users already added to any of the local groups (administrators).
+ > Otherwise this command throws the below error. For example:
+ > - for cloud only user: "There is no such global user or group : *name*"
+ > - for synced user: "There is no such global user or group : *name*"
+ >
+ > In Windows 10, version 1709, the user does not have to sign in to the remote device first.
+ >
+ > In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
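Review bot: the placeholder explanation in the note is internally inconsistent: the command uses "AzureAD\the-UPN-attribute-of-your-user", but the following line says that value "is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD"; a UPN and a profile folder name derived from DisplayName are different things, so state which one the command actually expects. Also `net localgroup` is a command-line tool, not a "PowerShell cmdlet"; say "running the following command". Smaller points: the two "There is no such global user or group : *name*" bullets are identical and could be one line, and the Remote Credential Guard sentence now sits as an unindented paragraph between bullet items, which splits the list in two when rendered.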
@@ -61,33 +66,32 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
> When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant.
> [!Note]
-> If you cannot connect using Remote Desktop Connection 6.0, then you must turn off new features of RDP 6.0 and revert back to RDP 5.0 by changing a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
-
+> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
+
## Supported configurations
-
-In organizations that have integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC using:
+
+In organizations using integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC by using any of the following:
- Password
- Smartcards
-- Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager
+- Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager.
-In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network using:
+In organizations using integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network by using any of the following:
- Password
- Smartcards
-- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription.
+- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription.
-In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
+In organizations using integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC by using any of the following:
- Password
- Smartcards
-- Windows Hello for Business, with or without an MDM subscription.
+- Windows Hello for Business, with or without an MDM subscription.
-
-In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
+In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC by using any of the following:
- Password
-- Windows Hello for Business, with or without an MDM subscription.
+- Windows Hello for Business, with or without an MDM subscription.
> [!NOTE]
> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).
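Review bot: the `> [!Note]` callout at the top of this hunk keeps mixed case while the rest of this patch normalizes callouts to `> [!NOTE]` (the second callout in this same hunk already uses the upper-case form); change it while the adjacent line is being rewritten. The period added to the "Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager." bullet also leaves the short lists inconsistent: the Password and Smartcards items have no terminal period, the Windows Hello items now all do. Pick one style for every item.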
@@ -96,14 +100,3 @@ In organizations using only Azure AD, you can connect from an Azure AD-joined PC
[How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop)
-
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md
index e866b0d7c4..58f94bd27e 100644
--- a/windows/client-management/data-collection-for-802-authentication.md
+++ b/windows/client-management/data-collection-for-802-authentication.md
@@ -2,7 +2,7 @@
title: Data collection for troubleshooting 802.1X authentication
ms.reviewer:
manager: dansimp
-description: Data needed for reviewing 802.1X Authentication issues
+description: Use the steps in this article to collect data that can be used to troubleshoot 802.1X authentication issues.
keywords: troubleshooting, data collection, data, 802.1X authentication, authentication, data
ms.prod: w10
ms.mktglfcycl:
diff --git a/windows/client-management/determine-appropriate-page-file-size.md b/windows/client-management/determine-appropriate-page-file-size.md
index b6abb3661e..8daf0f4ce4 100644
--- a/windows/client-management/determine-appropriate-page-file-size.md
+++ b/windows/client-management/determine-appropriate-page-file-size.md
@@ -8,8 +8,8 @@ author: Deland-Han
ms.localizationpriority: medium
ms.author: delhan
ms.date: 8/28/2019
-ms.reviewer:
-manager: dcscontentpm
+ms.reviewer: dcscontentpm
+manager: dansimp
---
# How to determine the appropriate page file size for 64-bit versions of Windows
diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md
index 6601e238eb..52a10357c5 100644
--- a/windows/client-management/generate-kernel-or-complete-crash-dump.md
+++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
ms.author: delhan
ms.date: 8/28/2019
ms.reviewer:
-manager: dcscontentpm
+manager: willchen
---
# Generate a kernel or complete crash dump
@@ -61,7 +61,7 @@ If you can log on while the problem is occurring, you can use the Microsoft Sysi
2. Select **Start**, and then select **Command Prompt**.
3. At the command line, run the following command:
- ```cmd
+ ```console
notMyfault.exe /crash
```
@@ -80,6 +80,7 @@ To do this, follow these steps:
> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
1. In Registry Editor, locate the following registry subkey:
+
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl**
2. Right-click **CrashControl**, point to **New**, and then click **DWORD Value**.
@@ -101,6 +102,8 @@ To do this, follow these steps:
9. Test this method on the server by using the NMI switch to generate a dump file. You will see a STOP 0x00000080 hardware malfunction.
+If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](https://docs.microsoft.com/azure/virtual-machines/linux/serial-console-nmi-sysrq).
+
### Use the keyboard
[Forcing a System Crash from the Keyboard](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard)
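Review bot: the Azure link added here points to the Linux VM serial console topic (`.../virtual-machines/linux/serial-console-nmi-sysrq`, which also covers SysRq, a Linux-only facility) while the steps in this article are for Windows servers and the NMI switch; confirm this is the intended target for Windows guests, and if a Windows-specific serial console topic exists, link that instead so readers are not sent to Linux instructions.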
@@ -108,4 +111,3 @@ To do this, follow these steps:
### Use Debugger
[Forcing a System Crash from the Debugger](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-debugger)
-
diff --git a/windows/client-management/index.md b/windows/client-management/index.md
index 3838366e1a..477c88252a 100644
--- a/windows/client-management/index.md
+++ b/windows/client-management/index.md
@@ -1,6 +1,6 @@
---
title: Client management (Windows 10)
-description: Windows 10 client management
+description: Learn about the administrative tools, tasks and best practices for managing Windows 10 and Windows 10 Mobile clients across your enterprise.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md
index cee81bcd72..2f12bd900f 100644
--- a/windows/client-management/introduction-page-file.md
+++ b/windows/client-management/introduction-page-file.md
@@ -7,8 +7,8 @@ ms.topic: troubleshooting
author: Deland-Han
ms.localizationpriority: medium
ms.author: delhan
-ms.reviewer: greglin
-manager: dcscontentpm
+ms.reviewer: dcscontentpm
+manager: dansimp
---
# Introduction to page files
diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
index 688b2e776c..0511eea424 100644
--- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
@@ -31,7 +31,7 @@ When a device running Windows 10 Mobile is joined to Azure AD, the device can e
- Single sign-on (SSO) in applications like Mail, Word, and OneDrive using resources backed by Azure AD.
-- SSO in Microsoft Edge browser to Azure AD-connected web applications like Office 365 Portal, Visual Studio, and more than [2500 non-Microsoft apps](https://go.microsoft.com/fwlink/p/?LinkID=746211).
+- SSO in Microsoft Edge browser to Azure AD-connected web applications like Microsoft 365 admin center, Visual Studio, and more than [2500 non-Microsoft apps](https://go.microsoft.com/fwlink/p/?LinkID=746211).
- SSO to resources on-premises.
@@ -177,7 +177,7 @@ The OneDrive application also uses SSO, showing you all your documents and enabl

-In addition to application SSO, Azure AD joined devices also get SSO for browser applications which trust Azure AD, such as web applications, Visual Studio, Office 365 portal, and OneDrive for Business.
+In addition to application SSO, Azure AD joined devices also get SSO for browser applications which trust Azure AD, such as web applications, Visual Studio, Microsoft 365 admin center, and OneDrive for Business.

diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index 9d7b5546ff..211519bdec 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -15,23 +15,18 @@ ms.topic: article
# Create mandatory user profiles
-
**Applies to**
-- Windows 10
+- Windows 10
+A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
+Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
-A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
-
-Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
-
-When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile.
+When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile.
User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.
-
-
## Profile extension for each Windows version
The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version.
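Review bot: the added `+- Windows 10` list item is immediately followed by the `+A mandatory user profile is a roaming user profile...` paragraph with no blank line between them, and that paragraph is followed directly by `+Mandatory user profiles are useful...`; in Markdown the first paragraph becomes a lazy continuation of the list item and the two paragraphs merge into one. Unless blank context lines were lost in this view, restore a blank line after the list item and between the paragraphs (the removed `-` lines show the original had them).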
@@ -43,123 +38,114 @@ The name of the folder in which you store the mandatory profile must use the cor
| Windows 8 | Windows Server 2012 | v3 |
| Windows 8.1 | Windows Server 2012 R2 | v4 |
| Windows 10, versions 1507 and 1511 | N/A | v5 |
-| Windows 10, versions 1607, 1703, 1709, 1803, 1809 and 1903 | Windows Server 2016 and Windows Server 2019 | v6 |
+| Windows 10, versions 1607, 1703, 1709, 1803, 1809, 1903 and 1909 | Windows Server 2016 and Windows Server 2019 | v6 |
-For more information, see [Deploy Roaming User Profiles, Appendix B](https://technet.microsoft.com/library/jj649079.aspx) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).
+For more information, see [Deploy Roaming User Profiles, Appendix B](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).
-## How to create a mandatory user profile
+## Mandatory user profile
First, you create a default user profile with the customizations that you want, run Sysprep with CopyProfile set to **True** in the answer file, copy the customized default user profile to a network share, and then you rename the profile to make it mandatory.
-**To create a default user profile**
+### How to create a default user profile
1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account.
> [!NOTE]
> Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
-2. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.
+1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.
- >[!NOTE]
- >Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
+ > [!NOTE]
+ > Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
-3. [Create an answer file (Unattend.xml)](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) that sets the [CopyProfile](https://msdn.microsoft.com/library/windows/hardware/dn922656.aspx) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
+1. [Create an answer file (Unattend.xml)](https://docs.microsoft.com/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://docs.microsoft.com/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
-3. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=winserver2012-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10).
+1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10).
+ > [!NOTE]
+ > It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
- >[!NOTE]
- >It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
+1. At a command prompt, type the following command and press **ENTER**.
-3. At a command prompt, type the following command and press **ENTER**.
+ ```dos
+ sysprep /oobe /reboot /generalize /unattend:unattend.xml
+ ```
- `sysprep /oobe /reboot /generalize /unattend:unattend.xml`
-
- (Sysprep.exe is located at: C:\Windows\System32\sysprep. By default, Sysprep looks for unattend.xml in this same folder.)
+ (Sysprep.exe is located at: C:\\Windows\\System32\\sysprep. By default, Sysprep looks for unattend.xml in this same folder.)
> [!TIP]
- > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\System32\Sysprep\Panther\setupact.log and look for an entry like the following:
- >
+ > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
+ >
> 
- >
- > Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
+ >
+ > Use the [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
-4. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges.
+1. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges.
-5. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section.
+1. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section.
-6. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
+1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.

-7. In **Copy To**, under **Permitted to use**, click **Change**.
+1. In **Copy To**, under **Permitted to use**, click **Change**.

-8. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
+1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
-9. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#extension) for the operating system version. For example, the folder name must end with “.v6” to identify it as a user profile folder for Windows 10, version 1607.
+1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607.
- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
- - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
+ - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
- 
+ 
-10. Click **OK** to copy the default user profile.
+1. Click **OK** to copy the default user profile.
+### How to make the user profile mandatory
-**To make the user profile mandatory**
+1. In File Explorer, open the folder where you stored the copy of the profile.
+ > [!NOTE]
+ > If the folder is not displayed, click **View** > **Options** > **Change folder and search options**. On the **View** tab, select **Show hidden files and folders**, clear **Hide protected operating system files**, click **Yes** to confirm that you want to show operating system files, and then click **OK** to save your changes.
-3. In File Explorer, open the folder where you stored the copy of the profile.
+1. Rename `Ntuser.dat` to `Ntuser.man`.
- >[!NOTE]
- >If the folder is not displayed, click **View** > **Options** > **Change folder and search options**. On the **View** tab, select **Show hidden files and folders**, clear **Hide protected operating system files**, click **Yes** to confirm that you want to show operating system files, and then click **OK** to save your changes.
-
-4. Rename `Ntuser.dat` to `Ntuser.man`.
-
-## How to apply a mandatory user profile to users
+## Apply a mandatory user profile to users
In a domain, you modify properties for the user account to point to the mandatory profile in a shared folder residing on the server.
-**To apply a mandatory user profile to users**
+### How to apply a mandatory user profile to users
1. Open **Active Directory Users and Computers** (dsa.msc).
-2. Navigate to the user account that you will assign the mandatory profile to.
+1. Navigate to the user account that you will assign the mandatory profile to.
-3. Right-click the user name and open **Properties**.
+1. Right-click the user name and open **Properties**.
-4. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\profile.v6, you would enter \\\\*server*\profile.
+1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\\profile.v6, you would enter \\\\*server*\\profile.
-5. Click **OK**.
+1. Click **OK**.
It may take some time for this change to replicate to all domain controllers.
-
-
## Apply policies to improve sign-in time
When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.)
-
| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 |
| --- | --- | --- | --- | --- |
| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled |  |  |  |  |
| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled |  |  |  |  |
| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled |  |  |  |  |
-> [!Note]
+> [!NOTE]
> The Group Policy settings above can be applied in Windows 10 Professional edition.
-
-
-
-
## Related topics
- [Manage Windows 10 Start layout and taskbar options](/windows/configuration/windows-10-start-layout-options-and-policies)
- [Lock down Windows 10 to specific apps](/windows/configuration/lock-down-windows-10-to-specific-apps)
- [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight)
- [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)
-
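Review bot: the heading change from `## How to create a mandatory user profile` to `## Mandatory user profile` drops the verb, so it no longer reads as a task heading alongside the sibling `## Apply a mandatory user profile to users` and `## Apply policies to improve sign-in time`; `## Create a mandatory user profile` keeps the parallelism and the intent of the section. Two smaller points in the same hunk: the new fence is tagged `dos` while the crash-dump article in this same patch was just switched from `cmd` to `console`, so settle on one tag for Windows command-prompt snippets across the PR; and the rewritten step still reads "For examples on how to uninstall Windows 10 Application see", which needs "Windows 10 applications, see".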
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 9241a7fdf7..476d73c694 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -159,15 +159,15 @@
#### [Personalization DDF file](personalization-ddf.md)
### [Policy CSP](policy-configuration-service-provider.md)
#### [Policy DDF file](policy-ddf-file.md)
-#### [Policies supported by Group Policy](policies-supported-by-group-policy.md)
-#### [ADMX-backed policies](policies-admx-backed.md)
-#### [Policies supported by HoloLens 2](policies-supported-by-hololens2.md)
-#### [Policies supported by HoloLens (1st gen) Commercial Suite](policies-supported-by-hololens-1st-gen-commercial-suite.md)
-#### [Policies supported by HoloLens (1st gen) Development Edition](policies-supported-by-hololens-1st-gen-development-edition.md)
-#### [Policies supported by Windows 10 IoT Enterprise](policies-supported-by-iot-enterprise.md)
-#### [Policies supported by Windows 10 IoT Core](policies-supported-by-iot-core.md)
-#### [Policies supported by Microsoft Surface Hub](policies-supported-by-surface-hub.md)
-#### [Policies that can be set using Exchange Active Sync (EAS)](policies-that-can-be-set-using-eas.md)
+#### [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md)
+#### [ADMX-backed policy CSPs](policy-csps-admx-backed.md)
+#### [Policy CSPs supported by HoloLens 2](policy-csps-supported-by-hololens2.md)
+#### [Policy CSPs supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
+#### [Policy CSPs supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
+#### [Policy CSPs supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
+#### [Policy CSPs supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
+#### [Policy CSPs supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md)
+#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md)
#### [AboveLock](policy-csp-abovelock.md)
#### [Accounts](policy-csp-accounts.md)
#### [ActiveXControls](policy-csp-activexcontrols.md)
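Review bot: the retargeted TOC entries point at new `policy-csps-*.md` filenames, but no corresponding file renames appear in this patch, so either the renames are in a part of the change not shown here or these links will break until they land; confirm the files exist and that redirects for the old `policies-*.md` paths are registered. Also check the terminology: the parent entry is the single `Policy CSP` whose child nodes are individual policies, so "Policy CSPs supported by Group Policy" reads as if there were many Policy CSPs; "Policies in Policy CSP supported by Group Policy" (and likewise for the other eight entries) would be accurate.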
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index 40de22d2b3..7a9545e09a 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -40,7 +40,7 @@ Available naming macros:
Supported operation is Add.
> [!Note]
-> For desktop PCs on the next major release of Windows 10 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md).
+> For desktop PCs on Windows 10, version 2004 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md).
**Users**
Interior node for the user account information.
diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
index 1eae18e33a..79b168c90e 100644
--- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
+++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
@@ -45,7 +45,7 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a

-7. In the Office 365 portal, select **Purchase Services** from the left nagivation.
+7. In the Microsoft 365 admin center, select **Purchase Services** from the left nagivation.

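Review bot: the rewritten step 7 still carries the typo "left nagivation" (should be "left navigation"); fix it while this line is being touched.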
@@ -67,7 +67,7 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a
If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription.
-1. Sign in to the Office 365 portal at using your organization's account.
+1. Sign in to the Microsoft 365 admin center at using your organization's account.

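Review bot: the rewritten step 1 reads "Sign in to the Microsoft 365 admin center at using your organization's account", so the URL that should follow "at" is missing; either add the admin center link there or drop "at".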
diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md
index 1a79f57833..2c8cfbc647 100644
--- a/windows/client-management/mdm/alljoynmanagement-ddf.md
+++ b/windows/client-management/mdm/alljoynmanagement-ddf.md
@@ -1,6 +1,6 @@
---
title: AllJoynManagement DDF
-description: AllJoynManagement DDF
+description: Learn the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider.
ms.assetid: 540C2E60-A041-4749-A027-BBAF0BB046E4
ms.reviewer:
manager: dansimp
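Review bot: the new `description:` value contains Markdown bold (`**AllJoynManagement**`); front-matter descriptions are emitted as plain meta text and search snippets, where the asterisks will appear literally, so remove the formatting from the YAML value.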
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index 121f28dad6..4293995ef5 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -13,17 +13,15 @@ ms.date: 05/21/2019
# ApplicationControl CSP
-Windows Defender Application Control (WDAC) policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike [AppLocker CSP](applocker-csp.md), ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot.
-Existing WDAC policies deployed using AppLocker CSP’s CodeIntegrity node can now be deployed using ApplicationControl CSP URI. Although WDAC policy deployment via AppLocker CSP will continue to be supported, all new feature work will be done in ApplicationControl CSP only.
+Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot.
+Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
-ApplicationControl CSP was added in Windows 10, version 1903.
-
-The following diagram shows ApplicationControl CSP in tree format.
+The following diagram shows the ApplicationControl CSP in tree format.

**./Vendor/MSFT/ApplicationControl**
-Defines the root node for ApplicationControl CSP.
+Defines the root node for the ApplicationControl CSP.
Scope is permanent. Supported operation is Get.
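Review bot: in the merged opening paragraph, "correctly detects the presence of no-reboot option" still needs an article ("the no-reboot option"). The sentence moved into this paragraph, "The ApplicationControl CSP was added in Windows 10, version 1903", now sits directly before "support for rebootless policy deployment (introduced in Windows 10, version 1709)", which reads as a contradiction; say what the 1709 date refers to (the capability rather than the CSP) so the two version numbers do not appear to conflict.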
@@ -33,7 +31,7 @@ An interior node that contains all the policies, each identified by their global
Scope is permanent. Supported operation is Get.
**ApplicationControl/Policies/_Policy GUID_**
-ApplicationControl CSP enforces that the “ID” segment of a given policy URI is the same GUID as the policy ID in the policy blob. Each *Policy GUID* node contains a Policy node and a corresponding PolicyInfo node.
+The ApplicationControl CSP enforces that the "ID" segment of a given policy URI is the same GUID as the policy ID in the policy blob. Each *Policy GUID* node contains a Policy node and a corresponding PolicyInfo node.
Scope is dynamic. Supported operation is Get.
@@ -121,11 +119,11 @@ Value type is char.
For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune)
-## Non-Intune Usage Guidance
+## Generic MDM Server Usage Guidance
In order to leverage the ApplicationControl CSP without using Intune, you must:
-1. Know a generated policy’s GUID, which can be found in the policy xml as or for pre-1903 systems.
+1. Know a generated policy's GUID, which can be found in the policy xml as or for pre-1903 systems.
2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool.
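Review bot: step 1 on the `+` line reads "found in the policy xml as or for pre-1903 systems", so the two element names (between "as" and "or", and after "or") have been lost, almost certainly unescaped `<...>` tags that the markdown renderer swallowed; wrap them in backticks so they render. Step 3 should also warn that `certutil -encode` writes `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` lines and wraps the Base64 at 64 columns; both must be stripped before the blob is used as the Policy node value. For the "signed" case in step 2, say explicitly that the signature is applied to the binary output of `ConvertFrom-CIPolicy` before the Base64 encoding in step 3, since a blob encoded from the unsigned .bin will not be the signed policy.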
@@ -205,7 +203,7 @@ The following example shows the deployment of two base policies and a supplement
### Get policies
-Perform a GET using a deployed policy’s GUID to interrogate/inspect the policy itself or information about it.
+Perform a GET using a deployed policy's GUID to interrogate/inspect the policy itself or information about it.
The following table displays the result of Get operation on different nodes:
@@ -265,3 +263,33 @@ The following is an example of Delete command:
```
+
+## PowerShell and WMI Bridge Usage Guidance
+
+The ApplicationControl CSP can also be managed locally from PowerShell or via SCCM's task sequence scripting by leveraging the [WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
+
+### Setup for using the WMI Bridge
+
+1. Convert your WDAC policy to Base64
+2. Open PowerShell in Local System context (through PSExec or something similar)
+3. Use WMI Interface:
+
+ ```powershell
+ $namespace = "root\cimv2\mdm\dmmap"
+ $policyClassName = "MDM_AppControl_Policies"
+ $policyBase64 = …
+ ```
+
+### Deploying a policy via WMI Bridge
+
+Run the following command. PolicyID is a GUID which can be found in the policy xml, and should be used here without braces.
+
+```powershell
+ New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{ParentID="./Vendor/MSFT/ApplicationControl/Policies";InstanceID="";Policy=$policyBase64}
+```
+
+### Querying all policies via WMI Bridge
+
+```powershell
+Get-CimInstance -Namespace $namespace -ClassName $policyClassName
+```
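Review bot: the `New-CimInstance` example passes `InstanceID=""`, but the sentence above says the PolicyID GUID (without braces) must be supplied there, so the snippet as rendered contradicts the prose and would not deploy the policy under its ID. The placeholder was probably an angle-bracket token eaten by the renderer; escape it in backticks or, better, use a variable such as `$policyId` and show its assignment next to `$policyBase64`. Step 1 ("Convert your WDAC policy to Base64") gives no command and step 3 leaves `$policyBase64 = …`; one line like `$policyBase64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\path\policy.bin'))` makes the block runnable and, unlike `certutil -encode`, produces no header/footer lines that need stripping. It would also help to say why Local System context is required (the WMI Bridge provider is only reachable from the SYSTEM account), to show the removal counterpart (`Remove-CimInstance` on the same instance) so that a policy pushed this way has a documented rollback path, and to use one product name: "SCCM" here versus "Configuration Manager (MEMCM)" earlier in the same article.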
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 5f163fa7a7..3a1f4b6002 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -34,6 +34,8 @@ Defines restrictions for applications.
>
> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node.
+> [!NOTE]
+> Deploying policies via the AppLocker CSP will force a reboot during OOBE.
Additional information:
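Review bot: the new `> [!NOTE]` is placed directly after the existing blockquote line with no blank line between them, so it renders as a continuation of the previous quote rather than as its own callout; insert a blank line before it. Since the ApplicationControl CSP article changed in this same PR says that CSP does not schedule a reboot, the note could also point readers there as the way to avoid the forced reboot during OOBE.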
@@ -1754,7 +1756,7 @@ In this example, Contoso is the node name. We recommend using a GUID for this no
-
+
diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md
index fde531cbc9..ffd93b2784 100644
--- a/windows/client-management/mdm/applocker-ddf-file.md
+++ b/windows/client-management/mdm/applocker-ddf-file.md
@@ -1,6 +1,6 @@
---
title: AppLocker DDF file
-description: AppLocker DDF file
+description: See the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider.
ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496
ms.reviewer:
manager: dansimp
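Review bot: the new description reads "for the AppLocker DDF file configuration service provider", which garbles the subject; there is no "DDF file CSP". Suggest "See the OMA DM device description framework (DDF) for the AppLocker configuration service provider."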
diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md
index cd4c993d17..0e1870a49d 100644
--- a/windows/client-management/mdm/appv-deploy-and-config.md
+++ b/windows/client-management/mdm/appv-deploy-and-config.md
@@ -1,6 +1,6 @@
---
title: Deploy and configure App-V apps using MDM
-description: Deploy and configure App-V apps using MDM
+description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Configuration Manager or App-V server.
ms.author: dansimp
ms.topic: article
ms.prod: w10
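Review bot: the new description says the apps are managed "using Microsoft Endpoint Configuration Manager or App-V server", but the unchanged title is "Deploy and configure App-V apps using MDM"; the description should describe the MDM path the article documents, not a different management channel. Suggest "...using mobile device management (MDM)..." or align the title with the description.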
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index b8eb37197c..3a48ac399e 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -14,8 +14,6 @@ ms.date: 09/18/2018
# AssignedAccess CSP
-**Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.**
-
The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](https://go.microsoft.com/fwlink/p/?LinkID=722211)
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
index 24d475d6e4..413f6d9c1e 100644
--- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
@@ -9,7 +9,6 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: lomayor
-ms.date: 09/05/2017
---
# Azure Active Directory integration with MDM
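Review bot: this hunk deletes `ms.date` instead of updating it, while the BitLocker CSP change in this same PR bumps `ms.date` to 04/16/2020; be consistent across the PR. Removing the field drops the "last reviewed" signal from the rendered page, which matters for an article whose enrollment flow and endpoints change over time.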
@@ -37,7 +36,8 @@ Windows 10 introduces a new way to configure and deploy corporate owned Windows
Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device will not be joined to Azure AD.
-> **Important** Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license.
+> [!IMPORTANT]
+> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license.
### BYOD scenario
@@ -60,7 +60,8 @@ For Azure AD enrollment to work for an Active Directory Federated Services (AD F
Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar.
-> **Note** Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
+> [!NOTE]
+> Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
### MDM endpoints involved in Azure AD integrated enrollment
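Review bot: while this block is being edited, fix the adjacent context line "the enrollment can be manages through" (should be "managed") and "Device management of either ... are similar" (should be "is similar").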
@@ -80,7 +81,7 @@ To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use
**Terms of Use endpoint**
Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user’s consent before the actual enrollment phase begins.
-It’s important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g. users in certain geographies may be subject to stricter device management policies).
+It’s important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g., users in certain geographies may be subject to stricter device management policies).
The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. It’s not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
@@ -103,7 +104,8 @@ A cloud-based MDM is a SaaS application that provides device management capabili
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661).
-> **Note** For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
+> [!NOTE]
+> For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
The keys used by the MDM application to request access tokens from Azure AD are managed within the tenant of the MDM vendor and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, regardless of the customer tenent to which the device being managed belongs.
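Review bot: the rewritten `+` line still carries the typo "tentant" (tenant), and the following context line has "tenent"; fix both while the block is being touched.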
@@ -136,7 +138,7 @@ For more information about how to register a sample application with Azure AD, s
An on-premises MDM application is inherently different that a cloud MDM. It is a single-tenant application that is present uniquely within the tenant of the customer. Therefore, customers must add the application directly within their own tenant. Additionally, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD.
-The customer experience for adding an on-premises MDM to their tenant is similar to that as the cloud-based MDM. There is an entry in the Azure AD app gallery to add an on-premises MDN to the tenant and administrators can configure the required URLs for enrollment and Terms of Use.
+To add an on-premises MDM application to the tenant, there is an entry under the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use.
Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
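Review bot: the replacement sentence is clearer than the app-gallery wording it removes, but the preceding context line "inherently different that a cloud MDM" should read "different from", and the two sentences now both describe administrator configuration; consider merging them so the portal path and the URL configuration read as one step.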
@@ -236,7 +238,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is
CXH-HOST (HTTP HEADER)
-
Senario
+
Scenario
Background Theme
WinJS
Scenario CSS
@@ -343,14 +345,14 @@ The following claims are expected in the access token passed by Windows to the T
-> Note There is no device ID claim in the access token because the device may not yet be enrolled at this time.
+> [!NOTE]
+> There is no device ID claim in the access token because the device may not yet be enrolled at this time.
-
To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654).
Here's an example URL.
-``` syntax
+```console
https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
Authorization: Bearer eyJ0eXAiOi
```
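Review bot: the fence is retagged `console`, but the content is a raw HTTP request line plus an `Authorization: Bearer` header, not a shell session; `http` is the fence that highlights this correctly, and the same applies to the redirect sample (`HTTP/1.1 302` / `Location:`) and the Graph API `PATCH` sample later in this file, which are also retagged `console` in this PR.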
@@ -390,7 +392,7 @@ If an error was encountered during the terms of use processing, the MDM can retu
Here is the URL format:
-``` syntax
+```console
HTTP/1.1 302
Location:
?error=access_denied&error_description=Access%20is%20denied%2E
@@ -426,7 +428,7 @@ The following table shows the error codes.
unsupported version
-
Tenant or user data are missingor other required prerequisites for device enrollment are not met
+
Tenant or user data are missing or other required prerequisites for device enrollment are not met
302
unauthorized_client
unauthorized user or tenant
@@ -601,7 +603,7 @@ In this scenario, the MDM enrollment applies to a single user who initially adde
**Evaluating Azure AD user tokens**
The Azure AD token is in the HTTP Authorization header in the following format:
-``` syntax
+```console
Authorization:Bearer
```
@@ -621,7 +623,7 @@ Access token issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is
An alert is sent when the DM session starts and there is an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example:
-``` syntax
+```xml
Alert Type: com.microsoft/MDM/AADUserToken
Alert sample:
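Review bot: the fence is retagged `xml`, but the first lines inside it ("Alert Type: com.microsoft/MDM/AADUserToken", "Alert sample:") are prose, not XML, so the block is still not a valid sample for a reader to copy; move those two lines above the fence. The "… other XML tags …" placeholder lines in the next two hunks are likewise prose inside `xml` fences and would be better written as XML comments (`<!-- other XML tags -->`).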
@@ -636,7 +638,7 @@ Alert sample:
UserToken inserted here
- … other xml tags …
+ … other XML tags …
```
@@ -665,7 +667,7 @@ Here's an example.
user
- … other xml tags …
+ … other XML tags …
```
@@ -682,9 +684,10 @@ For a sample that illustrates how an MDM can obtain an access token using OAuth
The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device currently being managed by it.
-> **Note** This is only applicable for approved MDM apps on Windows 10 devices.
+> [!NOTE]
+> This is only applicable for approved MDM apps on Windows 10 devices.
-``` syntax
+```console
Sample Graph API Request:
PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1
@@ -713,7 +716,7 @@ Response:
When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
-
+
## Error codes
@@ -921,4 +924,3 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di
-
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 6ba943ffca..3a1ecfb0f9 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -7,15 +7,12 @@ ms.prod: w10
ms.technology: windows
author: lomayor
ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.date: 04/16/2020
ms.reviewer:
manager: dansimp
---
# BitLocker CSP
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.
> [!NOTE]
@@ -25,7 +22,7 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to
A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns
the setting configured by the admin.
-For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if TPM protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
+For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
The following diagram shows the BitLocker configuration service provider in tree format.
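Review bot: the rewritten `+` line keeps "does not verify that the a minimum PIN length" from the old line; drop the stray "the". Expanding "Trusted Platform Module (TPM)" here is the right place, since the later hunk at `@@ -284,12` now relies on the bare abbreviation.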
@@ -162,7 +159,7 @@ If you want to disable this policy, use the following SyncML:
**EncryptionMethodByDriveType**
-Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
+Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
@@ -215,7 +212,7 @@ EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operat
EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.
- The possible values for 'xx' are:
+ The possible values for 'xx' are:
- 3 = AES-CBC 128
- 4 = AES-CBC 256
@@ -237,7 +234,7 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov
chr
- <disabled/>
+
```
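Review bot: the `-`/`+` pair here replaces the `<disabled/>` line of the SyncML sample with an empty line, so the sample no longer carries the value that disables the policy; the same substitution recurs in the larger SyncML rewrites below for SystemDrivesRequireStartupAuthentication, SystemDrivesMinimumPINLength, SystemDrivesRecoveryMessage and SystemDrivesRecoveryOptions. If the intent is only to change how the value is escaped (for example moving it into a CDATA section), confirm the rendered page still shows `<disabled/>` in each sample; if the value is simply gone, every block introduced by "If you want to disable this policy use the following SyncML" now sends an empty value and no longer does what the prose says.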
@@ -247,7 +244,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
**SystemDrivesRequireStartupAuthentication**
-This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".
+This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".
@@ -284,12 +281,12 @@ ADMX Info:
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
-This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.
+This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker.
> [!NOTE]
> Only one of the additional authentication options can be required at startup, otherwise an error occurs.
-If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
+If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.
@@ -317,13 +314,13 @@ Data id:
ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.
-The possible values for 'xx' are:
+The possible values for 'xx' are:
true = Explicitly allow
false = Policy not set
-The possible values for 'yy' are:
+The possible values for 'yy' are:
2 = Optional
1 = Required
@@ -333,25 +330,25 @@ The possible values for 'yy' are:
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
-
- $CmdID$
-
-
- ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication
-
-
- chr
-
- <disabled/>
-
-
+
+ $CmdID$
+
+
+ ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication
+
+
+ chr
+
+
+
+
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
**SystemDrivesMinimumPINLength**
-This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".
+This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".
@@ -408,18 +405,18 @@ Sample value for this node to enable this policy is:
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
-
- $CmdID$
-
-
- ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength
-
-
- chr
-
- <disabled/>
-
-
+
+ $CmdID$
+
+
+ ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength
+
+
+ chr
+
+
+
+
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
@@ -427,7 +424,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
**SystemDrivesRecoveryMessage**
-This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL"
+This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL"
(PrebootRecoveryInfo_Name).
@@ -468,11 +465,11 @@ ADMX Info:
This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
-If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).
+If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).
-If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.
+If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.
-If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.
+If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.
Sample value for this node to enable this policy is:
@@ -480,7 +477,7 @@ Sample value for this node to enable this policy is:
```
-The possible values for 'xx' are:
+The possible values for 'xx' are:
- 0 = Empty
- 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input").
@@ -495,18 +492,18 @@ The possible values for 'xx' are:
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
-
- $CmdID$
-
-
- ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage
-
-
- chr
-
- <disabled/>
-
-
+
+ $CmdID$
+
+
+ ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage
+
+
+ chr
+
+
+
+
```
> [!NOTE]
@@ -517,7 +514,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
**SystemDrivesRecoveryOptions**
-This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
+This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
@@ -556,18 +553,18 @@ ADMX Info:
This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.
-The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
+The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
-In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
+In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
-Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
+Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
-Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.
+Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.
-Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
+Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
-> [!Note]
-> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
+> [!NOTE]
+> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.
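Review bot: "Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet" (repeated in the FixedDrivesRecoveryOptions hunk at the end of this file) points readers at retired TechNet content; since these lines are being touched anyway, replace it with a link to the current BitLocker deployment documentation on docs.microsoft.com. The `[!Note]` to `[!NOTE]` fix is correct; the other callouts in this file already use the uppercase form.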
@@ -579,34 +576,34 @@ Sample value for this node to enable this policy is:
```
-The possible values for 'xx' are:
+The possible values for 'xx' are:
- true = Explicitly allow
- false = Policy not set
-The possible values for 'yy' are:
+The possible values for 'yy' are:
- 2 = Allowed
- 1 = Required
- 0 = Disallowed
-The possible values for 'zz' are:
+The possible values for 'zz' are:
- 2 = Store recovery passwords only
- 1 = Store recovery passwords and key packages
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
-
- $CmdID$
-
-
- ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions
-
-
- chr
-
- <disabled/>
-
-
+
+ $CmdID$
+
+
+ ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions
+
+
+ chr
+
+
+
+
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
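Review bot: the Data payload of the replacement sample renders empty where the removed version carried `<disabled/>` (compare the removed line with the blank `+` lines between `chr` and the closing fence); if the element was re-encoded as CDATA or entity-escaped, confirm it survives in the published page, since the page itself documents `<disabled/>` as the payload that disables the policy, and an empty Data element would not convey that. The same check applies to the FixedDrivesRecoveryOptions, FixedDrivesRequireEncryption and RemovableDrivesRequireEncryption disable samples further down.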
@@ -614,7 +611,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
**FixedDrivesRecoveryOptions**
-This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
+This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
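Review bot: the ADMX policy name is missing from the empty parentheses at the end of the changed line; the sibling entries follow the pattern `"Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name)`, so fill in the corresponding identifier here rather than shipping `()`. While touching the line, also fix the product casing from "Bitlocker" to "BitLocker".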
@@ -653,19 +650,20 @@ ADMX Info:
This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.
-The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
+The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
-In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
+In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
-Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
+Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
-Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.
+Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.
-Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
+Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
-Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.
+Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.
-> [!Note] > If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
+> [!NOTE]
+> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
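Review bot: two grammar fixes in the touched FDV paragraphs: "Before a data recovery agent can be used it must be added" needs a comma after "used", and "when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting" is a comma splice that reads better as "when you turn on BitLocker; instead, BitLocker recovery options for the drive are determined by the policy setting". The split of the note into `> [!NOTE]` and a separate `>` line is correct; the previous single-line form did not render as an alert.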
@@ -677,13 +675,13 @@ Sample value for this node to enable this policy is:
```
-The possible values for 'xx' are:
+The possible values for 'xx' are:
true = Explicitly allow
false = Policy not set
-The possible values for 'yy' are:
+The possible values for 'yy' are:
2 = Allowed
1 = Required
@@ -691,7 +689,7 @@ The possible values for 'yy' are:
-The possible values for 'zz' are:
+The possible values for 'zz' are:
2 = Store recovery passwords only
1 = Store recovery passwords and key packages
@@ -700,18 +698,18 @@ The possible values for 'zz' are:
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
-
- $CmdID$
-
-
- ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions
-
-
- chr
-
- <disabled/>
-
-
+
+ $CmdID$
+
+
+ ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions
+
+
+ chr
+
+
+
+
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
@@ -719,7 +717,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
**FixedDrivesRequireEncryption**
-This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
+This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
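Review bot: since this line is already being touched, fix "Bitlocker" to "BitLocker" so the casing matches the policy title quoted in the same sentence and the rest of the article; the same applies to the RemovableDrivesRequireEncryption mapping line below.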
@@ -769,18 +767,18 @@ Sample value for this node to enable this policy is:
If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML:
```xml
-
- $CmdID$
-
-
- ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption
-
-
- chr
-
- <disabled/>
-
-
+
+ $CmdID$
+
+
+ ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption
+
+
+ chr
+
+
+
+
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
@@ -788,7 +786,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
**RemovableDrivesRequireEncryption**
-This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
+This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
@@ -829,11 +827,12 @@ This setting configures whether BitLocker protection is required for a computer
If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
-If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
+If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
-> [!Note] > This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
+> [!NOTE]
+> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
Sample value for this node to enable this policy is:
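Review bot: in the changed RDVCrossOrg sentence, "When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields" needs a comma after "accessed" and an article before "valid identification field" ("checked for a valid identification field and allowed identification fields"). The `[!NOTE]` split is correct and now renders as an alert.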
@@ -841,7 +840,7 @@ Sample value for this node to enable this policy is:
```
-The possible values for 'xx' are:
+The possible values for 'xx' are:
true = Explicitly allow
false = Policy not set
@@ -850,18 +849,18 @@ The possible values for 'xx' are:
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
-
- $CmdID$
-
-
- ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption
-
-
- chr
-
- <disabled/>
-
-
+
+ $CmdID$
+
+
+ ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption
+
+
+ chr
+
+
+
+
```
@@ -931,12 +930,35 @@ The following list shows the supported values:
Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
+
> [!NOTE]
> This policy is only supported in Azure AD accounts.
"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced.
If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system.
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
The expected values for this policy are:
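Review bot: the added supported-editions table (Home, Pro, Business, Enterprise, Education, Mobile, Mobile Enterprise) shows no support markers in its cells in this diff, so it is not possible to tell from the hunk which editions are marked as supported; verify the check marks or superscript footnotes are present in the source. In the surrounding context, "i.e," should be "i.e.," and "Allows Admin to enforce" reads better as "Allows an administrator to enforce".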
@@ -1058,7 +1080,7 @@ Interior node. Supported operation is Get.
**Status/DeviceEncryptionStatus**
-This node reports compliance state of device encryption on the system.
+This node reports compliance state of device encryption on the system.
@@ -1084,12 +1106,33 @@ This node reports compliance state of device encryption on the system.
+Value type is int. Supported operation is Get.
+
Supported values:
- 0 - Indicates that the device is compliant.
-- Any other value represents a non-compliant device.
+- Any non-zero value - Indicates that the device is not compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table:
+
+| Bit | Error Code |
+|-----|------------|
+| 0 |The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.|
+| 1 |The encryption method of the OS volume doesn't match the BitLocker policy.|
+| 2 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.|
+| 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.|
+| 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.|
+| 5 |The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.|
+| 6 |The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.|
+| 7 |The OS volume is unprotected.|
+| 8 |Recovery key backup failed.|
+| 9 |A fixed drive is unprotected.|
+| 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.|
+| 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.|
+| 12 |Windows Recovery Environment (WinRE) isn't configured.|
+| 13 |A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. |
+| 14 |The TPM isn't ready for BitLocker.|
+| 15 |The network isn't available, which is required for recovery key backup. |
+| 16-31 |For future use.|
-Value type is int. Supported operation is Get.
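Review bot: the new bitmask table should state that "Bit" is a zero-based bit position and that the reported integer is the OR of all set bits, otherwise readers may take the numbers as enumerated error codes; a worked example would settle it, for instance a reported value of 257 (0x101) has bits 0 and 8 set, meaning the user did not consent to the encryption wizard and the recovery key backup failed. Moving "Value type is int. Supported operation is Get." above the value list is fine, but the "16-31" row and the bit 13 and 15 cells carry stray trailing spaces before the closing pipe.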
@@ -1211,10 +1254,10 @@ The following example is provided to show proper format and should not be taken
./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType
- <enabled/>
- <data id="EncryptionMethodWithXtsOsDropDown_Name" value="4"/>
- <data id="EncryptionMethodWithXtsFdvDropDown_Name" value="7"/>
- <data id="EncryptionMethodWithXtsRdvDropDown_Name" value="4"/>
+
+
+
+
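Review bot: the replacement lines for `<enabled/>` and the three `<data id="..." value="..."/>` elements render as blank `+` lines here, so the hunk as shown drops the sample's payload; if the markup was converted to CDATA or entity-escaped form, confirm that the rendered page still shows the enabled element and the drive-type values (4, 7, 4), since the example is meaningless without them. The same applies to every sample hunk that follows down to the RemovableDrivesRequireEncryption example.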
@@ -1226,12 +1269,12 @@ The following example is provided to show proper format and should not be taken
./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication
- <enabled/>
- <data id="ConfigureNonTPMStartupKeyUsage_Name" value="true"/>
- <data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="2"/>
- <data id="ConfigurePINUsageDropDown_Name" value="2"/>
- <data id="ConfigureTPMPINKeyUsageDropDown_Name" value="2"/>
- <data id="ConfigureTPMUsageDropDown_Name" value="2"/>
+
+
+
+
+
+
@@ -1243,8 +1286,8 @@ The following example is provided to show proper format and should not be taken
./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength
- <enabled/>
- <data id="MinPINLength" value="6"/>
+
+
@@ -1256,10 +1299,10 @@ The following example is provided to show proper format and should not be taken
./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage
- <enabled/>
- <data id="RecoveryMessage_Input" value="blablablabla"/>
- <data id="PrebootRecoveryInfoDropDown_Name" value="2"/>
- <data id="RecoveryUrl_Input" value="blablabla"/>
+
+
+
+
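Review bot: the removed lines used `blablablabla` and `blablabla` as the values for `RecoveryMessage_Input` and `RecoveryUrl_Input`; if the re-encoded replacement lines keep those placeholders, swap them for values that look like what an administrator would actually set, such as a short help-desk instruction and an obviously placeholder URL, so readers can tell which field takes free text and which takes a URL.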
@@ -1271,14 +1314,14 @@ The following example is provided to show proper format and should not be taken
./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions
- <enabled/>
- <data id="OSAllowDRA_Name" value="true"/>
- <data id="OSRecoveryPasswordUsageDropDown_Name" value="2"/>
- <data id="OSRecoveryKeyUsageDropDown_Name" value="2"/>
- <data id="OSHideRecoveryPage_Name" value="true"/>
- <data id="OSActiveDirectoryBackup_Name" value="true"/>
- <data id="OSActiveDirectoryBackupDropDown_Name" value="2"/>
- <data id="OSRequireActiveDirectoryBackup_Name" value="true"/>
+
+
+
+
+
+
+
+
@@ -1290,14 +1333,14 @@ The following example is provided to show proper format and should not be taken
./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions
- <enabled/>
- <data id="FDVAllowDRA_Name" value="true"/>
- <data id="FDVRecoveryPasswordUsageDropDown_Name" value="2"/>
- <data id="FDVRecoveryKeyUsageDropDown_Name" value="2"/>
- <data id="FDVHideRecoveryPage_Name" value="true"/>
- <data id="FDVActiveDirectoryBackup_Name" value="true"/>
- <data id="FDVActiveDirectoryBackupDropDown_Name" value="2"/>
- <data id="FDVRequireActiveDirectoryBackup_Name" value="true"/>
+
+
+
+
+
+
+
+
@@ -1309,7 +1352,7 @@ The following example is provided to show proper format and should not be taken
./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption
- <enabled/>
+
@@ -1321,8 +1364,8 @@ The following example is provided to show proper format and should not be taken
./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption
- <enabled/>
- <data id="RDVCrossOrg" value="true"/>
+
+
@@ -1331,4 +1374,5 @@ The following example is provided to show proper format and should not be taken
```
+
diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md
index 19421997ba..edf7ea7a4b 100644
--- a/windows/client-management/mdm/bitlocker-ddf-file.md
+++ b/windows/client-management/mdm/bitlocker-ddf-file.md
@@ -14,9 +14,6 @@ manager: dansimp
# BitLocker DDF file
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
This topic shows the OMA DM device description framework (DDF) for the **BitLocker** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
diff --git a/windows/client-management/mdm/certificate-renewal-windows-mdm.md b/windows/client-management/mdm/certificate-renewal-windows-mdm.md
index 26580c5095..415aa6a9b9 100644
--- a/windows/client-management/mdm/certificate-renewal-windows-mdm.md
+++ b/windows/client-management/mdm/certificate-renewal-windows-mdm.md
@@ -1,6 +1,6 @@
---
title: Certificate Renewal
-description: The enrolled client certificate expires after a period of use.
+description: Find all the resources needed to provide continuous access to client certificates.
MS-HAID:
- 'p\_phdevicemgmt.certificate\_renewal'
- 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm'
diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md
index 1ed78230d4..6e878defd1 100644
--- a/windows/client-management/mdm/certificatestore-csp.md
+++ b/windows/client-management/mdm/certificatestore-csp.md
@@ -1,6 +1,6 @@
---
title: CertificateStore CSP
-description: CertificateStore CSP
+description: Use the The CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates.
ms.assetid: 0fe28629-3cc3-42a0-91b3-3624c8462fd3
ms.reviewer:
manager: dansimp
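Review bot: the new description has a duplicated article, "Use the The CertificateStore", and "secure socket layers (SSL)" should read "Secure Sockets Layer (SSL)".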
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index 8837ad757e..0f2ec33a8f 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -1,6 +1,6 @@
---
title: ClientCertificateInstall CSP
-description: ClientCertificateInstall CSP
+description: The ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates.
ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index 567dfd207e..02f2910d16 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -1,6 +1,6 @@
---
title: CM\_CellularEntries CSP
-description: CM\_CellularEntries CSP
+description: Configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP.
ms.assetid: f8dac9ef-b709-4b76-b6f5-34c2e6a3c847
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md
index 301c28ea8e..828700b85a 100644
--- a/windows/client-management/mdm/cm-proxyentries-csp.md
+++ b/windows/client-management/mdm/cm-proxyentries-csp.md
@@ -1,6 +1,6 @@
---
title: CM\_ProxyEntries CSP
-description: CM\_ProxyEntries CSP
+description: Configure proxy connections on mobile devices using CM\_ProxyEntries CSP.
ms.assetid: f4c3dc71-c85a-4c68-9ce9-19f408ff7a0a
ms.reviewer:
manager: dansimp
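Review bot: the new description is missing an article; "using CM\_ProxyEntries CSP" should read "using the CM\_ProxyEntries CSP", matching the phrasing used in the CM\_CellularEntries description in the previous hunk.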
diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md
index 1dfca8abb1..67872d03da 100644
--- a/windows/client-management/mdm/cmpolicy-csp.md
+++ b/windows/client-management/mdm/cmpolicy-csp.md
@@ -1,6 +1,6 @@
---
title: CMPolicy CSP
-description: CMPolicy CSP
+description: Learn how the CMPolicy configuration service provider (CSP) is used to define rules that the Connection Manager uses to identify correct connections.
ms.assetid: 62623915-9747-4eb1-8027-449827b85e6b
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index 68141ff2a5..59751b300b 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -9,14 +9,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 05/13/2019
+ms.date: 06/03/2020
---
# Configuration service provider reference
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot.
For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224). For CSP DDF files, see [CSP DDF files download](#csp-ddf-files-download).
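Review bot: removing the prerelease warning alongside the date bump to 06/03/2020 is consistent with the version 2004 additions later in this file; while the file is being edited, the context paragraph writes "over–the–air" twice with en dashes where plain hyphens ("over-the-air") are intended.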
@@ -2699,6 +2696,7 @@ Additional lists:
## CSP DDF files download
You can download the DDF files for various CSPs from the links below:
+- [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1903](https://download.microsoft.com/download/6/F/0/6F019079-6EB0-41B5-88E8-D1CE77DBA27B/Windows10_1903_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1809](https://download.microsoft.com/download/6/A/7/6A735141-5CFA-4C1B-94F4-B292407AF662/Windows10_1809_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1803](https://download.microsoft.com/download/6/2/7/6276FE19-E3FD-4254-9C16-3C31CAA2DE50/Windows10_1803_DDF_download.zip)
@@ -2714,15 +2712,15 @@ The following list shows the CSPs supported in HoloLens devices:
| Configuration service provider | HoloLens (1st gen) Development Edition | HoloLens (1st gen) Commercial Suite | HoloLens 2 |
|------|--------|--------|--------|
-| [AccountManagement CSP](accountmanagement-csp.md) |  | 4 | 
+| [AccountManagement CSP](accountmanagement-csp.md) |  |  4 | 
| [Accounts CSP](accounts-csp.md) |  |  |  |
| [ApplicationControl CSP](applicationcontrol-csp.md) |  |  |  |
| [AppLocker CSP](applocker-csp.md) |  |  |  |
-| [AssignedAccess CSP](assignedaccess-csp.md) |  | 4 |  |
+| [AssignedAccess CSP](assignedaccess-csp.md) |  |  4 |  |
| [CertificateStore CSP](certificatestore-csp.md) |  | |  |
| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) |  |  |  |
| [DevDetail CSP](devdetail-csp.md) |  |  |  |
-| [DeveloperSetup CSP](developersetup-csp.md) |  | 2 (runtime provisioning via provisioning packages only; no MDM support)|  |
+| [DeveloperSetup CSP](developersetup-csp.md) |  |  2 (runtime provisioning via provisioning packages only; no MDM support)|  |
| [DeviceManageability CSP](devicemanageability-csp.md) |  |  |  |
| [DeviceStatus CSP](devicestatus-csp.md) |  |  |  |
| [DevInfo CSP](devinfo-csp.md) |  |  |  |
@@ -2731,11 +2729,12 @@ The following list shows the CSPs supported in HoloLens devices:
| [DMClient CSP](dmclient-csp.md) |  |  |  |
| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) |  |  |  |
| [NetworkProxy CSP](networkproxy-csp.md) |  |  |  |
+| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) |  |  |  8|
| [NodeCache CSP](nodecache-csp.md) |  |  |  |
[PassportForWork CSP](passportforwork-csp.md) |  |  |  |
| [Policy CSP](policy-configuration-service-provider.md) |  |  |  |
-| [RemoteFind CSP](remotefind-csp.md) |  | 4 |  |
-| [RemoteWipe CSP](remotewipe-csp.md) |  | 4 |  |
+| [RemoteFind CSP](remotefind-csp.md) |  |  4 |  |
+| [RemoteWipe CSP](remotewipe-csp.md) |  |  4 |  |
| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) |  |  |  |
| [Update CSP](update-csp.md) |  |  |  |
| [VPNv2 CSP](vpnv2-csp.md) |  |  |  |
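Review bot: the PassportForWork CSP row in this hunk's context is missing its leading `|`, which breaks the table rendering for that row; since the adjacent RemoteFind and RemoteWipe rows are being edited, fix it in the same change. The new NetworkQoSPolicy row correctly uses footnote 8, which the footnote list at the end of the file now defines.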
@@ -2806,3 +2805,5 @@ The following list shows the CSPs supported in HoloLens devices:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+- 7 - Added in Windows 10, version 1909.
+- 8 - Added in Windows 10, version 2004.
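Review bot: footnote 7 (version 1909) is defined here but no row in the visible hunks references it; confirm a row elsewhere in the table uses it, otherwise the entry is dead.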
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 746d5b282e..0842fb0031 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -1,6 +1,6 @@
---
title: Defender CSP
-description: Defender CSP
+description: See how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
ms.assetid: 481AA74F-08B2-4A32-B95D-5A3FD05B335C
ms.reviewer:
manager: dansimp
@@ -15,9 +15,6 @@ ms.date: 10/21/2019
# Defender CSP
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
The following image shows the Windows Defender configuration service provider in tree format.
@@ -272,6 +269,8 @@ Supported operation is Get.
**Health/QuickScanOverdue**
Indicates whether a Windows Defender quick scan is overdue for the device.
+A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan) are disabled (default)
+
The data type is a boolean.
Supported operation is Get.
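Review bot: the added sentence lacks a terminating period after "(default)", and "Quick scan" is capitalized mid-sentence while the preceding line writes "quick scan"; pick one form. The same two fixes apply to the FullScanOverdue addition in the next hunk.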
@@ -279,6 +278,8 @@ Supported operation is Get.
**Health/FullScanOverdue**
Indicates whether a Windows Defender full scan is overdue for the device.
+A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan) are disabled (default)
+
The data type is a boolean.
Supported operation is Get.
@@ -415,11 +416,11 @@ Node that can be used to perform signature updates for Windows Defender.
Supported operations are Get and Execute.
**OfflineScan**
-Added in Windows 10, version 1803. OfflineScan action starts a Windows Defender offline scan on the computer where you run the command. After the next OS reboot, the device will start in Windows Defender offline mode to begin the scan.
+Added in Windows 10, version 1803. OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan.
Supported operations are Get and Execute.
## Related topics
-[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index e5c1dcd59e..60c2372aed 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -1,6 +1,6 @@
---
title: Defender DDF file
-description: Defender DDF file
+description: See how the the OMA DM device description framework (DDF) for the **Defender** configuration service provider is used.
ms.assetid: 39B9E6CF-4857-4199-B3C3-EC740A439F65
ms.reviewer:
manager: dansimp
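Review bot: the new description repeats the article ("See how the the OMA DM") and uses markdown bold (`**Defender**`) inside a front-matter description field, where the asterisks will appear literally in page metadata; drop the bold markers.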
@@ -15,7 +15,6 @@ ms.date: 10/21/2019
# Defender DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **Defender** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index 859ffd1672..285d96ddf8 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -14,9 +14,6 @@ ms.date: 03/27/2020
# DevDetail CSP
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
The DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. These device parameters are not sent from the client to the server automatically, but can be queried by servers using OMA DM commands.
> [!NOTE]
@@ -135,7 +132,7 @@ Value type is string.
Supported operations are Get and Replace.
**Ext/Microsoft/DNSComputerName**
-Added in the next major release of Windows 10. This node specifies the DNS computer name for a device. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 63 characters. This node replaces the **Domain/ComputerName** node in [Accounts CSP](accounts-csp.md).
+Added in Windows 10, version 2004. This node specifies the DNS computer name for a device. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 63 characters. This node replaces the **Domain/ComputerName** node in [Accounts CSP](accounts-csp.md).
The following are the available naming macros:
diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md
index 47df0219d5..0ab07220b6 100644
--- a/windows/client-management/mdm/devdetail-ddf-file.md
+++ b/windows/client-management/mdm/devdetail-ddf-file.md
@@ -9,14 +9,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 07/11/2018
+ms.date: 06/03/2020
---
# DevDetail DDF file
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
This topic shows the OMA DM device description framework (DDF) for the **DevDetail** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -724,4 +721,5 @@ The XML below is the current version for this CSP.
+
```
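Review bot: the only change in this hunk is a new empty `+` line inserted just before the closing ``` fence of the DDF XML; that is whitespace inside the code block and adds a blank trailing line to the rendered sample. Drop it unless a content change is needed for the republish.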
diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md
index 7252e076c2..ba02947ada 100644
--- a/windows/client-management/mdm/devinfo-csp.md
+++ b/windows/client-management/mdm/devinfo-csp.md
@@ -1,6 +1,6 @@
---
title: DevInfo CSP
-description: DevInfo CSP
+description: Learn now the DevInfo configuration service provider handles the managed object which provides device information to the OMA DM server.
ms.assetid: d3eb70db-1ce9-4c72-a13d-651137c1713c
ms.reviewer:
manager: dansimp
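Review bot: typo in the `+description:` line: "Learn now the DevInfo configuration service provider handles" should read "Learn how the DevInfo configuration service provider handles".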
diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
index 25b59bccc1..2e1b590d91 100644
--- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
+++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
@@ -24,8 +24,8 @@ ms.date: 06/26/2017
# DMProcessConfigXMLFiltered function
-> **Important**
-The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. Please see [Connectivity configuration](https://msdn.microsoft.com/library/windows/hardware/dn757424) for more information about the new process for provisioning connectivity configuration. However, this function is still supported for other OEM uses.
+> [!Important]
+> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. Please see [Connectivity configuration](https://msdn.microsoft.com/library/windows/hardware/dn757424) for more information about the new process for provisioning connectivity configuration. However, this function is still supported for other OEM uses.
Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios.
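Review bot: the alert marker in the `+> [!Important]` line uses mixed case, while the same change uses `[!IMPORTANT]` in other files; pick one casing for alert markers across the PR. The fix itself is correct: the second line of the removed note had no `>` prefix, so the body of the callout rendered as ordinary text.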
diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
index 384babdddb..00caaaa35d 100644
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
@@ -1,6 +1,6 @@
---
title: Enable ADMX-backed policies in MDM
-description: Guide to configuring ADMX-backed policies in MDM
+description: Use this is a step-by-step guide to configuring ADMX-backed policies in MDM.
ms.author: dansimp
ms.topic: article
ms.prod: w10
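Review bot: the `+description:` line is ungrammatical: "Use this is a step-by-step guide to configuring ADMX-backed policies in MDM." Suggest "Use this step-by-step guide to configure ADMX-backed policies in MDM."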
@@ -33,9 +33,9 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
## Enable a policy
> [!NOTE]
-> See [Understanding ADMX-backed policies](https://docs.microsoft.com/windows/client-management/mdm/understanding-admx-backed-policies).
+> See [Understanding ADMX-backed policy CSPs](https://docs.microsoft.com/windows/client-management/mdm/understanding-admx-backed-policies).
-1. Find the policy from the list [ADMX-backed policies](policies-admx-backed.md). You need the following information listed in the policy description.
+1. Find the policy from the list [ADMX-backed policies](policy-csps-admx-backed.md). You need the following information listed in the policy description.
- GP English name
- GP name
- GP ADMX file name
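Review bot: the link target in the `+1. Find the policy` line changes from policies-admx-backed.md to policy-csps-admx-backed.md; confirm the renamed file is part of this PR and that the old filename is redirected, otherwise this becomes a broken link. The link text change to "Understanding ADMX-backed policy CSPs" in the `+> See` line should also match the actual title of the linked page.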
@@ -65,37 +65,37 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
In this example you configure **Enable App-V Client** to **Enabled**.
-> [!NOTE]
-> The \ payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
-
-```xml
-
-
-
- 2
-
-
- chr
- text/plain
-
-
- ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppVClient
-
-
-
-
-
-
-
-```
+ > [!NOTE]
+ > The \ payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
+
+ ```xml
+
+
+
+ 2
+
+
+ chr
+ text/plain
+
+
+ ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppVClient
+
+
+
+
+
+
+
+ ```
## Enable a policy that requires parameters
-1. Create the SyncML to enable the policy that requires parameters.
+ 1. Create the SyncML to enable the policy that requires parameters.
- In this example, the policy is in **Administrative Templates > System > App-V > Publishing**.
+ In this example, the policy is in **Administrative Templates > System > App-V > Publishing**.
1. Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy.
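Review bot: the `+ > The \ payload must be XML encoded` line has nothing after the backslash, so the element name being escaped has been lost and the sentence reads "The \ payload"; restore the escaped element name. On the same line, "CData" should be "CDATA" to match the linked "CDATA Sections" heading. The re-indentation of the note and the ```xml block under the list item is fine, but check that the `+ 1. Create the SyncML` line, which now starts with a leading space, still renders as a numbered item rather than as indented text.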
@@ -107,7 +107,7 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
- 
+ 
3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx.
@@ -227,41 +227,41 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
Here is the example for **AppVirtualization/PublishingAllowServer2**:
-> [!NOTE]
-> The \ payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
-
- ```xml
-
-
-
-
- 2
-
-
- chr
- text/plain
-
-
- ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2
-
-
- ]]>
-
-
-
-
-
-
- ```
+ > [!NOTE]
+ > The \ payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
+
+ ```xml
+
+
+
+
+ 2
+
+
+ chr
+ text/plain
+
+
+ ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2
+
+
+ ]]>
+
+
+
+
+
+
+ ```
## Disable a policy
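Review bot: the sample in this hunk ends its payload with a `+ ]]>` line (CDATA close), but no matching CDATA opener is visible among the added lines; confirm the opener survived the re-indentation so the SyncML stays well-formed. The `+ > The \ payload` note line has the same two issues as the note in the "Enable a policy" section above: the missing element name after the backslash and "CData" for "CDATA".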
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index dcc548afd6..b03d28832e 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -37,7 +37,7 @@ The auto-enrollment relies on the presence of an MDM service and the Azure Activ
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
-In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/).
+In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/)
For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
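Review bot: the `+In Windows 10, version 1709 or later,` line drops the closing period after the link: the removed line ended "who-wins/)." and the new line ends "who-wins/)". Restore the period. Also check the wording: the sentence now says GP wins for "1709 or later" while the next sentence says the winner can be switched to MDM from version 1803; adding "by default" after "the GP policy wins" keeps both statements consistent.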
@@ -52,10 +52,10 @@ The following steps demonstrate required settings using the Intune service:

-> [!IMPORTANT]
-> For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
-
-> For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
+ > [!IMPORTANT]
+ > For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
+ >
+ > For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
3. Verify that the device OS version is Windows 10, version 1709 or later.
4. Auto-enrollment into Intune via Group Policy is valid only for devices which are hybrid Azure AD joined. This means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line.
@@ -94,7 +94,7 @@ You may contact your domain administrators to verify if the group policy has bee
This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
Requirements:
-- AD-joined PC running Windows 10, version 1709
+- AD-joined PC running Windows 10, version 1709 or later
- Enterprise has MDM service already configured
- Enterprise AD must be registered with Azure AD
@@ -110,27 +110,27 @@ Requirements:

-4. Double-click **Enable Automatic MDM enrollment using default Azure AD credentials**.
+4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10, version 1709 and later once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available.

5. Click **Enable**, then click **OK**.
-> [!NOTE]
-> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have the Windows 10, version 1903 feature update installed.
-The default behavior for older releases is to revert to **User Credential**.
+ > [!NOTE]
+ > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
+ > The default behavior for older releases is to revert to **User Credential**.
-When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
+ When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
-To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
+ To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
-If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
+ If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
-
+ 
-> [!Tip]
-> You can avoid this behavior by using Conditional Access Policies in Azure AD.
-Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview).
+ > [!Tip]
+ > You can avoid this behavior by using Conditional Access Policies in Azure AD.
+ Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview).
6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account.
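Review bot: the `+4. Double-click` line says "select **User Credential** (support for Device Credential is coming)" and "Device Credential will enroll the device ... once support for this is available", but the `+ > In Windows 10, version 1903` note in the same hunk says Device Credential takes effect on clients running version 1903 or later. These statements contradict each other; reconcile them so the page gives one status for Device Credential. Minor: the `6. To verify successful enrollment to MDM , click` context line has a space before the comma.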
@@ -160,27 +160,28 @@ Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/a
## Configure the auto-enrollment for a group of devices
Requirements:
-- AD-joined PC running Windows 10, version 1709
+- AD-joined PC running Windows 10, version 1709 or later
- Enterprise has MDM service already configured (with Intune or a third party service provider)
- Enterprise AD must be integrated with Azure AD.
- Ensure that PCs belong to same computer group.
-> [!IMPORTANT]
-> If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1803, version 1809, or version 1903. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):
-> 1. Download:
-> 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or
-> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or
-> 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
-> 2. Install the package on the Domain Controller.
-> 3. Navigate, depending on the version to the folder:
-> 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or
-> 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or
-> 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
-> 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
-> 5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**.
-> (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain).
-> 6. Restart the Domain Controller for the policy to be available.
-> This procedure will work for any future version as well.
+[!IMPORTANT]
+If you do not see the policy, it may be because you don’t have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):
+ 1. Download:
+ 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or
+ 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or
+ 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
+ 2. Install the package on the Domain Controller.
+ 3. Navigate, depending on the version to the folder:
+ 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or
+ 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or
+ 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
+ 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
+ 5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**.
+ (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain).
+ 6. Restart the Domain Controller for the policy to be available.
+
+ This procedure will work for any future version as well.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
2. Create a Security Group for the PCs.
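Review bot: the `+[!IMPORTANT]` line and every line after it drop the leading `>`, so the alert no longer renders as a callout: the literal text "[!IMPORTANT]" will appear on the page and the steps become body text. Keep `> [!IMPORTANT]` and prefix each line of the block with `> `, as the removed lines did. Inside the block, "1803 -->[Administrative" lacks a space after the arrow, and "Navigate, depending on the version to the folder:" needs the comma after "version". The block's own 1-6 list is immediately followed by a list that restarts at "1. Create a Group Policy Object"; keeping the callout as a blockquote also keeps the two lists from merging.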
@@ -188,7 +189,6 @@ Requirements:
4. Filter using Security Groups.
## Troubleshoot auto-enrollment of devices
-
Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device.
To collect Event Viewer logs:
@@ -242,10 +242,10 @@ To collect Event Viewer logs:
- [Link a Group Policy Object](https://technet.microsoft.com/library/cc732979(v=ws.11).aspx)
- [Filter Using Security Groups](https://technet.microsoft.com/library/cc752992(v=ws.11).aspx)
- [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx)
+- [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
### Useful Links
- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
-- [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880)
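Review bot: the `-- [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803]` line removes the 1803 download from Useful Links, but the IMPORTANT block earlier in this file still tells readers to download the 1803 templates from the same URL (id=56880). Either keep the link here or drop 1803 from both places. Adding the Group Policy Central Store link is consistent with the central policy store reference in that block.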
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
index ab13935f66..22445122ec 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseAppVManagement CSP
-description: EnterpriseAppVManagement CSP
+description: Examine the tree format for EnterpriseAppVManagement configuration service provider (CSP) to manage virtual applications in Windows 10 PCs.(Enterprise and Education editions).
ms.author: dansimp
ms.topic: article
ms.prod: w10
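Review bot: punctuation in the `+description:` line: "in Windows 10 PCs.(Enterprise and Education editions)." puts the period before the parenthesis with no space. Suggest "in Windows 10 PCs (Enterprise and Education editions)."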
diff --git a/windows/client-management/mdm/enterpriseassignedaccess-xsd.md b/windows/client-management/mdm/enterpriseassignedaccess-xsd.md
index f73c18d744..3ee96832c7 100644
--- a/windows/client-management/mdm/enterpriseassignedaccess-xsd.md
+++ b/windows/client-management/mdm/enterpriseassignedaccess-xsd.md
@@ -1,6 +1,6 @@
---
title: EnterpriseAssignedAccess XSD
-description: EnterpriseAssignedAccess XSD
+description: This XSD can be used to validate that the lockdown XML in the \ block of the AssignedAccessXML node.
ms.assetid: BB3B633E-E361-4B95-9D4A-CE6E08D67ADA
ms.reviewer:
manager: dansimp
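Review bot: the `+description:` line is an incomplete sentence: "This XSD can be used to validate that the lockdown XML in the \ block of the AssignedAccessXML node." has no verb after "that", and the element name after the backslash is missing. Suggest dropping "that" ("can be used to validate the lockdown XML in the ... block of the AssignedAccessXML node") and restoring the escaped element name after the backslash.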
diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md
index 70759a6c03..8cc8149b7f 100644
--- a/windows/client-management/mdm/enterprisedataprotection-csp.md
+++ b/windows/client-management/mdm/enterprisedataprotection-csp.md
@@ -14,17 +14,17 @@ ms.date: 08/09/2017
# EnterpriseDataProtection CSP
-The EnterpriseDataProtection configuration service provider (CSP) is used to configure Windows Information Protection (WIP) (formerly known as Enterprise Data Protection) specific settings. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip).
+The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip).
-> **Note**
->- To make WIP functional the AppLocker CSP and the network isolation specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
->- This CSP was added in Windows 10, version 1607.
+> [!Note]
+> To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
+> - This CSP was added in Windows 10, version 1607.
While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md).
-To learn more about WIP, see the following TechNet topics:
+To learn more about WIP, see the following articles:
- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy)
- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip)
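Review bot: the rewritten note mixes a plain paragraph with a one-item bullet list: the `+> To make WIP functional,` line is no longer a list item while `+> - This CSP was added in Windows 10, version 1607.` still is. Either keep both as bullets, as the removed lines had them, or make both plain lines. The hyphenation in "network isolation-specific settings" also reads oddly; "network-isolation-specific settings" or "the NetworkIsolation settings" is clearer.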
@@ -34,79 +34,82 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.

**./Device/Vendor/MSFT/EnterpriseDataProtection**
-
The root node for the CSP.
+The root node for the CSP.
**Settings**
-
The root node for the Windows Information Protection (WIP) configuration settings.
+The root node for the Windows Information Protection (WIP) configuration settings.
**Settings/EDPEnforcementLevel**
-
Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running.
+Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) – Off / No protection (decrypts previously protected data).
- 1 – Silent mode (encrypt and audit only).
- 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
- 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
-
Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/EnterpriseProtectedDomainNames**
-
A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
+A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
-
Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client.
+Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client.
-> **Note** The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
+> [!Note]
+> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
-
Here are the steps to create canonical domain names:
+Here are the steps to create canonical domain names:
-1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com.
+1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com.
2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0).
-
Supported operations are Add, Get, Replace and Delete. Value type is string.
+Supported operations are Add, Get, Replace, and Delete. Value type is string.
**Settings/AllowUserDecryption**
-
Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences.
+Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences.
> [!IMPORTANT]
> Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
Most restricted value is 0.
+Most restricted value is 0.
-
Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/RequireProtectionUnderLockConfig**
-
Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy.
+Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) – Not required.
- 1 – Required.
-
Most restricted value is 1.
+Most restricted value is 1.
-
The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware.
+The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware.
-> **Note** This setting is only supported in Windows 10 Mobile.
+> [!Note]
+> This setting is only supported in Windows 10 Mobile.
-
Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/DataRecoveryCertificate**
-
Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through MDM instead of Group Policy.
+Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy.
-> **Note** If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced.
+> [!Note]
+> If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced.
-
DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP.
+DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP.
The binary blob is the serialized version of following structure:
``` syntax
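Review bot: two defects in the EnterpriseProtectedDomainNames paragraph carry over unchanged into the `+A list of domains used by the enterprise` line: there is no space after the period in `("|").The first domain`, and "User identities from one of these domains is considered" should be "are considered". Since this hunk already touches every paragraph for spacing and Oxford commas, fix these in the same pass. The added `> [!Note]` markers again use mixed case while the `> [!IMPORTANT]` callout in this same file is uppercase.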
@@ -231,60 +234,59 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {
```
-
For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate.
+For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate.
-
Supported operations are Add, Get, Replace and Delete. Value type is base-64 encoded certificate.
+Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate.
**Settings/RevokeOnUnenroll**
-
This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1.
+This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 – Don't revoke keys.
- 1 (default) – Revoke keys.
-
Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/RevokeOnMDMHandoff**
-
Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from MAM to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
+Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
- 0 - Don't revoke keys
- 1 (default) - Revoke keys
-
Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
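Review bot: the RevokeOnMDMHandoff value list is the only one in this block without the "The following list shows the supported values:" lead-in and without terminal periods on its bullets; match the RevokeOnUnenroll and EDPShowIcons formatting. Since MAM is now expanded, expand MDM in the same sentence ("from mobile application management (MAM) to mobile device management (MDM)"), and "upgrades" reads as an OS upgrade here; "moves from MAM to MDM" is clearer.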
**Settings/RMSTemplateIDForEDP**
-
TemplateID GUID to use for RMS encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access.
+TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access.
-
Supported operations are Add, Get, Replace and Delete. Value type is string (GUID).
+Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID).
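Review bot: "Rights Management Service (RMS)" is not the product name; Microsoft uses Active Directory Rights Management Services (AD RMS) and Azure Rights Management, so "Rights Management Services (RMS)" is the safe expansion. Also "RMS-protected file" should be plural: "who has access to RMS-protected files and how long they have access".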
**Settings/AllowAzureRMSForEDP**
-
Specifies whether to allow Azure RMS encryption for WIP.
+Specifies whether to allow Azure RMS encryption for WIP.
- 0 (default) – Don't use RMS.
- 1 – Use RMS.
-
Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/SMBAutoEncryptedFileExtensions**
-
Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an SMB share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list.
-
When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.
-
Supported operations are Add, Get, Replace and Delete. Value type is string.
+Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list.
+When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.
+Supported operations are Add, Get, Replace and Delete. Value type is string.
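Review bot: "an Server Message Block (SMB) share" should be "a Server Message Block (SMB) share". This is also the only node in the file whose Supported operations line was not given the serial comma ("Add, Get, Replace, and Delete") that every other rewritten line in this change uses, and the last two "+" lines are visually identical to the lines they replace; if that part is a trailing-whitespace cleanup, say so in the commit message.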
**Settings/EDPShowIcons**
-
Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles in the Start menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
-
-
The following list shows the supported values:
+Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
+The following list shows the supported values:
- 0 (default) - No WIP overlays on icons or tiles.
- 1 - Show WIP overlays on protected files and apps that can only create enterprise content.
-
Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
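Review bot: the removed blank line between the EDPShowIcons description and "The following list shows the supported values:" has no added counterpart, so in rendered Markdown the two become one paragraph unless the description line ends in two trailing spaces; keep the blank line. In the description itself, "WIP protected files" and "enterprise only app tiles" should be hyphenated ("WIP-protected", "enterprise-only") to match "WIP-protected app" later in the same sentence, and "version 1703 this setting" needs a comma after 1703.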
**Status**
-
A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
+A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
-
Bit 0 indicates whether WIP is on or off.
+Bit 0 indicates whether WIP is on or off.
-
Bit 1 indicates whether AppLocker WIP policies are set.
+Bit 1 indicates whether AppLocker WIP policies are set.
-
Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, the bit 3 is set to 0 (zero).
+Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, the bit 3 is set to 0 (zero).
-
Here's the list of mandatory WIP policies:
+Here's the list of mandatory WIP policies:
- EDPEnforcementLevel in EnterpriseDataProtection CSP
- DataRecoveryCertificate in EnterpriseDataProtection CSP
@@ -333,9 +335,9 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {
- NetworkIsolation/EnterpriseIPRange in Policy CSP
- NetworkIsolation/EnterpriseNetworkDomainNames in Policy CSP
-
Bits 2 and 4 are reserved for future use.
+Bits 2 and 4 are reserved for future use.
-
Supported operation is Get. Value type is integer.
+Supported operation is Get. Value type is integer.
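Review bot: every "+" line in the Status block is visually identical to the "-" line above it, so this is a whitespace-only change; while touching it, fix "the bit 3 is set to 0 (zero)" to "bit 3 is set to 0" and "on the Device" to "on the device". Because bits 2 and 4 are reserved, a sentence telling MDM servers to mask the reserved bits before interpreting the value, rather than comparing the whole integer for equality, would keep a server from misreading WIP state once a reserved bit is assigned.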
diff --git a/windows/client-management/mdm/enterpriseextfilessystem-csp.md b/windows/client-management/mdm/enterpriseextfilessystem-csp.md
index 3e7c2b1693..8f00e3fe0b 100644
--- a/windows/client-management/mdm/enterpriseextfilessystem-csp.md
+++ b/windows/client-management/mdm/enterpriseextfilessystem-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseExtFileSystem CSP
-description: EnterpriseExtFileSystem CSP
+description: Add, retrieve, or change files through the Mobile Device Management (MDM) service using the EnterpriseExtFileSystem CSP.
ms.assetid: F773AD72-A800-481A-A9E2-899BA56F4426
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index 1c440edf96..5384ce0168 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -14,9 +14,6 @@ ms.date: 09/27/2019
# EnterpriseModernAppManagement CSP
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md).
> [!Note]
@@ -329,6 +326,7 @@ Required. The value is 0 or 1 that indicates if the app is provisioned on the de
Supported operation is Get.
**.../*PackageFamilyName*/*PackageFullName*/IsStub**
+Added in Windows 10, version 2004.
Required. This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app.
The value is 1 if the package is a stub package and 0 (zero) for all other cases. Value type is int.
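Review bot: "Added in Windows 10, version 2004." is inserted directly between the IsStub node heading and "Required." with no blank line; check that it renders as its own line and sits where the other nodes in this file place their "Added in" sentence. Removing the prerelease warning changes what the page asserts, so the front matter ms.date (still 09/27/2019 in the hunk header) should be bumped; the same applies to the DDF page in the next file (ms.date 10/01/2019).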
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
index c9d550f250..aa2cdb680b 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
@@ -14,9 +14,6 @@ ms.date: 10/01/2019
# EnterpriseModernAppManagement DDF
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
This topic shows the OMA DM device description framework (DDF) for the **EnterpriseModernAppManagement** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
index 99150bef80..f7544b10a4 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
@@ -1,6 +1,6 @@
---
title: EnterpriseModernAppManagement XSD
-description: Here is the XSD for the application parameters.
+description: Use the EnterpriseModernAppManagement XSD for set application parameters.
ms.assetid: D393D094-25E5-4E66-A60F-B59CC312BF57
ms.reviewer:
manager: dansimp
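Review bot: "Use the EnterpriseModernAppManagement XSD for set application parameters." is ungrammatical; "to set application parameters".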
diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md
index 386f5a8c48..9251f6a755 100644
--- a/windows/client-management/mdm/esim-enterprise-management.md
+++ b/windows/client-management/mdm/esim-enterprise-management.md
@@ -8,7 +8,7 @@ ms.sitesec: library
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
-ms.topic:
+ms.topic: conceptual
---
# How Mobile Device Management Providers support eSIM Management on Windows
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index b8f27a73dc..1fae08c646 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -1,6 +1,6 @@
---
title: Firewall CSP
-description: Firewall CSP
+description: The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/get-offline-license.md b/windows/client-management/mdm/get-offline-license.md
index 772d402b87..87699a8b11 100644
--- a/windows/client-management/mdm/get-offline-license.md
+++ b/windows/client-management/mdm/get-offline-license.md
@@ -1,6 +1,6 @@
---
title: Get offline license
-description: The Get offline license operation retrieves the offline license information of a product from the Micosoft Store for Business.
+description: The Get offline license operation retrieves the offline license information of a product from the Microsoft Store for Business.
ms.assetid: 08DAD813-CF4D-42D6-A783-994A03AEE051
ms.reviewer:
manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get offline license
-The **Get offline license** operation retrieves the offline license information of a product from the Micosoft Store for Business.
+The **Get offline license** operation retrieves the offline license information of a product from the Microsoft Store for Business.
## Request
diff --git a/windows/client-management/mdm/get-product-packages.md b/windows/client-management/mdm/get-product-packages.md
index 394b64e58c..5ad2851bc5 100644
--- a/windows/client-management/mdm/get-product-packages.md
+++ b/windows/client-management/mdm/get-product-packages.md
@@ -1,6 +1,6 @@
---
title: Get product packages
-description: The Get product packages operation retrieves the information about applications in the Micosoft Store for Business.
+description: The Get product packages operation retrieves the information about applications in the Microsoft Store for Business.
ms.assetid: 039468BF-B9EE-4E1C-810C-9ACDD55C0835
ms.reviewer:
manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get product packages
-The **Get product packages** operation retrieves the information about applications in the Micosoft Store for Business.
+The **Get product packages** operation retrieves the information about applications in the Microsoft Store for Business.
## Request
diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md
index 2169488622..598d24ea19 100644
--- a/windows/client-management/mdm/get-seat.md
+++ b/windows/client-management/mdm/get-seat.md
@@ -1,6 +1,6 @@
---
title: Get seat
-description: The Get seat operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business.
+description: The Get seat operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business.
ms.assetid: 715BAEB2-79FD-4945-A57F-482F9E7D07C6
ms.reviewer:
manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get seat
-The **Get seat** operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business.
+The **Get seat** operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business.
## Request
diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md
index 21d8f631c1..a510b2460c 100644
--- a/windows/client-management/mdm/get-seats.md
+++ b/windows/client-management/mdm/get-seats.md
@@ -1,6 +1,6 @@
---
title: Get seats
-description: The Get seats operation retrieves the information about active seats in the Micosoft Store for Business.
+description: The Get seats operation retrieves the information about active seats in the Micorsoft Store for Business.
ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F
ms.reviewer:
manager: dansimp
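Review bot: the description line replaces "Micosoft" with a new typo, "Micorsoft Store for Business"; the body line in the next hunk gets it right, so the front matter should read "Microsoft Store for Business" as well.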
@@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get seats
-The **Get seats** operation retrieves the information about active seats in the Micosoft Store for Business.
+The **Get seats** operation retrieves the information about active seats in the Microsoft Store for Business.
## Request
diff --git a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png
index 6ece851369..76df1eafea 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png and b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png
index 5c90ec5a2b..4328edcad7 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png and b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png
index 498ce66f47..f123d98073 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png and b/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png differ
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index 254c91259b..57d1c57718 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -151,13 +151,13 @@ We have updated Skype for Business to work with MAM. The following table explain
March 9 2017
Visio Pro for Office 365
Project Desktop Client
-
Office 365 Business (the version of Office that comes with some Office 365 plans, such as Business Premium.)
+
Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)
Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index 87c13cbc3e..ffcc4f3baa 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -313,7 +313,7 @@ The deep link used for connecting your device to work will always use the follow
> **Note** Deep links only work with Internet Explorer or Edge browsers.
When connecting to MDM using a deep link, the URI you should use is
-**ms-device-enrollment:?mode=mdm**
+**ms-device-enrollment:?mode=mdm**
**ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=**
The following procedure describes how users can connect their devices to MDM using deep links.
diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index 38e128bd28..1d91d3ec3b 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -1,6 +1,6 @@
---
title: Mobile device enrollment
-description: Mobile device enrollment is the first phase of enterprise management.
+description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise.
ms.assetid: 08C8B3DB-3263-414B-A368-F47B94F47A11
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index ad7b6964a4..430601798d 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -24,6 +24,7 @@ This topic provides information about what's new and breaking changes in Windows
For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
- **What’s new in MDM for Windows 10 versions**
+ - [What’s new in MDM for Windows 10, version 2004](#whats-new-in-mdm-for-windows-10-version-2004)
- [What’s new in MDM for Windows 10, version 1909](#whats-new-in-mdm-for-windows-10-version-1909)
- [What’s new in MDM for Windows 10, version 1903](#whats-new-in-mdm-for-windows-10-version-1903)
- [What’s new in MDM for Windows 10, version 1809](#whats-new-in-mdm-for-windows-10-version-1809)
@@ -58,6 +59,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [What is dmwappushsvc?](#what-is-dmwappushsvc)
- **Change history in MDM documentation**
+ - [June 2020](#june-2020)
+ - [May 2020](#may-2020)
- [February 2020](#february-2020)
- [January 2020](#january-2020)
- [November 2019](#november-2019)
@@ -87,6 +90,58 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [September 2017](#september-2017)
- [August 2017](#august-2017)
+## What’s new in MDM for Windows 10, version 2004
+
Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.
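Review bot: the hunk header reports 58 added lines for the new "What's new in MDM for Windows 10, version 2004" section, but only the heading and a blank line are visible here; confirm the section body (the list of 2004 additions) is present and that the generated anchor matches the ToC link `#whats-new-in-mdm-for-windows-10-version-2004` added above (the curly apostrophe in "What’s" is dropped from the anchor, as it is for the existing 1909 and 1903 links).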
@@ -1874,7 +1931,8 @@ Alternatively you can use the following procedure to create an EAP Configuration

- > **Note** For PEAP or TTLS, select the appropriate method and continue following this procedure.
+ > [!NOTE]
+ > For PEAP or TTLS, select the appropriate method and continue following this procedure.
3. Click the **Properties** button underneath the drop down menu.
4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
@@ -1888,7 +1946,7 @@ Alternatively you can use the following procedure to create an EAP Configuration
8. Continue following the procedure in the [EAP configuration](eap-configuration.md) topic from Step 9 to get an EAP TLS profile with appropriate filtering.
> [!NOTE]
->You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) topic.
+> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx).
### Remote PIN reset not supported in Azure Active Directory joined mobile devices
@@ -1936,6 +1994,18 @@ What data is handled by dmwappushsvc? | It is a component handling the internal
How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. |
## Change history in MDM documentation
+### June 2020
+|New or updated topic | Description|
+|--- | ---|
+|[BitLocker CSP](bitlocker-csp.md)|Added SKU support table for **AllowStandardUserEncryption**.|
+|[Policy CSP - NetworkIsolation](policy-csp-networkisolation.md)|Updated the description from Boolean to Integer for the following policy settings: EnterpriseIPRangesAreAuthoritative, EnterpriseProxyServersAreAuthoritative.|
+
+### May 2020
+|New or updated topic | Description|
+|--- | ---|
+|[BitLocker CSP](bitlocker-csp.md)|Added the bitmask table for the Status/DeviceEncryptionStatus node.|
+|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with additional details. Added policy timeline table.
+
### February 2020
|New or updated topic | Description|
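Review bot: the RestrictedGroups row in the May 2020 table is missing the closing "|" that every other row has; add it so the row is parsed the same way across renderers.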
@@ -2433,7 +2503,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
Added a new section:
-
Policies supported by Group Policy - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.
+
[Policy CSPs supported by Group Policy - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.
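Review bot: the replacement line opens with "[" but has no closing "]" or link target, so it renders as a literal bracket. Either complete the link, for example "[Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md) - list of policies in Policy CSP that have a corresponding Group Policy. ...", or drop the bracket; "that has" should be "that have" either way.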
@@ -2562,6 +2632,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
@@ -4029,24 +4045,24 @@ The following diagram shows the Policy configuration service provider in tree fo
-## Policies supported by Group Policy and ADMX-backed policies
-- [Policies supported by Group Policy](policies-supported-by-group-policy.md)
-- [ADMX-backed policies](policies-admx-backed.md)
+## Policy CSPs supported by Group Policy and ADMX-backed policy CSPs
+- [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md)
+- [ADMX-backed policy CSPs](policy-csps-admx-backed.md)
-## Policies supported by HoloLens devices
-- [Policies supported by HoloLens 2](policies-supported-by-hololens2.md)
-- [Policies supported by HoloLens (1st gen) Commercial Suite](policies-supported-by-hololens-1st-gen-commercial-suite.md)
-- [Policies supported by HoloLens (1st gen) Development Edition](policies-supported-by-hololens-1st-gen-development-edition.md)
+## Policy CSPs supported by HoloLens devices
+- [Policy CSPs supported by HoloLens 2](policy-csps-supported-by-hololens2.md)
+- [Policy CSPs supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
+- [Policy CSPs supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
-## Policies supported by Windows 10 IoT
-- [Policies supported by Windows 10 IoT Enterprise](policies-supported-by-iot-enterprise.md)
-- [Policies supported by Windows 10 IoT Core](policies-supported-by-iot-core.md)
+## Policy CSPs supported by Windows 10 IoT
+- [Policy CSPs supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
+- [Policy CSPs supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
-## Policies supported by Microsoft Surface Hub
-- [Policies supported by Microsoft Surface Hub](policies-supported-by-surface-hub.md)
+## Policy CSPs supported by Microsoft Surface Hub
+- [Policy CSPs supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md)
-## Policies that can be set using Exchange Active Sync (EAS)
-- [Policies that can be set using Exchange Active Sync (EAS)](policies-that-can-be-set-using-eas.md)
+## Policy CSPs that can be set using Exchange ActiveSync (EAS)
+- [Policy CSPs that can be set using Exchange ActiveSync (EAS)](policy-csps-that-can-be-set-using-eas.md)
## Related topics
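Review bot: these link targets change filenames (policies-supported-by-*.md to policy-csps-supported-by-*.md), which changes the public URL of each page; confirm a redirect exists for every old filename and that every other page linking to the old names is updated in this change, or existing bookmarks and external links will 404. The new wording is also less accurate: Policy CSP is a single configuration service provider containing many policies, so "Policy CSPs supported by Group Policy" suggests several CSPs where the old "Policies supported by Group Policy" was right; if the rename is for discoverability, "Policy CSP policies supported by Group Policy" keeps the term without the plural.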
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index 493575d365..373e94d365 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - AboveLock
-description: Policy CSP - AboveLock
+description: Learn the various AboveLock Policy CSP for Windows editions of Home, Pro, Business, and more.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
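Review bot: "Learn the various AboveLock Policy CSP for Windows editions of Home, Pro, Business, and more." does not parse; suggest "Learn about the AboveLock policies in Policy CSP and the Windows editions (Home, Pro, Business, and more) that support them."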
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
index 98588acfa2..7a981c49d8 100644
--- a/windows/client-management/mdm/policy-csp-activexcontrols.md
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - ActiveXControls
-description: Policy CSP - ActiveXControls
+description: Learn the ins and outs of various Policy CSP - ActiveXControls settings, including SyncML, for Windows 10.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
@@ -74,7 +74,7 @@ manager: dansimp
-This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.
+This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved ActiveX Install sites specified by host URL.
If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL.
@@ -109,6 +109,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+- 7 - Added in Windows 10, version 1909.
+- 8 - Added in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 798bbae111..b2bfd70f15 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -14,10 +14,6 @@ manager: dansimp
# Policy CSP - ApplicationManagement
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
-
@@ -436,15 +432,15 @@ Most restricted value: 0
Business
-
7
+
8
Enterprise
-
7
+
8
Education
-
7
+
8
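Review bot: this commit redefines footnote 7 from "Added in the next major release of Windows 10" to "Added in Windows 10, version 1909" (footnotes hunk below), so every table cell that still carries a 7 will silently claim the wrong release; only the Business, Enterprise, and Education cells are flipped to 8 here, so check the Pro (and Home) rows just above this hunk and any other 7 superscripts left in the file.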
@@ -462,7 +458,7 @@ Most restricted value: 0
-Added in the next major release of Windows 10.
+Added in Windows 10, version 2004.
Manages non-administrator users' ability to install Windows app packages.
@@ -1112,7 +1108,7 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
-- 7 - Added in the next major release of Windows 10.
-
+- 7 - Added in Windows 10, version 1909.
+- 8 - Added in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md
index 7c7efc8c73..c5b211a563 100644
--- a/windows/client-management/mdm/policy-csp-appruntime.md
+++ b/windows/client-management/mdm/policy-csp-appruntime.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - AppRuntime
-description: Policy CSP - AppRuntime
+description: Control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in.Policy CSP - AppRuntime.
ms.author: dansimp
ms.topic: article
ms.prod: w10
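Review bot: the new description is missing a space after "sign in." and ends with the fragment "Policy CSP - AppRuntime."; suggest "Control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in (Policy CSP - AppRuntime)." or drop the trailing fragment.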
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index b09a07d3b2..bc3456d80d 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - AttachmentManager
-description: Policy CSP - AttachmentManager
+description: Manage Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local).
ms.author: dansimp
ms.topic: article
ms.prod: w10
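Review bot: "Manage Windows marks file attachments with information about their zone of origin" is missing a word; "Manage how Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local)."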
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index 96103d4ca7..378f92cb1b 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -12,10 +12,6 @@ ms.date: 09/27/2019
# Policy CSP - Audit
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
-
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md
index 3ab3d8246b..7e84c5ac84 100644
--- a/windows/client-management/mdm/policy-csp-bitlocker.md
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Bitlocker
-description: Policy CSP - Bitlocker
+description: Use the Policy configuration service provider (CSP) - Bitlocker to manage encryption of PCs and devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10
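Review bot: the product name is BitLocker (capital L); the new description should read "Use the Policy configuration service provider (CSP) - BitLocker to manage encryption of PCs and devices." The title line carries the same lowercase form and could be fixed in the same change.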
diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md
index 07a7f51c0f..d4c64c584f 100644
--- a/windows/client-management/mdm/policy-csp-bits.md
+++ b/windows/client-management/mdm/policy-csp-bits.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - BITS
-description: Policy CSP - BITS
+description: Use StartTime, EndTime and Transfer rate together to define the BITS bandwidth-throttling schedule and transfer rate.
ms.author: dansimp
ms.topic: article
ms.prod: w10
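Review bot: the description refers to "StartTime, EndTime and Transfer rate", but the policies follow the BITS/BandwidthThrottling* naming shown in the context below (BITS/BandwidthThrottlingEndTime and its StartTime and TransferRate siblings); use the actual node names so the description is searchable and matches the list it introduces.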
@@ -14,10 +14,6 @@ manager: dansimp
# Policy CSP - BITS
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
-
The following bandwidth policies are used together to define the bandwidth-throttling schedule and transfer rate.
- BITS/BandwidthThrottlingEndTime
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 40e770a691..74dbe86c25 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - Bluetooth
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
@@ -412,19 +409,19 @@ The default value is an empty string. For more information, see [ServicesAllowed
Pro
-
7
+
8
Business
-
7
+
8
Enterprise
-
7
+
8
Education
-
7
+
8
@@ -441,8 +438,7 @@ The default value is an empty string. For more information, see [ServicesAllowed
-Added in the next major release of Windows 10.
-There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments.
+Added in Windows 10, version 2004. There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments.
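Review bot: "This policy helps prevent weaker devices cryptographically being used" on the `+` line reads awkwardly; suggest "This policy helps prevent cryptographically weaker devices from being used in high-security environments." Merging the version sentence onto the same line as the description is fine, but the footnote index this entry carries in the edition table above (8) and the footnote list below (8 = version 2004) must both match the "version 2004" stated here.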
@@ -470,8 +466,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
-- 7 - Added in the next major release of Windows 10.
-
+- 7 - Added in Windows 10, version 1909.
+- 8 - Added in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 64a83cf92a..3f68b4b8cb 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Browser
-description: Policy CSP - Browser
+description: Learn how to set the Policy CSP - Browser settings for Microsoft Edge, version 45 and earlier.
ms.topic: article
ms.prod: w10
ms.technology: windows
@@ -17,11 +17,6 @@ ms.localizationpriority: medium
> [!NOTE]
> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
-
-
-> [!NOTE]
-> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
-
## Browser policies
@@ -4308,6 +4303,7 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+- 7 - Added in Windows 10, version 1909.
+- 8 - Added in Windows 10, version 2004.
-
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index 1cb56dfe89..9c799910b8 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -100,8 +100,8 @@ The [Policy DDF](policy-ddf-file.md) contains the following tags to identify the
- \
- \
-For the list MDM-GP mapping list, see [Policies supported by Group Policy
-](policies-supported-by-group-policy.md).
+For the list MDM-GP mapping list, see [Policy CSPs supported by Group Policy
+](policy-csps-supported-by-group-policy.md).
The MDM Diagnostic report shows the applied configurations states of a device including policies, certificates, configuration sources, and resource information. The report includes a list of blocked GP settings because MDM equivalent is configured, if any. To get the diagnostic report, go to **Settings** > **Accounts** > **Access work or school** > and then click the desired work or school account. Scroll to the bottom of the page to **Advanced Diagnostic Report** and then click **Create Report**.
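Review bot: "For the list MDM-GP mapping list" on the `+` line duplicates "list"; suggest "For the MDM-GP mapping list". The link text also spans two lines, with `](` starting the second line, which some Markdown renderers do not treat as a link, so put the whole link on one line. Since the target changes from policies-supported-by-group-policy.md to policy-csps-supported-by-group-policy.md, confirm the renamed file is part of this change or the link breaks.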
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index a246711f54..d9cc3f9647 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - CredentialProviders
-description: Policy CSP - CredentialProviders
+description: Learn the policy CSP for credential provider set up, sign in, PIN requests and so on.
ms.author: dansimp
ms.topic: article
ms.prod: w10
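Review bot: "credential provider set up, sign in, PIN requests and so on" on the `+` line: used as nouns these should be "setup" and "sign-in", and "and so on" is too vague for a page description; name the policy areas the page actually covers.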
@@ -249,6 +249,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+- 7 - Added in Windows 10, version 1909.
+- 8 - Added in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index d691487aa2..2e45c2f251 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -205,7 +205,7 @@ Allows or disallows scanning of archives.
ADMX Info:
- GP English name: *Scan archive files*
- GP name: *Scan_DisableArchiveScanning*
-- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
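Review bot: The `+` line changes the GP path to *Windows Components/Microsoft Defender Antivirus/Scan*, but the path a reader sees in the Group Policy editor depends on the ADMX template version installed, and the file name on the next line is still *WindowsDefender.admx*; older templates still display the *Windows Defender Antivirus* node. Since this rename is repeated in every Defender hunk below, add one sentence near the top of the page noting that devices with earlier templates show the previous node name, so the new paths do not read as errors.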
@@ -275,7 +275,7 @@ Allows or disallows Windows Defender Behavior Monitoring functionality.
ADMX Info:
- GP English name: *Turn on behavior monitoring*
- GP name: *RealtimeProtection_DisableBehaviorMonitoring*
-- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@@ -346,7 +346,7 @@ ADMX Info:
- GP English name: *Join Microsoft MAPS*
- GP name: *SpynetReporting*
- GP element: *SpynetReporting*
-- GP path: *Windows Components/Windows Defender Antivirus/MAPS*
+- GP path: *Windows Components/Microsoft Defender Antivirus/MAPS*
- GP ADMX file name: *WindowsDefender.admx*
@@ -416,7 +416,7 @@ Allows or disallows scanning of email.
ADMX Info:
- GP English name: *Turn on e-mail scanning*
- GP name: *Scan_DisableEmailScanning*
-- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
@@ -486,7 +486,7 @@ Allows or disallows a full scan of mapped network drives.
ADMX Info:
- GP English name: *Run full scan on mapped network drives*
- GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan*
-- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
@@ -556,7 +556,7 @@ Allows or disallows a full scan of removable drives. During a quick scan, remova
ADMX Info:
- GP English name: *Scan removable drives*
- GP name: *Scan_DisableRemovableDriveScanning*
-- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
@@ -626,7 +626,7 @@ Allows or disallows Windows Defender IOAVP Protection functionality.
ADMX Info:
- GP English name: *Scan all downloaded files and attachments*
- GP name: *RealtimeProtection_DisableIOAVProtection*
-- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@@ -758,7 +758,7 @@ Allows or disallows Windows Defender On Access Protection functionality.
ADMX Info:
- GP English name: *Monitor file and program activity on your computer*
- GP name: *RealtimeProtection_DisableOnAccessProtection*
-- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@@ -828,7 +828,7 @@ Allows or disallows Windows Defender Realtime Monitoring functionality.
ADMX Info:
- GP English name: *Turn off real-time protection*
- GP name: *DisableRealtimeMonitoring*
-- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@@ -898,7 +898,7 @@ Allows or disallows a scanning of network files.
ADMX Info:
- GP English name: *Scan network files*
- GP name: *Scan_DisableScanningNetworkFiles*
-- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
@@ -1030,7 +1030,7 @@ Allows or disallows user access to the Windows Defender UI. If disallowed, all W
ADMX Info:
- GP English name: *Enable headless UI mode*
- GP name: *UX_Configuration_UILockdown*
-- GP path: *Windows Components/Windows Defender Antivirus/Client Interface*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Client Interface*
- GP ADMX file name: *WindowsDefender.admx*
@@ -1103,7 +1103,7 @@ ADMX Info:
- GP English name: *Exclude files and paths from Attack Surface Reduction Rules*
- GP name: *ExploitGuard_ASR_ASROnlyExclusions*
- GP element: *ExploitGuard_ASR_ASROnlyExclusions*
-- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction*
- GP ADMX file name: *WindowsDefender.admx*
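Review bot: The renamed path on the `+` line keeps *Windows Defender Exploit Guard* as the child node under *Microsoft Defender Antivirus*, so the path mixes old and new branding. That is correct only if the template renames just the Antivirus node; verify against the ADMX rather than assuming, since the same mixed path appears in the Controlled Folder Access and Network Protection hunks further down.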
@@ -1171,7 +1171,7 @@ ADMX Info:
- GP English name: *Configure Attack Surface Reduction rules*
- GP name: *ExploitGuard_ASR_Rules*
- GP element: *ExploitGuard_ASR_Rules*
-- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction*
- GP ADMX file name: *WindowsDefender.admx*
@@ -1238,7 +1238,7 @@ ADMX Info:
- GP English name: *Specify the maximum percentage of CPU utilization during a scan*
- GP name: *Scan_AvgCPULoadFactor*
- GP element: *Scan_AvgCPULoadFactor*
-- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
@@ -1315,7 +1315,7 @@ ADMX Info:
- GP English name: *Check for the latest virus and spyware definitions before running a scheduled scan*
- GP name: *CheckForSignaturesBeforeRunningScan*
- GP element: *CheckForSignaturesBeforeRunningScan*
-- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
@@ -1380,11 +1380,11 @@ ADMX Info:
> This policy is only enforced in Windows 10 for desktop.
-Added in Windows 10, version 1709. This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer.
+Added in Windows 10, version 1709. This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer.
-If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.
+If this setting is on, Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.
-For more information about specific values that are supported, see the Windows Defender Antivirus documentation site.
+For more information about specific values that are supported, see the Microsoft Defender Antivirus documentation site.
> [!NOTE]
> This feature requires the "Join Microsoft MAPS" setting enabled in order to function.
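Review bot: "see the Microsoft Defender Antivirus documentation site" on the last `+` line is a bare reference with no link, unlike the other cross-references in this file; link the specific page that lists the supported values. Note also that the rename in this hunk leaves the page half-converted: context lines elsewhere in the file (for example "Allows or disallows Windows Defender Behavior Monitoring functionality" above) still say Windows Defender.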
@@ -1395,7 +1395,7 @@ ADMX Info:
- GP English name: *Select cloud protection level*
- GP name: *MpEngine_MpCloudBlockLevel*
- GP element: *MpCloudBlockLevel*
-- GP path: *Windows Components/Windows Defender Antivirus/MpEngine*
+- GP path: *Windows Components/Microsoft Defender Antivirus/MpEngine*
- GP ADMX file name: *WindowsDefender.admx*
@@ -1459,7 +1459,7 @@ The following list shows the supported values:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-Added in Windows 10, version 1709. This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50.
+Added in Windows 10, version 1709. This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50.
The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds.
@@ -1474,7 +1474,7 @@ ADMX Info:
- GP English name: *Configure extended cloud check*
- GP name: *MpEngine_MpBafsExtendedTimeout*
- GP element: *MpBafsExtendedTimeout*
-- GP path: *Windows Components/Windows Defender Antivirus/MpEngine*
+- GP path: *Windows Components/Microsoft Defender Antivirus/MpEngine*
- GP ADMX file name: *WindowsDefender.admx*
@@ -1529,7 +1529,7 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.
-Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
+Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Microsoft Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
@@ -1537,7 +1537,7 @@ ADMX Info:
- GP English name: *Configure allowed applications*
- GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications*
- GP element: *ExploitGuard_ControlledFolderAccess_AllowedApplications*
-- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access*
- GP ADMX file name: *WindowsDefender.admx*
@@ -1600,7 +1600,7 @@ ADMX Info:
- GP English name: *Configure protected folders*
- GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders*
- GP element: *ExploitGuard_ControlledFolderAccess_ProtectedFolders*
-- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access*
- GP ADMX file name: *WindowsDefender.admx*
@@ -1667,7 +1667,7 @@ ADMX Info:
- GP English name: *Configure removal of items from Quarantine folder*
- GP name: *Quarantine_PurgeItemsAfterDelay*
- GP element: *Quarantine_PurgeItemsAfterDelay*
-- GP path: *Windows Components/Windows Defender Antivirus/Quarantine*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Quarantine*
- GP ADMX file name: *WindowsDefender.admx*
@@ -1742,7 +1742,7 @@ ADMX Info:
- GP English name: *Turn on catch-up full scan*
- GP name: *Scan_DisableCatchupFullScan*
- GP element: *Scan_DisableCatchupFullScan*
-- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
@@ -1822,7 +1822,7 @@ ADMX Info:
- GP English name: *Turn on catch-up quick scan*
- GP name: *Scan_DisableCatchupQuickScan*
- GP element: *Scan_DisableCatchupQuickScan*
-- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
@@ -1894,7 +1894,7 @@ ADMX Info:
- GP English name: *Configure Controlled folder access*
- GP name: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess*
- GP element: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess*
-- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access*
- GP ADMX file name: *WindowsDefender.admx*
@@ -1971,7 +1971,7 @@ ADMX Info:
- GP English name: *Configure low CPU priority for scheduled scans*
- GP name: *Scan_LowCpuPriority*
- GP element: *Scan_LowCpuPriority*
-- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
@@ -2049,7 +2049,7 @@ ADMX Info:
- GP English name: *Prevent users and apps from accessing dangerous websites*
- GP name: *ExploitGuard_EnableNetworkProtection*
- GP element: *ExploitGuard_EnableNetworkProtection*
-- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Network Protection*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Network Protection*
- GP ADMX file name: *WindowsDefender.admx*
@@ -2121,7 +2121,7 @@ ADMX Info:
- GP English name: *Path Exclusions*
- GP name: *Exclusions_Paths*
- GP element: *Exclusions_PathsList*
-- GP path: *Windows Components/Windows Defender Antivirus/Exclusions*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions*
- GP ADMX file name: *WindowsDefender.admx*
@@ -2185,7 +2185,7 @@ ADMX Info:
- GP English name: *Extension Exclusions*
- GP name: *Exclusions_Extensions*
- GP element: *Exclusions_ExtensionsList*
-- GP path: *Windows Components/Windows Defender Antivirus/Exclusions*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions*
- GP ADMX file name: *WindowsDefender.admx*
@@ -2255,7 +2255,7 @@ ADMX Info:
- GP English name: *Process Exclusions*
- GP name: *Exclusions_Processes*
- GP element: *Exclusions_ProcessesList*
-- GP path: *Windows Components/Windows Defender Antivirus/Exclusions*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions*
- GP ADMX file name: *WindowsDefender.admx*
@@ -2385,7 +2385,7 @@ ADMX Info:
- GP English name: *Configure monitoring for incoming and outgoing file and program activity*
- GP name: *RealtimeProtection_RealtimeScanDirection*
- GP element: *RealtimeProtection_RealtimeScanDirection*
-- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@@ -2457,7 +2457,7 @@ ADMX Info:
- GP English name: *Specify the scan type to use for a scheduled scan*
- GP name: *Scan_ScanParameters*
- GP element: *Scan_ScanParameters*
-- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
@@ -2537,7 +2537,7 @@ ADMX Info:
- GP English name: *Specify the time for a daily quick scan*
- GP name: *Scan_ScheduleQuickScantime*
- GP element: *Scan_ScheduleQuickScantime*
-- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
@@ -2608,7 +2608,7 @@ ADMX Info:
- GP English name: *Specify the day of the week to run a scheduled scan*
- GP name: *Scan_ScheduleDay*
- GP element: *Scan_ScheduleDay*
-- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
@@ -2695,7 +2695,7 @@ ADMX Info:
- GP English name: *Specify the time of day to run a scheduled scan*
- GP name: *Scan_ScheduleTime*
- GP element: *Scan_ScheduleTime*
-- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
@@ -2774,7 +2774,7 @@ ADMX Info:
- GP English name: *Define the order of sources for downloading definition updates*
- GP name: *SignatureUpdate_FallbackOrder*
- GP element: *SignatureUpdate_FallbackOrder*
-- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates*
- GP ADMX file name: *WindowsDefender.admx*
@@ -2853,7 +2853,7 @@ ADMX Info:
- GP English name: *Define file shares for downloading definition updates*
- GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources*
- GP element: *SignatureUpdate_DefinitionUpdateFileSharesSources*
-- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates*
- GP ADMX file name: *WindowsDefender.admx*
@@ -2933,7 +2933,7 @@ ADMX Info:
- GP English name: *Specify the interval to check for definition updates*
- GP name: *SignatureUpdate_SignatureUpdateInterval*
- GP element: *SignatureUpdate_SignatureUpdateInterval*
-- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates*
- GP ADMX file name: *WindowsDefender.admx*
@@ -3001,7 +3001,7 @@ ADMX Info:
- GP English name: *Send file samples when further analysis is required*
- GP name: *SubmitSamplesConsent*
- GP element: *SubmitSamplesConsent*
-- GP path: *Windows Components/Windows Defender Antivirus/MAPS*
+- GP path: *Windows Components/Microsoft Defender Antivirus/MAPS*
- GP ADMX file name: *WindowsDefender.admx*
@@ -3092,7 +3092,7 @@ ADMX Info:
- GP English name: *Specify threat alert levels at which default action should not be taken when detected*
- GP name: *Threats_ThreatSeverityDefaultAction*
- GP element: *Threats_ThreatSeverityDefaultActionList*
-- GP path: *Windows Components/Windows Defender Antivirus/Threats*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Threats*
- GP ADMX file name: *WindowsDefender.admx*
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 8a8184ba9a..902ef8e8be 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.date: 06/09/2020
ms.reviewer:
manager: dansimp
---
@@ -31,6 +31,9 @@ manager: dansimp
@@ -289,12 +298,15 @@ The following list shows the supported values:
-[Reserved for future use]
+
+This policy allows you to configure one or more Microsoft Connected Cache servers to be used by Delivery Optimization.
+
+One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
ADMX Info:
-- GP English name: *[Reserved for future use] Cache Server Hostname*
+- GP English name: *Cache Server Hostname*
- GP name: *CacheHost*
- GP element: *CacheHost*
- GP path: *Windows Components/Delivery Optimization*
@@ -314,6 +326,86 @@ ADMX Info:
+
+**DeliveryOptimization/DOCacheHostSource**
+
+
+
+
+
Windows Edition
+
Supported?
+
+
+
Home
+
+
+
+
Pro
+
8
+
+
+
Business
+
8
+
+
+
Enterprise
+
8
+
+
+
Education
+
8
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy allows you to to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
+
+
+
+ADMX Info:
+- GP English name: *Cache Server Hostname Source*
+- GP name: *CacheHostSource*
+- GP element: *CacheHostSource*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
+The following are the supported values:
+- 1 = DHCP Option ID.
+- 2 = DHCP Option ID Force.
+
+When DHCP Option ID (1) is set, the client will query DHCP Option ID 235 and use the returned FQDN or IP value as Cache Server Hostname value. This policy will be overridden when the [Cache Server Hostname](#deliveryoptimization-docachehost) policy has been set.
+
+When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 and use the returned FQDN or IP value as Cache Server Hostname value, and will override the Cache Server Hostname policy if it has been set.
+
+> [!Note]
+> If the DHCP Option ID is formatted incorrectly, the client will fall back to the [Cache Server Hostname](#deliveryoptimization-docachehost) policy value if that value has been set.
+
+
+
+
+
+
+
+
+
+
+
+
**DeliveryOptimization/DODelayBackgroundDownloadFromHttp**
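Review bot: Typo on the description line: "allows you to to configure". The same line calls the servers "Delivery Optimization in Network Cache servers" while the DOCacheHost hunk above calls them "Microsoft Connected Cache servers"; use one name. The `> [!Note]` admonition should be `> [!NOTE]` to match the rest of the file. Finally, the DHCP Option ID Force (2) paragraph should state the trade-off it implies: DHCP responses are not authenticated, and with value 2 a hostname learned from DHCP option 235 overrides the admin-set Cache Server Hostname policy, so that value is only appropriate where the DHCP infrastructure itself is trusted; value 1, which defers to the policy when it is set, is the safer default to recommend.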
@@ -816,6 +908,68 @@ The following list shows the supported values:
+
+**DeliveryOptimization/DOMaxBackgroundDownloadBandwidth**
+
+
+
+
+
Windows Edition
+
Supported?
+
+
+
Home
+
+
+
+
Pro
+
8
+
+
+
Business
+
8
+
+
+
Enterprise
+
8
+
+
+
Education
+
8
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
+
+The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+
+
+
+ADMX Info:
+- GP English name: *Maximum Background Download Bandwidth (in KB/s)*
+- GP name: *MaxBackgroundDownloadBandwidth*
+- GP element: *MaxBackgroundDownloadBandwidth*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
+
+
+
**DeliveryOptimization/DOMaxCacheAge**
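Review bot: The description lacks the value type and valid range that other entries in this file state ("Value type is integer"), and it does not say when the policy was added even though the edition table marks it with footnote 8 (version 2004); suggest opening with "Added in Windows 10, version 2004." as the Bluetooth change in this same PR does, and stating the value type.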
@@ -952,70 +1106,27 @@ ADMX Info:
**DeliveryOptimization/DOMaxDownloadBandwidth**
-
-
-
Windows Edition
-
Supported?
-
-
-
Home
-
-
-
-
Pro
-
1
-
-
-
Business
-
1
-
-
-
Enterprise
-
1
-
-
-
Education
-
1
-
-
+
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
-
-The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+This policy is deprecated. Use [DOMaxForegroundDownloadBandwidth](#deliveryoptimization-domaxforegrounddownloadbandwidth) and [DOMaxBackgroundDownloadBandwidth](#deliveryoptimization-domaxbackgrounddownloadbandwidth) policies instead.
-ADMX Info:
-- GP English name: *Maximum Download Bandwidth (in KB/s)*
-- GP name: *MaxDownloadBandwidth*
-- GP element: *MaxDownloadBandwidth*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
-
-**DeliveryOptimization/DOMaxUploadBandwidth**
+**DeliveryOptimization/DOMaxForegroundDownloadBandwidth**
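Review bot: The deprecation text removes the ADMX Info block entirely, yet the edition table above it still shows footnote 1 support, so readers migrating from Group Policy on those versions can no longer find the equivalent setting; keep the ADMX Info for the deprecated policy and state which version deprecated it. Also, the last two lines of the hunk turn the existing DOMaxUploadBandwidth heading into DOMaxForegroundDownloadBandwidth, so the new foreground entry inherits the upload section's table; confirm that the rendered anchor `#deliveryoptimization-domaxforegrounddownloadbandwidth`, which the deprecation sentence links to, resolves to that repurposed section.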
@@ -1029,19 +1140,19 @@ ADMX Info:
Pro
-
+
8
Business
-
+
8
Enterprise
-
+
8
Education
-
+
8
@@ -1058,20 +1169,16 @@ ADMX Info:
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+This policy specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
-
-Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization.
-
-The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth).
+The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
ADMX Info:
-- GP English name: *Max Upload Bandwidth (in KB/s)*
-- GP name: *MaxUploadBandwidth*
-- GP element: *MaxUploadBandwidth*
+- GP English name: *Maximum Foreground Download Bandwidth (in KB/s)*
+- GP name: *MaxForegroundDownloadBandwidth*
+- GP element: *MaxForegroundDownloadBandwidth*
- GP path: *Windows Components/Delivery Optimization*
- GP ADMX file name: *DeliveryOptimization.admx*
@@ -1080,6 +1187,25 @@ ADMX Info:
+
+**DeliveryOptimization/DOMaxUploadBandwidth**
+
+
+
+
+
+
+
+
+This policy is deprecated because it only applies to uploads to Internet peers (only allowed when DownloadMode is set to 3) which is not used in commercial deployments. There is no alternate policy to use.
+
+
+
+
+
+
+
+
**DeliveryOptimization/DOMinBackgroundQos**
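Review bot: The re-added DOMaxUploadBandwidth entry has no edition table, Scope block or ADMX Info, unlike every other entry in this file, including the deprecated DOMaxDownloadBandwidth entry above which keeps its table; add them, or state explicitly that the policy is removed rather than deprecated. The deprecation sentence is also a run-on: "only applies to uploads to Internet peers (only allowed when DownloadMode is set to 3) which is not used in commercial deployments" needs a comma before "which", and the parenthetical repeats "only".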
@@ -1901,12 +2027,14 @@ This policy allows an IT Admin to define the following:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
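Review bot: This hunk rewords the footnotes from "Added in" to "Available in", while the footnote hunks in policy-csp-bluetooth.md, policy-csp-browser.md and policy-csp-credentialproviders.md in this same change add entries 7 and 8 with "Added in"; pick one wording across the Policy CSP pages so the footnotes do not diverge file by file.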
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index f34ee27dd5..00ab26dd22 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - DeviceGuard
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 4ced8ce8ab..f1c54d540a 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -14,9 +14,6 @@ ms.localizationpriority: medium
# Policy CSP - DeviceInstallation
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md
index 08eaddf872..c1e5dd8c30 100644
--- a/windows/client-management/mdm/policy-csp-dmaguard.md
+++ b/windows/client-management/mdm/policy-csp-dmaguard.md
@@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - DmaGuard
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
@@ -76,7 +73,7 @@ manager: dansimp
-This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing.
+This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with [DMA Remapping](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers)/device memory isolation and sandboxing.
Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
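Review bot: While this sentence is being edited to add the DMA Remapping link, hyphenate "DMA-capable" in both places in the "+" line, and in the following paragraph prefer "disallowed I/O" over "unallowed I/O". The link itself is fine, but the sentence would read better with the two concepts separated: "incompatible with DMA Remapping (device memory isolation and sandboxing)", since the slash currently suggests they are alternatives rather than one mechanism.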
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index 825ac41a15..df04232bea 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Education
-description: Policy CSP - Education
+description: Control graphing functionality in the Windows Calculator app.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - Education
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
@@ -52,23 +49,23 @@ manager: dansimp
Home
-
+
8
Pro
-
+
8
Business
-
+
8
Enterprise
-
+
8
Education
-
+
8
@@ -85,7 +82,7 @@ manager: dansimp
-Added in next major release of Windows 10. This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality.
+Added in Windows 10, version 2004. This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality.
ADMX Info:
@@ -283,6 +280,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+- 7 - Added in Windows 10, version 1909.
+- 8 - Added in Windows 10, version 2004.
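Review bot: Footnote 7 (version 1909) is added here, but the only footnote marker visible in this file's edition table is 8; please confirm some setting in the Education page actually carries a 7, otherwise add only the 8 entry to keep the footnote list matching the markers in use.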
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index 644621a01e..8eb0028b4a 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Experience
-description: Policy CSP - Experience
+description: Learn the various Experience policy CSP for Cortana, Sync, Spotlight and more.
ms.author: dansimp
ms.topic: article
ms.prod: w10
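Review bot: The new description has a number agreement problem: "the various Experience policy CSP" should be "the various Experience policy CSP settings" (or "the Experience policy CSP settings for Cortana, Sync, Spotlight, and more").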
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 200fde9087..f61798a6d7 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - Kerberos
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 9263511ddf..6f8eb9a799 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -102,6 +102,9 @@ manager: dansimp
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network security: Allow Local System to use computer identity for NTLM.
+
+When services connect to devices that are running versions of the Windows operating system earlier than Windows Vista or Windows Server 2008, services that run as Local System and use SPNEGO (Negotiate) that revert to NTLM will authenticate anonymously. In Windows Server 2008 R2 and Windows 7 and later, if a service connects to a computer running Windows Server 2008 or Windows Vista, the system service uses the computer identity.
+
+When a service connects with the device identity, signing and encryption are supported to provide data protection. (When a service connects anonymously, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. Anonymous authentication uses a NULL session, which is a session with a server in which no user authentication is performed; and therefore, anonymous access is allowed.)
+
+
+
+GP Info:
+- GP English name: *Network security: Allow Local System to use computer identity for NTLM*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+Valid values:
+- 0 - Disabled
+- 1 - Enabled (Allow Local System to use computer identity for NTLM.)
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
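Review bot: The new entry lists valid values 0 and 1 but never states which one is the default, while the MinimumSessionSecurityForNTLMSSPBasedClients entry added further down in this same file does include a "Default:" section; please add the default here so an administrator reading the Valid values list knows what an unconfigured device does. The security rationale in the description is good (with the computer identity, signing and encryption can be negotiated; anonymously, the NULL session offers no protection), so it is worth making the default explicit next to it.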
@@ -2385,6 +2458,74 @@ GP Info:
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients**
+
+
+
+
+
Windows Edition
+
Supported?
+
+
+
Home
+
+
+
+
Pro
+
4
+
+
+
Business
+
4
+
+
+
Enterprise
+
4
+
+
+
Education
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network security: Minimum session security for NTLM SSP based (including secure RPC) clients.
+
+This security setting allows a client device to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+- Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
+- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption.
+
+
+
+GP Info:
+- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers**
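Review bot: This entry describes the two options ("Require NTLMv2 session security" and "Require 128-bit encryption") but gives no "Valid values" list, unlike the AllowLocalSystemToUseComputerIdentityForNTLM entry added earlier in this file; an administrator has no way to tell from this text what integer to write to the policy, or how the two requirements combine. Please add the supported values and state which combination each maps to.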
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index aefb521407..b96fcd749d 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Messaging
-description: Policy CSP - Messaging
+description: Enable, and disable, text message back up and restore as well as Messaging Everywhere by using the Policy CSP for messaging.
ms.author: dansimp
ms.topic: article
ms.prod: w10
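Review bot: In the new description, "back up" should be the noun "backup" ("text message backup and restore"), and the commas around "and disable" should go: "Enable and disable text message backup and restore, as well as Messaging Everywhere, by using the Policy CSP for messaging."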
diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md
index 598cad17d2..f896724225 100644
--- a/windows/client-management/mdm/policy-csp-mssecurityguide.md
+++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - MSSecurityGuide
-description: Policy CSP - MSSecurityGuide
+description: See how this ADMX-backed policy requires a special SyncML format to enable or disable.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index 3d7afccb49..601cfb8378 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -228,7 +228,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
+Integer value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
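Review bot: Changing "Boolean" to "Integer" in the description should be matched by the value type and supported values lines of this setting, which are not part of the hunk; please check they agree, and state the accepted integers in this sentence (for example, which value means "accept the configured list") so the type change does not leave readers guessing.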
@@ -468,7 +468,7 @@ ADMX Info:
-Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies.
+Integer value that tells the client to accept the configured list of proxies and not try to detect other work proxies.
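Review bot: Same point as for the subnets setting above: once the description says "Integer value", the supported values for this proxy setting should be spelled out in the same section so the reader knows which integers are valid.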
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 8433af94b3..2d4e4b33d0 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Notifications
-description: Policy CSP - Notifications
+description: Block applications from using the network to send tile, badge, toast, and raw notifications for Policy CSP - Notifications.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index e5adaec521..f0f51bdb9f 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Power
-description: Policy CSP - Power
+description: Learn the ins and outs of various Policy CSP - Power settings, including SyncML, for Windows 10.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 959f35a071..1707ca7bfc 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -7,8 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 03/24/2020
-
+ms.date: 04/07/2020
ms.reviewer:
manager: dansimp
---
@@ -16,7 +15,6 @@ manager: dansimp
# Policy CSP - RestrictedGroups
-
@@ -86,7 +84,7 @@ For example, you can create a Restricted Groups policy to allow only specified u
> |----------|----------|----------|----------|
> | 0x55b (Hex) 1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h |
-Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution.
+Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of zero members when applying the policy implies clearing the access group and should be used with caution.
```xml
@@ -145,13 +143,27 @@ Here's an example:
```
where:
- `` contains the local group SID or group name to configure. If an SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``.
-- `` contains the members to add to the group in ``. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (**Note:** This doesn't query Azure AD). For best results, use SID for ``. As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure.
-The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
+- `` contains the members to add to the group in ``. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. For best results, use SID for ``. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
- In this example, `Group1` and `Group2` are local groups on the device being configured.
+> [!Note]
+> Currently, the RestrictedGroups/ConfigureGroupMembership policy does not have a MemberOf functionality. However, you can add a local group as a member to another local group by using the member portion, as shown in the above example.
+### Policy timeline
+
+The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For Windows 10, version 2004, you can use name or SID for both the elements, as described in this topic.
+
+The following table describes how this policy setting behaves in different Windows 10 versions:
+
+| Windows 10 version | Policy behavior |
+| ------------------ | --------------- |
+|Windows 10, version 1803 | Added this policy setting. XML accepts group and member only by name. Supports configuring the administrators group using the group name. Expects member name to be in the account name format. |
+| Windows 10, version 1809 Windows 10, version 1903 Windows 10, version 1909 | Supports configuring any local group. `` accepts only name. `` accepts a name or an SID. This is useful when you want to ensure a certain local group always has a well-known SID as member. |
+| Windows 10, version 2004 | Behaves as described in this topic. Accepts name or SID for group and members and translates as appropriate. |
+
+
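Review bot: The rewritten `<member>` bullet drops the removed note that the LookupAccountSID lookup does not query Azure AD, yet the next sentence still says the member can be a user or group in Azure AD; without the note, a reader may configure an Azure AD member by name and have the lookup fail silently. Please keep a short caveat such as "Name lookup is limited to AD and the local machine; specify Azure AD members by SID." In the Policy timeline table, the cell "Windows 10, version 1809 Windows 10, version 1903 Windows 10, version 1909" runs the three versions together; separate them with commas or a line break.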
@@ -164,5 +176,7 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+- 7 - Added in Windows 10, version 1909.
+- 8 - Added in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index 0a4dcd146d..46499d7701 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - Security
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index a55e6716ff..17a91ff2d8 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - Start
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
@@ -1025,6 +1022,7 @@ To validate on Desktop, do the following:
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
+> * User
> * Device
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 7cb986c7fd..a221c321b1 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - System
-description: Policy CSP - System
+description: Learn policy settings that determines whether users can access the Insider build controls in the advanced options for Windows Update.
ms.author: dansimp
ms.topic: article
ms.prod: w10
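Review bot: Subject-verb agreement in the new description: "policy settings that determines" should be "policy settings that determine".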
diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md
index 8a69418c47..7d502e9af7 100644
--- a/windows/client-management/mdm/policy-csp-taskmanager.md
+++ b/windows/client-management/mdm/policy-csp-taskmanager.md
@@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - TaskManager
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index 7786a5eb5c..79e47c91f8 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -16,10 +16,6 @@ manager: dansimp
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before they are commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
-
@@ -815,19 +811,19 @@ This setting supports a range of values between 0 and 1.
Pro
-
+
8
Business
-
+
8
Enterprise
-
+
8
Education
-
+
8
@@ -848,7 +844,7 @@ This setting supports a range of values between 0 and 1.
> - The policy is only enforced in Windows 10 for desktop.
> - This policy requires reboot to take effect.
-Added in next major release of Windows 10. Allows IT admins to configure Microsoft Japanese IME version in the desktop.
+Added in Windows 10, version 2004. Allows IT admins to configure Microsoft Japanese IME version in the desktop.
@@ -878,19 +874,19 @@ The following list shows the supported values:
Pro
-
+
8
Business
-
+
8
Enterprise
-
+
8
Education
-
+
8
@@ -911,7 +907,7 @@ The following list shows the supported values:
> - This policy is enforced only in Windows 10 for desktop.
> - This policy requires reboot to take effect.
-Added in next major release of Windows 10. Allows IT admins to configure Microsoft Simplified Chinese IME version in the desktop.
+Added in Windows 10, version 2004. Allows IT admins to configure Microsoft Simplified Chinese IME version in the desktop.
@@ -941,19 +937,19 @@ The following list shows the supported values:
Pro
-
+
8
Business
-
+
8
Enterprise
-
+
8
Education
-
+
8
@@ -974,7 +970,7 @@ The following list shows the supported values:
> - This policy is enforced only in Windows 10 for desktop.
> - This policy requires reboot to take effect.
-Added in next major release of Windows 10. Allows IT admins to configure Microsoft Traditional Chinese IME version in the desktop.
+Added in Windows 10, version 2004. Allows IT admins to configure Microsoft Traditional Chinese IME version in the desktop.
@@ -1718,6 +1714,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+- 7 - Added in Windows 10, version 1909.
+- 8 - Added in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 52098ee14c..3942b48f24 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 10/04/2019
+ms.date: 02/10/2020
ms.reviewer:
manager: dansimp
---
@@ -194,6 +194,9 @@ manager: dansimp
@@ -4130,6 +4133,74 @@ The following list shows the supported values:
+
+**Update/TargetReleaseVersion**
+
+
+
+
+
Windows Edition
+
Supported?
+
+
+
Home
+
+
+
+
Pro
+
4
+
+
+
Business
+
4
+
+
+
Enterprise
+
4
+
+
+
Education
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).
+
+
+ADMX Info:
+- GP English name: *Select the target Feature Update version*
+- GP name: *TargetReleaseVersion*
+- GP element: *TargetReleaseVersionId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+Value type is a string containing Windows 10 version number. For example, 1809, 1903.
+
+
+
+
+
+
+
+
+
+
+
**Update/UpdateNotificationLevel**
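Review bot: "Value type is a string containing Windows 10 version number. For example, 1809, 1903." should make the exact format explicit, since the ADMX element is TargetReleaseVersionId and the examples are bare four-character version strings: say that the value is the version number alone (for example "1903"), not "Windows 10, version 1903". The description should also say what happens when the specified version reaches end of service, since the sentence "until they reach end of service or reconfigure the policy" hints at it without stating the resulting behavior. Minor: "device(s)" reads better as "devices".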
@@ -4371,11 +4442,13 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+
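Review bot: The footnote wording here is changed to "Available in Windows 10, version ..." while the Education, RestrictedGroups and TextInput footnote lists in this same change use "Added in Windows 10, version ..."; pick one form across the Policy CSP pages. Also, those other files add an "8 - version 2004" footnote and this list stops at 7; add the 8 entry here if any setting in this file carries that marker.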
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index c485382b9e..ef56c8dd9a 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -53,17 +53,17 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s
- Grant an user right to multiple groups (Administrators, Authenticated Users) via SID
```
- *S-1-5-32-544*S-1-5-11
+ *S-1-5-32-544*S-1-5-11
```
- Grant an user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings
```
- *S-1-5-32-544Authenticated Users
+ *S-1-5-32-544Authenticated Users
```
- Grant an user right to multiple groups (Authenticated Users, Administrators) via strings
```
- Authenticated UsersAdministrators
+ Authenticated UsersAdministrators
```
- Empty input indicates that there are no users configured to have that user right
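Review bot: The "-" and "+" lines in all three code blocks render identically here, so the change to the encoded 0xF000 delimiter is invisible to a reader of the page; the lead sentence should show the delimiter form explicitly (how it is written in the SyncML) so the examples are usable. While touching these lines, "Grant an user right" should be "Grant a user right" in the three bullets.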
@@ -1260,6 +1260,11 @@ GP Info:
- GP English name: *Increase scheduling priority*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+> [!Warning]
+> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.
+>
+> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission.
+
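Review bot: The warning names "Window Manager\Window Manager Group" but the data field examples at the top of this page take SIDs or plain group names with the 0xF000 delimiter, so state the exact string (name or SID form) an administrator must keep in the Increase scheduling priority data field to avoid removing this group; the current wording leaves it to the reader to translate the display name into the policy's input format.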
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index 4db39b31f2..86ea14fd52 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - WindowsDefenderSecurityCenter
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
diff --git a/windows/client-management/mdm/policy-csps-admx-backed.md b/windows/client-management/mdm/policy-csps-admx-backed.md
new file mode 100644
index 0000000000..f79f85154e
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-admx-backed.md
@@ -0,0 +1,421 @@
+---
+title: ADMX-backed policy CSPs
+description: ADMX-backed policy CSPs
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 07/18/2019
+---
+
+# ADMX-backed policy CSPs
+
+> [!div class="op_single_selector"]
+>
+> - [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md)
+> - [ADMX-backed policy-CSPs](policy-csps-admx-backed.md)
+>
+
+- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
+- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
+- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
+- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
+- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup)
+- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts)
+- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux)
+- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver)
+- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions)
+- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions)
+- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload)
+- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode)
+- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal)
+- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser)
+- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1)
+- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2)
+- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
+- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
+- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
+- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl)
+- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
+- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
+- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
+- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot)
+- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval)
+- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries)
+- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode)
+- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache)
+- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist)
+- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist)
+- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation)
+- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism)
+- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms)
+- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
+- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
+- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
+- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
+- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
+- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
+- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
+- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
+- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
+- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
+- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
+- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
+- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
+- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
+- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
+- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
+- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
+- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
+- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting)
+- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification)
+- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata)
+- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay)
+- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior)
+- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog)
+- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog)
+- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog)
+- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
+- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
+- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
+- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
+- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
+- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete)
+- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
+- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
+- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
+- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
+- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
+- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
+- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
+- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist)
+- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode)
+- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate)
+- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate)
+- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate)
+- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate)
+- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate)
+- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry)
+- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist)
+- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid)
+- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites)
+- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate)
+- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate)
+- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate)
+- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
+- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
+- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
+- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
+- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
+- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
+- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
+- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
+- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
+- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
+- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
+- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
+- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
+- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
+- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
+- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
+- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
+- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
+- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
+- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
+- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
+- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode)
+- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange)
+- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange)
+- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
+- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
+- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
+- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
+- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
+- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
+- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains)
+- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites)
+- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths)
+- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript)
+- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads)
+- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites)
+- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles)
+- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows)
+- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols)
+- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets)
+- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie)
+- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript)
+- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence)
+- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer)
+- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols)
+- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing)
+- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode)
+- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver)
+- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions)
+- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions)
+- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
+- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker)
+- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads)
+- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites)
+- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets)
+- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie)
+- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
+- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions)
+- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
+- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads)
+- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets)
+- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie)
+- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions)
+- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets)
+- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions)
+- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions)
+- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets)
+- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions)
+- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions)
+- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions)
+- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses)
+- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses)
+- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
+- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses)
+- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter)
+- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols)
+- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses)
+- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols)
+- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses)
+- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses)
+- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors)
+- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles)
+- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh)
+- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets)
+- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie)
+- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer)
+- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing)
+- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver)
+- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions)
+- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions)
+- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins)
+- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting)
+- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets)
+- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode)
+- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker)
+- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses)
+- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist)
+- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings)
+- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice)
+- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads)
+- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets)
+- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions)
+- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
+- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
+- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor)
+- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring)
+- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation)
+- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize)
+- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes)
+- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers)
+- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel)
+- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel)
+- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon)
+- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver)
+- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server)
+- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection)
+- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications)
+- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication)
+- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery)
+- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin)
+- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
+- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
+- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery)
+- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin)
+- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery)
+- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin)
+- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
+- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
+- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
+- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
+- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
+- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages)
+- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging)
+- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance)
+- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance)
+- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely)
+- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel)
+- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection)
+- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
+- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
+- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
+- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client)
+- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service)
+- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient)
+- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice)
+- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement)
+- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client)
+- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service)
+- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication)
+- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient)
+- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice)
+- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials)
+- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel)
+- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts)
+- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener)
+- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener)
+- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
+- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
+- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess)
+- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers)
+- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout)
+- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory)
+- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
+- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
+- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
+- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
+- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
+- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
+- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
+- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork)
+- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
+- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
+- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
+- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
+- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers)
+- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
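Review bot: the WindowsConnectionManager entry near the end of this list spells the policy `ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork` ("Prohit" rather than "Prohibit") in both the link text and the fragment `#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork`; before changing either, confirm the spelling against the heading in policy-csp-windowsconnectionmanager.md, because the fragment has to match that heading's generated id exactly and the policy node may genuinely carry this spelling, in which case both should stay as written. Separately, the Related topics section links only to `[Policy CSP](policy-configuration-service-provider.md)`, while the same change adds policy-csps-supported-by-group-policy.md with a selector that lists both a "Policy CSPs supported by Group Policy" page and an "ADMX-backed policy CSPs" page; if this list is the ADMX-backed page referenced there, add the reciprocal link under Related topics so readers can move between the two lists from either side.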
diff --git a/windows/client-management/mdm/policy-csps-supported-by-group-policy.md b/windows/client-management/mdm/policy-csps-supported-by-group-policy.md
new file mode 100644
index 0000000000..328dfe2238
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-group-policy.md
@@ -0,0 +1,913 @@
+---
+title: Policy CSPs supported by Group Policy
+description: Policy CSPs supported by Group Policy
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 07/18/2019
+---
+
+# Policy CSPs supported by Group Policy
+
+> [!div class="op_single_selector"]
+>
+> - [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md)
+> - [ADMX-backed policy CSPs](policy-csps-admx-backed.md)
+>
+
+- [AboveLock/AllowCortanaAboveLock](./policy-csp-abovelock.md#abovelock-allowcortanaabovelock)
+- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
+- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
+- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
+- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
+- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup)
+- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts)
+- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux)
+- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver)
+- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions)
+- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions)
+- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload)
+- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode)
+- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal)
+- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser)
+- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1)
+- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2)
+- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
+- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
+- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
+- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl)
+- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
+- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
+- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
+- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot)
+- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval)
+- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries)
+- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode)
+- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache)
+- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist)
+- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist)
+- [ApplicationDefaults/DefaultAssociationsConfiguration](./policy-csp-applicationdefaults.md#applicationdefaults-defaultassociationsconfiguration)
+- [ApplicationDefaults/EnableAppUriHandlers](./policy-csp-applicationdefaults.md#applicationdefaults-enableappurihandlers)
+- [ApplicationManagement/AllowAllTrustedApps](./policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
+- [ApplicationManagement/AllowGameDVR](./policy-csp-applicationmanagement.md#applicationmanagement-allowgamedvr)
+- [ApplicationManagement/AllowSharedUserAppData](./policy-csp-applicationmanagement.md#applicationmanagement-allowshareduserappdata)
+- [ApplicationManagement/DisableStoreOriginatedApps](./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps)
+- [ApplicationManagement/MSIAllowUserControlOverInstall](./policy-csp-applicationmanagement.md#applicationmanagement-msiallowusercontroloverinstall)
+- [ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges](./policy-csp-applicationmanagement.md#applicationmanagement-msialwaysinstallwithelevatedprivileges)
+- [ApplicationManagement/RequirePrivateStoreOnly](./policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly)
+- [ApplicationManagement/RestrictAppDataToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictappdatatosystemvolume)
+- [ApplicationManagement/RestrictAppToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictapptosystemvolume)
+- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation)
+- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism)
+- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms)
+- [Authentication/AllowSecondaryAuthenticationDevice](./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice)
+- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
+- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
+- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
+- [BITS/BandwidthThrottlingEndTime](./policy-csp-bits.md#bits-bandwidththrottlingendtime)
+- [BITS/BandwidthThrottlingStartTime](./policy-csp-bits.md#bits-bandwidththrottlingstarttime)
+- [BITS/BandwidthThrottlingTransferRate](./policy-csp-bits.md#bits-bandwidththrottlingtransferrate)
+- [BITS/CostedNetworkBehaviorBackgroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorbackgroundpriority)
+- [BITS/CostedNetworkBehaviorForegroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorforegroundpriority)
+- [BITS/JobInactivityTimeout](./policy-csp-bits.md#bits-jobinactivitytimeout)
+- [Browser/AllowAddressBarDropdown](./policy-csp-browser.md#browser-allowaddressbardropdown)
+- [Browser/AllowAutofill](./policy-csp-browser.md#browser-allowautofill)
+- [Browser/AllowCookies](./policy-csp-browser.md#browser-allowcookies)
+- [Browser/AllowDeveloperTools](./policy-csp-browser.md#browser-allowdevelopertools)
+- [Browser/AllowDoNotTrack](./policy-csp-browser.md#browser-allowdonottrack)
+- [Browser/AllowExtensions](./policy-csp-browser.md#browser-allowextensions)
+- [Browser/AllowFlash](./policy-csp-browser.md#browser-allowflash)
+- [Browser/AllowFlashClickToRun](./policy-csp-browser.md#browser-allowflashclicktorun)
+- [Browser/AllowFullScreenMode](./policy-csp-browser.md#browser-allowfullscreenmode)
+- [Browser/AllowInPrivate](./policy-csp-browser.md#browser-allowinprivate)
+- [Browser/AllowMicrosoftCompatibilityList](./policy-csp-browser.md#browser-allowmicrosoftcompatibilitylist)
+- [Browser/AllowPasswordManager](./policy-csp-browser.md#browser-allowpasswordmanager)
+- [Browser/AllowPopups](./policy-csp-browser.md#browser-allowpopups)
+- [Browser/AllowPrelaunch](./policy-csp-browser.md#browser-allowprelaunch)
+- [Browser/AllowPrinting](./policy-csp-browser.md#browser-allowprinting)
+- [Browser/AllowSavingHistory](./policy-csp-browser.md#browser-allowsavinghistory)
+- [Browser/AllowSearchEngineCustomization](./policy-csp-browser.md#browser-allowsearchenginecustomization)
+- [Browser/AllowSearchSuggestionsinAddressBar](./policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSideloadingOfExtensions](./policy-csp-browser.md#browser-allowsideloadingofextensions)
+- [Browser/AllowSmartScreen](./policy-csp-browser.md#browser-allowsmartscreen)
+- [Browser/AllowTabPreloading](./policy-csp-browser.md#browser-allowtabpreloading)
+- [Browser/AllowWebContentOnNewTabPage](./policy-csp-browser.md#browser-allowwebcontentonnewtabpage)
+- [Browser/AlwaysEnableBooksLibrary](./policy-csp-browser.md#browser-alwaysenablebookslibrary)
+- [Browser/ClearBrowsingDataOnExit](./policy-csp-browser.md#browser-clearbrowsingdataonexit)
+- [Browser/ConfigureAdditionalSearchEngines](./policy-csp-browser.md#browser-configureadditionalsearchengines)
+- [Browser/ConfigureFavoritesBar](./policy-csp-browser.md#browser-configurefavoritesbar)
+- [Browser/ConfigureHomeButton](./policy-csp-browser.md#browser-configurehomebutton)
+- [Browser/ConfigureKioskMode](./policy-csp-browser.md#browser-configurekioskmode)
+- [Browser/ConfigureKioskResetAfterIdleTimeout](./policy-csp-browser.md#browser-configurekioskresetafteridletimeout)
+- [Browser/ConfigureOpenMicrosoftEdgeWith](./policy-csp-browser.md#browser-configureopenmicrosoftedgewith)
+- [Browser/ConfigureTelemetryForMicrosoft365Analytics](./policy-csp-browser.md#browser-configuretelemetryformicrosoft365analytics)
+- [Browser/DisableLockdownOfStartPages](./policy-csp-browser.md#browser-disablelockdownofstartpages)
+- [Browser/EnableExtendedBooksTelemetry](./policy-csp-browser.md#browser-enableextendedbookstelemetry)
+- [Browser/EnterpriseModeSiteList](./policy-csp-browser.md#browser-enterprisemodesitelist)
+- [Browser/HomePages](./policy-csp-browser.md#browser-homepages)
+- [Browser/LockdownFavorites](./policy-csp-browser.md#browser-lockdownfavorites)
+- [Browser/PreventAccessToAboutFlagsInMicrosoftEdge](./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge)
+- [Browser/PreventCertErrorOverrides](./policy-csp-browser.md#browser-preventcerterroroverrides)
+- [Browser/PreventFirstRunPage](./policy-csp-browser.md#browser-preventfirstrunpage)
+- [Browser/PreventLiveTileDataCollection](./policy-csp-browser.md#browser-preventlivetiledatacollection)
+- [Browser/PreventSmartScreenPromptOverride](./policy-csp-browser.md#browser-preventsmartscreenpromptoverride)
+- [Browser/PreventSmartScreenPromptOverrideForFiles](./policy-csp-browser.md#browser-preventsmartscreenpromptoverrideforfiles)
+- [Browser/PreventUsingLocalHostIPAddressForWebRTC](./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc)
+- [Browser/ProvisionFavorites](./policy-csp-browser.md#browser-provisionfavorites)
+- [Browser/SendIntranetTraffictoInternetExplorer](./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer)
+- [Browser/SetDefaultSearchEngine](./policy-csp-browser.md#browser-setdefaultsearchengine)
+- [Browser/SetHomeButtonURL](./policy-csp-browser.md#browser-sethomebuttonurl)
+- [Browser/SetNewTabPageURL](./policy-csp-browser.md#browser-setnewtabpageurl)
+- [Browser/ShowMessageWhenOpeningSitesInInternetExplorer](./policy-csp-browser.md#browser-showmessagewhenopeningsitesininternetexplorer)
+- [Browser/SyncFavoritesBetweenIEAndMicrosoftEdge](./policy-csp-browser.md#browser-syncfavoritesbetweenieandmicrosoftedge)
+- [Browser/UnlockHomeButton](./policy-csp-browser.md#browser-unlockhomebutton)
+- [Browser/UseSharedFolderForBooks](./policy-csp-browser.md#browser-usesharedfolderforbooks)
+- [Camera/AllowCamera](./policy-csp-camera.md#camera-allowcamera)
+- [Cellular/LetAppsAccessCellularData](./policy-csp-cellular.md#cellular-letappsaccesscellulardata)
+- [Cellular/LetAppsAccessCellularData_ForceAllowTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forceallowtheseapps)
+- [Cellular/LetAppsAccessCellularData_ForceDenyTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forcedenytheseapps)
+- [Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-userincontroloftheseapps)
+- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [Connectivity/AllowCellularDataRoaming](./policy-csp-connectivity.md#connectivity-allowcellulardataroaming)
+- [Connectivity/AllowPhonePCLinking](./policy-csp-connectivity.md#connectivity-allowphonepclinking)
+- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
+- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
+- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
+- [Connectivity/DisallowNetworkConnectivityActiveTests](./policy-csp-connectivity.md#connectivity-disallownetworkconnectivityactivetests)
+- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
+- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
+- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
+- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
+- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
+- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
+- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
+- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
+- [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning)
+- [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring)
+- [Defender/AllowCloudProtection](./policy-csp-defender.md#defender-allowcloudprotection)
+- [Defender/AllowEmailScanning](./policy-csp-defender.md#defender-allowemailscanning)
+- [Defender/AllowFullScanOnMappedNetworkDrives](./policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
+- [Defender/AllowFullScanRemovableDriveScanning](./policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
+- [Defender/AllowIOAVProtection](./policy-csp-defender.md#defender-allowioavprotection)
+- [Defender/AllowOnAccessProtection](./policy-csp-defender.md#defender-allowonaccessprotection)
+- [Defender/AllowRealtimeMonitoring](./policy-csp-defender.md#defender-allowrealtimemonitoring)
+- [Defender/AllowScanningNetworkFiles](./policy-csp-defender.md#defender-allowscanningnetworkfiles)
+- [Defender/AllowUserUIAccess](./policy-csp-defender.md#defender-allowuseruiaccess)
+- [Defender/AttackSurfaceReductionOnlyExclusions](./policy-csp-defender.md#defender-attacksurfacereductiononlyexclusions)
+- [Defender/AttackSurfaceReductionRules](./policy-csp-defender.md#defender-attacksurfacereductionrules)
+- [Defender/AvgCPULoadFactor](./policy-csp-defender.md#defender-avgcpuloadfactor)
+- [Defender/CheckForSignaturesBeforeRunningScan](./policy-csp-defender.md#defender-checkforsignaturesbeforerunningscan)
+- [Defender/CloudBlockLevel](./policy-csp-defender.md#defender-cloudblocklevel)
+- [Defender/CloudExtendedTimeout](./policy-csp-defender.md#defender-cloudextendedtimeout)
+- [Defender/ControlledFolderAccessAllowedApplications](./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications)
+- [Defender/ControlledFolderAccessProtectedFolders](./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders)
+- [Defender/DaysToRetainCleanedMalware](./policy-csp-defender.md#defender-daystoretaincleanedmalware)
+- [Defender/DisableCatchupFullScan](./policy-csp-defender.md#defender-disablecatchupfullscan)
+- [Defender/DisableCatchupQuickScan](./policy-csp-defender.md#defender-disablecatchupquickscan)
+- [Defender/EnableControlledFolderAccess](./policy-csp-defender.md#defender-enablecontrolledfolderaccess)
+- [Defender/EnableLowCPUPriority](./policy-csp-defender.md#defender-enablelowcpupriority)
+- [Defender/EnableNetworkProtection](./policy-csp-defender.md#defender-enablenetworkprotection)
+- [Defender/ExcludedExtensions](./policy-csp-defender.md#defender-excludedextensions)
+- [Defender/ExcludedPaths](./policy-csp-defender.md#defender-excludedpaths)
+- [Defender/ExcludedProcesses](./policy-csp-defender.md#defender-excludedprocesses)
+- [Defender/RealTimeScanDirection](./policy-csp-defender.md#defender-realtimescandirection)
+- [Defender/ScanParameter](./policy-csp-defender.md#defender-scanparameter)
+- [Defender/ScheduleQuickScanTime](./policy-csp-defender.md#defender-schedulequickscantime)
+- [Defender/ScheduleScanDay](./policy-csp-defender.md#defender-schedulescanday)
+- [Defender/ScheduleScanTime](./policy-csp-defender.md#defender-schedulescantime)
+- [Defender/SignatureUpdateFallbackOrder](./policy-csp-defender.md#defender-signatureupdatefallbackorder)
+- [Defender/SignatureUpdateFileSharesSources](./policy-csp-defender.md#defender-signatureupdatefilesharessources)
+- [Defender/SignatureUpdateInterval](./policy-csp-defender.md#defender-signatureupdateinterval)
+- [Defender/SubmitSamplesConsent](./policy-csp-defender.md#defender-submitsamplesconsent)
+- [Defender/ThreatSeverityDefaultAction](./policy-csp-defender.md#defender-threatseveritydefaultaction)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](./policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DOCacheHost](./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
+- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayCacheServerFallbackBackground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
+- [DeliveryOptimization/DODelayCacheServerFallbackForeground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
+- [DeliveryOptimization/DODownloadMode](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOGroupIdSource](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
+- [DeliveryOptimization/DOMaxCacheAge](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
+- [DeliveryOptimization/DOMinBackgroundQos](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](./policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](./policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
+- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
+- [DeliveryOptimization/DORestrictPeerSelectionBy](./policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
+- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [DeviceGuard/ConfigureSystemGuardLaunch](./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch)
+- [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity)
+- [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags)
+- [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
+- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
+- [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage)
+- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
+- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
+- [Display/DisablePerProcessDpiForApps](./policy-csp-display.md#display-disableperprocessdpiforapps)
+- [Display/EnablePerProcessDpi](./policy-csp-display.md#display-enableperprocessdpi)
+- [Display/EnablePerProcessDpiForApps](./policy-csp-display.md#display-enableperprocessdpiforapps)
+- [Display/TurnOffGdiDPIScalingForApps](./policy-csp-display.md#display-turnoffgdidpiscalingforapps)
+- [Display/TurnOnGdiDPIScalingForApps](./policy-csp-display.md#display-turnongdidpiscalingforapps)
+- [DmaGuard/DeviceEnumerationPolicy](./policy-csp-dmaguard.md#dmaguard-deviceenumerationpolicy)
+- [Education/PreventAddingNewPrinters](./policy-csp-education.md#education-preventaddingnewprinters)
+- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
+- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting)
+- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification)
+- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata)
+- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay)
+- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior)
+- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog)
+- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog)
+- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog)
+- [Experience/AllowClipboardHistory](./policy-csp-experience.md#experience-allowclipboardhistory)
+- [Experience/AllowCortana](./policy-csp-experience.md#experience-allowcortana)
+- [Experience/AllowFindMyDevice](./policy-csp-experience.md#experience-allowfindmydevice)
+- [Experience/AllowTailoredExperiencesWithDiagnosticData](./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata)
+- [Experience/AllowThirdPartySuggestionsInWindowsSpotlight](./policy-csp-experience.md#experience-allowthirdpartysuggestionsinwindowsspotlight)
+- [Experience/AllowWindowsConsumerFeatures](./policy-csp-experience.md#experience-allowwindowsconsumerfeatures)
+- [Experience/AllowWindowsSpotlight](./policy-csp-experience.md#experience-allowwindowsspotlight)
+- [Experience/AllowWindowsSpotlightOnActionCenter](./policy-csp-experience.md#experience-allowwindowsspotlightonactioncenter)
+- [Experience/AllowWindowsSpotlightOnSettings](./policy-csp-experience.md#experience-allowwindowsspotlightonsettings)
+- [Experience/AllowWindowsSpotlightWindowsWelcomeExperience](./policy-csp-experience.md#experience-allowwindowsspotlightwindowswelcomeexperience)
+- [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips)
+- [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen)
+- [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications)
+- [Experience/DoNotSyncBrowserSettings](./policy-csp-experience.md#experience-donotsyncbrowsersetting)
+- [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing)
+- [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
+- [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings)
+- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
+- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
+- [Handwriting/PanelDefaultModeDocked](./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked)
+- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
+- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
+- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
+- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete)
+- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
+- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
+- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
+- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
+- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
+- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
+- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
+- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist)
+- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode)
+- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate)
+- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate)
+- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate)
+- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate)
+- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate)
+- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry)
+- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist)
+- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid)
+- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites)
+- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate)
+- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate)
+- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate)
+- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
+- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
+- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
+- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
+- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
+- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
+- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
+- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
+- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
+- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
+- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
+- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
+- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
+- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
+- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
+- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
+- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
+- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
+- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
+- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
+- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
+- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode)
+- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange)
+- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange)
+- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
+- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
+- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
+- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
+- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
+- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
+- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains)
+- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites)
+- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths)
+- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript)
+- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads)
+- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites)
+- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles)
+- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows)
+- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols)
+- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets)
+- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie)
+- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript)
+- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence)
+- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer)
+- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols)
+- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing)
+- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode)
+- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver)
+- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions)
+- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions)
+- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
+- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker)
+- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads)
+- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites)
+- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets)
+- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie)
+- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
+- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions)
+- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
+- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads)
+- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets)
+- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie)
+- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions)
+- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets)
+- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions)
+- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions)
+- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets)
+- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions)
+- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions)
+- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions)
+- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses)
+- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses)
+- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
+- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses)
+- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter)
+- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols)
+- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses)
+- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols)
+- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses)
+- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses)
+- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors)
+- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles)
+- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh)
+- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets)
+- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie)
+- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer)
+- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing)
+- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver)
+- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions)
+- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions)
+- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins)
+- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting)
+- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets)
+- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode)
+- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker)
+- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses)
+- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist)
+- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings)
+- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice)
+- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads)
+- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets)
+- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions)
+- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
+- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
+- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor)
+- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring)
+- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation)
+- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize)
+- [LanmanWorkstation/EnableInsecureGuestLogons](./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons)
+- [Licensing/AllowWindowsEntitlementReactivation](./policy-csp-licensing.md#licensing-allowwindowsentitlementreactivation)
+- [Licensing/DisallowKMSClientOnlineAVSValidation](./policy-csp-licensing.md#licensing-disallowkmsclientonlineavsvalidation)
+- [LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts)
+- [LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly)
+- [LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount)
+- [LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount)
+- [LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowundockwithouthavingtologon)
+- [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia)
+- [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters)
+- [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly)
+- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways)
+- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible)
+- [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees)
+- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts)
+- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares)
+- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares)
+- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-incomingntlmtraffic)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers)
+- [LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon)
+- [LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile)
+- [LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation)
+- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators)
+- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers)
+- [LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-detectapplicationinstallationsandpromptforelevation)
+- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated)
+- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations)
+- [LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode)
+- [LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation)
+- [LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-useadminapprovalmode)
+- [LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations)
+- [LockDown/AllowEdgeSwipe](./policy-csp-lockdown.md#lockdown-allowedgeswipe)
+- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes)
+- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers)
+- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel)
+- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel)
+- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon)
+- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver)
+- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server)
+- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection)
+- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications)
+- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication)
+- [Maps/EnableOfflineMapsAutoUpdate](./policy-csp-maps.md#maps-enableofflinemapsautoupdate)
+- [Messaging/AllowMessageSync](./policy-csp-messaging.md#messaging-allowmessagesync)
+- [NetworkIsolation/EnterpriseCloudResources](./policy-csp-networkisolation.md#networkisolation-enterprisecloudresources)
+- [NetworkIsolation/EnterpriseIPRange](./policy-csp-networkisolation.md#networkisolation-enterpriseiprange)
+- [NetworkIsolation/EnterpriseIPRangesAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseiprangesareauthoritative)
+- [NetworkIsolation/EnterpriseInternalProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseinternalproxyservers)
+- [NetworkIsolation/EnterpriseProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyservers)
+- [NetworkIsolation/EnterpriseProxyServersAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyserversareauthoritative)
+- [NetworkIsolation/NeutralResources](./policy-csp-networkisolation.md#networkisolation-neutralresources)
+- [Notifications/DisallowCloudNotification](./policy-csp-notifications.md#notifications-disallowcloudnotification)
+- [Notifications/DisallowNotificationMirroring](./policy-csp-notifications.md#notifications-disallownotificationmirroring)
+- [Notifications/DisallowTileNotification](./policy-csp-notifications.md#notifications-disallowtilenotification)
+- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery)
+- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin)
+- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
+- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
+- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery)
+- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
+- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery)
+- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin)
+- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery)
+- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin)
+- [Power/SelectLidCloseActionOnBattery](./policy-csp-power.md#power-selectlidcloseactiononbattery)
+- [Power/SelectLidCloseActionPluggedIn](./policy-csp-power.md#power-selectlidcloseactionpluggedin)
+- [Power/SelectPowerButtonActionOnBattery](./policy-csp-power.md#power-selectpowerbuttonactiononbattery)
+- [Power/SelectPowerButtonActionPluggedIn](./policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
+- [Power/SelectSleepButtonActionOnBattery](./policy-csp-power.md#power-selectsleepbuttonactiononbattery)
+- [Power/SelectSleepButtonActionPluggedIn](./policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
+- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
+- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
+- [Power/TurnOffHybridSleepOnBattery](./policy-csp-power.md#power-turnoffhybridsleeponbattery)
+- [Power/TurnOffHybridSleepPluggedIn](./policy-csp-power.md#power-turnoffhybridsleeppluggedin)
+- [Power/UnattendedSleepTimeoutOnBattery](./policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
+- [Power/UnattendedSleepTimeoutPluggedIn](./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
+- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
+- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
+- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
+- [Privacy/AllowCrossDeviceClipboard](./policy-csp-privacy.md#privacy-allowcrossdeviceclipboard)
+- [Privacy/AllowInputPersonalization](./policy-csp-privacy.md#privacy-allowinputpersonalization)
+- [Privacy/DisableAdvertisingId](./policy-csp-privacy.md#privacy-disableadvertisingid)
+- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#privacy-disableprivacyexperience)
+- [Privacy/EnableActivityFeed](./policy-csp-privacy.md#privacy-enableactivityfeed)
+- [Privacy/LetAppsAccessAccountInfo](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
+- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
+- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps)
+- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCalendar](./policy-csp-privacy.md#privacy-letappsaccesscalendar)
+- [Privacy/LetAppsAccessCalendar_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forceallowtheseapps)
+- [Privacy/LetAppsAccessCalendar_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forcedenytheseapps)
+- [Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCallHistory](./policy-csp-privacy.md#privacy-letappsaccesscallhistory)
+- [Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forceallowtheseapps)
+- [Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forcedenytheseapps)
+- [Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCamera](./policy-csp-privacy.md#privacy-letappsaccesscamera)
+- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps)
+- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps)
+- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps)
+- [Privacy/LetAppsAccessContacts](./policy-csp-privacy.md#privacy-letappsaccesscontacts)
+- [Privacy/LetAppsAccessContacts_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forceallowtheseapps)
+- [Privacy/LetAppsAccessContacts_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forcedenytheseapps)
+- [Privacy/LetAppsAccessContacts_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-userincontroloftheseapps)
+- [Privacy/LetAppsAccessEmail](./policy-csp-privacy.md#privacy-letappsaccessemail)
+- [Privacy/LetAppsAccessEmail_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forceallowtheseapps)
+- [Privacy/LetAppsAccessEmail_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forcedenytheseapps)
+- [Privacy/LetAppsAccessEmail_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-userincontroloftheseapps)
+- [Privacy/LetAppsAccessLocation](./policy-csp-privacy.md#privacy-letappsaccesslocation)
+- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forceallowtheseapps)
+- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forcedenytheseapps)
+- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-userincontroloftheseapps)
+- [Privacy/LetAppsAccessMessaging](./policy-csp-privacy.md#privacy-letappsaccessmessaging)
+- [Privacy/LetAppsAccessMessaging_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forceallowtheseapps)
+- [Privacy/LetAppsAccessMessaging_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forcedenytheseapps)
+- [Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-userincontroloftheseapps)
+- [Privacy/LetAppsAccessMicrophone](./policy-csp-privacy.md#privacy-letappsaccessmicrophone)
+- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps)
+- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps)
+- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps)
+- [Privacy/LetAppsAccessMotion](./policy-csp-privacy.md#privacy-letappsaccessmotion)
+- [Privacy/LetAppsAccessMotion_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forceallowtheseapps)
+- [Privacy/LetAppsAccessMotion_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forcedenytheseapps)
+- [Privacy/LetAppsAccessMotion_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-userincontroloftheseapps)
+- [Privacy/LetAppsAccessNotifications](./policy-csp-privacy.md#privacy-letappsaccessnotifications)
+- [Privacy/LetAppsAccessNotifications_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forceallowtheseapps)
+- [Privacy/LetAppsAccessNotifications_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forcedenytheseapps)
+- [Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-userincontroloftheseapps)
+- [Privacy/LetAppsAccessPhone](./policy-csp-privacy.md#privacy-letappsaccessphone)
+- [Privacy/LetAppsAccessPhone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forceallowtheseapps)
+- [Privacy/LetAppsAccessPhone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forcedenytheseapps)
+- [Privacy/LetAppsAccessPhone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-userincontroloftheseapps)
+- [Privacy/LetAppsAccessRadios](./policy-csp-privacy.md#privacy-letappsaccessradios)
+- [Privacy/LetAppsAccessRadios_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forceallowtheseapps)
+- [Privacy/LetAppsAccessRadios_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forcedenytheseapps)
+- [Privacy/LetAppsAccessRadios_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-userincontroloftheseapps)
+- [Privacy/LetAppsAccessTasks](./policy-csp-privacy.md#privacy-letappsaccesstasks)
+- [Privacy/LetAppsAccessTasks_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forceallowtheseapps)
+- [Privacy/LetAppsAccessTasks_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forcedenytheseapps)
+- [Privacy/LetAppsAccessTasks_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-userincontroloftheseapps)
+- [Privacy/LetAppsAccessTrustedDevices](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices)
+- [Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forceallowtheseapps)
+- [Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forcedenytheseapps)
+- [Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-userincontroloftheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
+- [Privacy/LetAppsRunInBackground](./policy-csp-privacy.md#privacy-letappsruninbackground)
+- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forceallowtheseapps)
+- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forcedenytheseapps)
+- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-userincontroloftheseapps)
+- [Privacy/LetAppsSyncWithDevices](./policy-csp-privacy.md#privacy-letappssyncwithdevices)
+- [Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forceallowtheseapps)
+- [Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forcedenytheseapps)
+- [Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-userincontroloftheseapps)
+- [Privacy/PublishUserActivities](./policy-csp-privacy.md#privacy-publishuseractivities)
+- [Privacy/UploadUserActivities](./policy-csp-privacy.md#privacy-uploaduseractivities)
+- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages)
+- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging)
+- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance)
+- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance)
+- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely)
+- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel)
+- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection)
+- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
+- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
+- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
+- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client)
+- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service)
+- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient)
+- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice)
+- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement)
+- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client)
+- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service)
+- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication)
+- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient)
+- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice)
+- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials)
+- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel)
+- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts)
+- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener)
+- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener)
+- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
+- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
+- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess)
+- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers)
+- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout)
+- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory)
+- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
+- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
+- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
+- [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch)
+- [Search/AllowCortanaInAAD](./policy-csp-search.md#search-allowcortanainaad)
+- [Search/AllowFindMyFiles](./policy-csp-search.md#search-allowfindmyfiles)
+- [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems)
+- [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation)
+- [Search/AllowUsingDiacritics](./policy-csp-search.md#search-allowusingdiacritics)
+- [Search/AlwaysUseAutoLangDetection](./policy-csp-search.md#search-alwaysuseautolangdetection)
+- [Search/DisableBackoff](./policy-csp-search.md#search-disablebackoff)
+- [Search/DisableRemovableDriveIndexing](./policy-csp-search.md#search-disableremovabledriveindexing)
+- [Search/DoNotUseWebResults](./policy-csp-search.md#search-donotusewebresults)
+- [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb)
+- [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries)
+- [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready)
+- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
+- [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips)
+- [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar)
+- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist)
+- [SmartScreen/EnableAppInstallControl](./policy-csp-smartscreen.md#smartscreen-enableappinstallcontrol)
+- [SmartScreen/EnableSmartScreenInShell](./policy-csp-smartscreen.md#smartscreen-enablesmartscreeninshell)
+- [SmartScreen/PreventOverrideForFilesInShell](./policy-csp-smartscreen.md#smartscreen-preventoverrideforfilesinshell)
+- [Speech/AllowSpeechModelUpdate](./policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [Start/DisableContextMenus](./policy-csp-start.md#start-disablecontextmenus)
+- [Start/HidePeopleBar](./policy-csp-start.md#start-hidepeoplebar)
+- [Start/HideRecentlyAddedApps](./policy-csp-start.md#start-hiderecentlyaddedapps)
+- [Start/StartLayout](./policy-csp-start.md#start-startlayout)
+- [Storage/AllowDiskHealthModelUpdates](./policy-csp-storage.md#storage-allowdiskhealthmodelupdates)
+- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
+- [System/AllowBuildPreview](./policy-csp-system.md#system-allowbuildpreview)
+- [System/AllowCommercialDataPipeline](./policy-csp-system.md#system-allowcommercialdatapipeline)
+- [System/AllowDeviceNameInDiagnosticData](./policy-csp-system.md#system-allowdevicenameindiagnosticdata)
+- [System/AllowFontProviders](./policy-csp-system.md#system-allowfontproviders)
+- [System/AllowLocation](./policy-csp-system.md#system-allowlocation)
+- [System/AllowTelemetry](./policy-csp-system.md#system-allowtelemetry)
+- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
+- [System/ConfigureMicrosoft365UploadEndpoint](./policy-csp-system.md#system-configuremicrosoft365uploadendpoint)
+- [System/ConfigureTelemetryOptInChangeNotification](./policy-csp-system.md#system-configuretelemetryoptinchangenotification)
+- [System/ConfigureTelemetryOptInSettingsUx](./policy-csp-system.md#system-configuretelemetryoptinsettingsux)
+- [System/DisableDeviceDelete](./policy-csp-system.md#system-disabledevicedelete)
+- [System/DisableDiagnosticDataViewer](./policy-csp-system.md#system-disablediagnosticdataviewer)
+- [System/DisableEnterpriseAuthProxy](./policy-csp-system.md#system-disableenterpriseauthproxy)
+- [System/DisableOneDriveFileSync](./policy-csp-system.md#system-disableonedrivefilesync)
+- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
+- [System/LimitEnhancedDiagnosticDataWindowsAnalytics](./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics)
+- [System/TelemetryProxy](./policy-csp-system.md#system-telemetryproxy)
+- [System/TurnOffFileHistory](./policy-csp-system.md#system-turnofffilehistory)
+- [SystemServices/ConfigureHomeGroupListenerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegrouplistenerservicestartupmode)
+- [SystemServices/ConfigureHomeGroupProviderServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegroupproviderservicestartupmode)
+- [SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxaccessorymanagementservicestartupmode)
+- [SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxliveauthmanagerservicestartupmode)
+- [SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivegamesaveservicestartupmode)
+- [SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivenetworkingservicestartupmode)
+- [TextInput/AllowLanguageFeaturesUninstall](./policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall)
+- [TextInput/AllowLinguisticDataCollection](./policy-csp-textinput.md#textinput-allowlinguisticdatacollection)
+- [Troubleshooting/AllowRecommendations](./policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
+- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend)
+- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange)
+- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart)
+- [Update/AllowAutoUpdate](./policy-csp-update.md#update-allowautoupdate)
+- [Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork](./policy-csp-update.md#update-allowautowindowsupdatedownloadovermeterednetwork)
+- [Update/AllowMUUpdateService](./policy-csp-update.md#update-allowmuupdateservice)
+- [Update/AllowUpdateService](./policy-csp-update.md#update-allowupdateservice)
+- [Update/AutoRestartDeadlinePeriodInDays](./policy-csp-update.md#update-autorestartdeadlineperiodindays)
+- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates)
+- [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule)
+- [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal)
+- [Update/AutomaticMaintenanceWakeUp](./policy-csp-update.md#update-automaticmaintenancewakeup)
+- [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel)
+- [Update/ConfigureDeadlineForFeatureUpdates](./policy-csp-update.md#update-configuredeadlineforfeatureupdates)
+- [Update/ConfigureDeadlineForQualityUpdates](./policy-csp-update.md#update-configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](./policy-csp-update.md#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineNoAutoReboot](./policy-csp-update.md#update-configuredeadlinenoautoreboot)
+- [Update/DeferFeatureUpdatesPeriodInDays](./policy-csp-update.md#update-deferfeatureupdatesperiodindays)
+- [Update/DeferQualityUpdatesPeriodInDays](./policy-csp-update.md#update-deferqualityupdatesperiodindays)
+- [Update/DeferUpdatePeriod](./policy-csp-update.md#update-deferupdateperiod)
+- [Update/DeferUpgradePeriod](./policy-csp-update.md#update-deferupgradeperiod)
+- [Update/DetectionFrequency](./policy-csp-update.md#update-detectionfrequency)
+- [Update/DisableDualScan](./policy-csp-update.md#update-disabledualscan)
+- [Update/EngagedRestartDeadline](./policy-csp-update.md#update-engagedrestartdeadline)
+- [Update/EngagedRestartDeadlineForFeatureUpdates](./policy-csp-update.md#update-engagedrestartdeadlineforfeatureupdates)
+- [Update/EngagedRestartSnoozeSchedule](./policy-csp-update.md#update-engagedrestartsnoozeschedule)
+- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestartsnoozescheduleforfeatureupdates)
+- [Update/EngagedRestartTransitionSchedule](./policy-csp-update.md#update-engagedrestarttransitionschedule)
+- [Update/EngagedRestartTransitionScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestarttransitionscheduleforfeatureupdates)
+- [Update/ExcludeWUDriversInQualityUpdate](./policy-csp-update.md#update-excludewudriversinqualityupdate)
+- [Update/FillEmptyContentUrls](./policy-csp-update.md#update-fillemptycontenturls)
+- [Update/ManagePreviewBuilds](./policy-csp-update.md#update-managepreviewbuilds)
+- [Update/PauseDeferrals](./policy-csp-update.md#update-pausedeferrals)
+- [Update/PauseFeatureUpdates](./policy-csp-update.md#update-pausefeatureupdates)
+- [Update/PauseFeatureUpdatesStartTime](./policy-csp-update.md#update-pausefeatureupdatesstarttime)
+- [Update/PauseQualityUpdates](./policy-csp-update.md#update-pausequalityupdates)
+- [Update/PauseQualityUpdatesStartTime](./policy-csp-update.md#update-pausequalityupdatesstarttime)
+- [Update/RequireDeferUpgrade](./policy-csp-update.md#update-requiredeferupgrade)
+- [Update/ScheduleImminentRestartWarning](./policy-csp-update.md#update-scheduleimminentrestartwarning)
+- [Update/ScheduleRestartWarning](./policy-csp-update.md#update-schedulerestartwarning)
+- [Update/ScheduledInstallDay](./policy-csp-update.md#update-scheduledinstallday)
+- [Update/ScheduledInstallEveryWeek](./policy-csp-update.md#update-scheduledinstalleveryweek)
+- [Update/ScheduledInstallFirstWeek](./policy-csp-update.md#update-scheduledinstallfirstweek)
+- [Update/ScheduledInstallFourthWeek](./policy-csp-update.md#update-scheduledinstallfourthweek)
+- [Update/ScheduledInstallSecondWeek](./policy-csp-update.md#update-scheduledinstallsecondweek)
+- [Update/ScheduledInstallThirdWeek](./policy-csp-update.md#update-scheduledinstallthirdweek)
+- [Update/ScheduledInstallTime](./policy-csp-update.md#update-scheduledinstalltime)
+- [Update/SetAutoRestartNotificationDisable](./policy-csp-update.md#update-setautorestartnotificationdisable)
+- [Update/SetDisablePauseUXAccess](./policy-csp-update.md#update-setdisablepauseuxaccess)
+- [Update/SetDisableUXWUAccess](./policy-csp-update.md#update-setdisableuxwuaccess)
+- [Update/SetEDURestart](./policy-csp-update.md#update-setedurestart)
+- [Update/UpdateNotificationLevel](./policy-csp-update.md#update-updatenotificationlevel)
+- [Update/UpdateServiceUrl](./policy-csp-update.md#update-updateserviceurl)
+- [Update/UpdateServiceUrlAlternate](./policy-csp-update.md#update-updateserviceurlalternate)
+- [UserRights/AccessCredentialManagerAsTrustedCaller](./policy-csp-userrights.md#userrights-accesscredentialmanagerastrustedcaller)
+- [UserRights/AccessFromNetwork](./policy-csp-userrights.md#userrights-accessfromnetwork)
+- [UserRights/ActAsPartOfTheOperatingSystem](./policy-csp-userrights.md#userrights-actaspartoftheoperatingsystem)
+- [UserRights/AllowLocalLogOn](./policy-csp-userrights.md#userrights-allowlocallogon)
+- [UserRights/BackupFilesAndDirectories](./policy-csp-userrights.md#userrights-backupfilesanddirectories)
+- [UserRights/ChangeSystemTime](./policy-csp-userrights.md#userrights-changesystemtime)
+- [UserRights/CreateGlobalObjects](./policy-csp-userrights.md#userrights-createglobalobjects)
+- [UserRights/CreatePageFile](./policy-csp-userrights.md#userrights-createpagefile)
+- [UserRights/CreatePermanentSharedObjects](./policy-csp-userrights.md#userrights-createpermanentsharedobjects)
+- [UserRights/CreateSymbolicLinks](./policy-csp-userrights.md#userrights-createsymboliclinks)
+- [UserRights/CreateToken](./policy-csp-userrights.md#userrights-createtoken)
+- [UserRights/DebugPrograms](./policy-csp-userrights.md#userrights-debugprograms)
+- [UserRights/DenyAccessFromNetwork](./policy-csp-userrights.md#userrights-denyaccessfromnetwork)
+- [UserRights/DenyLocalLogOn](./policy-csp-userrights.md#userrights-denylocallogon)
+- [UserRights/DenyRemoteDesktopServicesLogOn](./policy-csp-userrights.md#userrights-denyremotedesktopserviceslogon)
+- [UserRights/EnableDelegation](./policy-csp-userrights.md#userrights-enabledelegation)
+- [UserRights/GenerateSecurityAudits](./policy-csp-userrights.md#userrights-generatesecurityaudits)
+- [UserRights/ImpersonateClient](./policy-csp-userrights.md#userrights-impersonateclient)
+- [UserRights/IncreaseSchedulingPriority](./policy-csp-userrights.md#userrights-increaseschedulingpriority)
+- [UserRights/LoadUnloadDeviceDrivers](./policy-csp-userrights.md#userrights-loadunloaddevicedrivers)
+- [UserRights/LockMemory](./policy-csp-userrights.md#userrights-lockmemory)
+- [UserRights/ManageAuditingAndSecurityLog](./policy-csp-userrights.md#userrights-manageauditingandsecuritylog)
+- [UserRights/ManageVolume](./policy-csp-userrights.md#userrights-managevolume)
+- [UserRights/ModifyFirmwareEnvironment](./policy-csp-userrights.md#userrights-modifyfirmwareenvironment)
+- [UserRights/ModifyObjectLabel](./policy-csp-userrights.md#userrights-modifyobjectlabel)
+- [UserRights/ProfileSingleProcess](./policy-csp-userrights.md#userrights-profilesingleprocess)
+- [UserRights/RemoteShutdown](./policy-csp-userrights.md#userrights-remoteshutdown)
+- [UserRights/RestoreFilesAndDirectories](./policy-csp-userrights.md#userrights-restorefilesanddirectories)
+- [UserRights/TakeOwnership](./policy-csp-userrights.md#userrights-takeownership)
+- [Wifi/AllowAutoConnectToWiFiSenseHotspots](./policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots)
+- [Wifi/AllowInternetSharing](./policy-csp-wifi.md#wifi-allowinternetsharing)
+- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork)
+- [WindowsDefenderSecurityCenter/CompanyName](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-companyname)
+- [WindowsDefenderSecurityCenter/DisableAccountProtectionUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableaccountprotectionui)
+- [WindowsDefenderSecurityCenter/DisableAppBrowserUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableappbrowserui)
+- [WindowsDefenderSecurityCenter/DisableClearTpmButton](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablecleartpmbutton)
+- [WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabledevicesecurityui)
+- [WindowsDefenderSecurityCenter/DisableEnhancedNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableenhancednotifications)
+- [WindowsDefenderSecurityCenter/DisableFamilyUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablefamilyui)
+- [WindowsDefenderSecurityCenter/DisableHealthUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablehealthui)
+- [WindowsDefenderSecurityCenter/DisableNetworkUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenetworkui)
+- [WindowsDefenderSecurityCenter/DisableNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenotifications)
+- [WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabletpmfirmwareupdatewarning)
+- [WindowsDefenderSecurityCenter/DisableVirusUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablevirusui)
+- [WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disallowexploitprotectionoverride)
+- [WindowsDefenderSecurityCenter/Email](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-email)
+- [WindowsDefenderSecurityCenter/EnableCustomizedToasts](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enablecustomizedtoasts)
+- [WindowsDefenderSecurityCenter/EnableInAppCustomization](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enableinappcustomization)
+- [WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hideransomwaredatarecovery)
+- [WindowsDefenderSecurityCenter/HideSecureBoot](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidesecureboot)
+- [WindowsDefenderSecurityCenter/HideTPMTroubleshooting](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidetpmtroubleshooting)
+- [WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidewindowssecuritynotificationareacontrol)
+- [WindowsDefenderSecurityCenter/Phone](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-phone)
+- [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url)
+- [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace)
+- [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace)
+- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
+- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
+- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
+- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
+- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)
+- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers)
+- [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching)
+- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging)
+- [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc)
+- [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
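Review bot: The link targets in this list are inconsistent with the rest of the file and with the sibling pages added in this same change: every list item uses a `./policy-csp-*.md` prefix (for example `./policy-csp-update.md#update-allowmuupdateservice`), while the "Related topics" link on the last line of the hunk uses the bare `policy-configuration-service-provider.md`, and the new HoloLens and IoT Core pages in this patch use bare `policy-csp-*.md` throughout. Suggest dropping the `./` prefix here so all of these supported-policy pages resolve links the same way. A second small point: the item `WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork` reads like a typo for "Prohibit", but the anchor in the link carries the same spelling, so before anyone "corrects" it the spelling should be checked against the heading in `policy-csp-windowsconnectionmanager.md`; changing only one side would break the link.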
diff --git a/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-commercial-suite.md
new file mode 100644
index 0000000000..f77d3c1308
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-commercial-suite.md
@@ -0,0 +1,71 @@
+---
+title: Policy CSPs supported by HoloLens (1st gen) Commercial Suite
+description: Policy CSPs supported by HoloLens (1st gen) Commercial Suite
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 09/17/2019
+---
+
+# Policy CSPs supported by HoloLens (1st gen) Commercial Suite
+
+> [!div class="op_single_selector"]
+>
+> - [HoloLens 2](policy-csps-supported-by-hololens2.md)
+> - [HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
+> - [HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
+>
+
+- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
+- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
+- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname)
+- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
+- [Browser/AllowAutofill](policy-csp-browser.md#browser-allowautofill)
+- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
+- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
+- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
+- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
+- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
+- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
+- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
+- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
+- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
+- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
+- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
+- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
+- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
+- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
+- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade)
+- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval)
+- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
+- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
+- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-development-edition.md
new file mode 100644
index 0000000000..2dec2fdb8b
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-development-edition.md
@@ -0,0 +1,69 @@
+---
+title: Policy CSPs supported by HoloLens (1st gen) Development Edition
+description: Policy CSPs supported by HoloLens (1st gen) Development Edition
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 07/18/2019
+---
+
+# Policy CSPs supported by HoloLens (1st gen) Development Edition
+
+> [!div class="op_single_selector"]
+>
+> - [HoloLens 2](policy-csps-supported-by-hololens2.md)
+> - [HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
+> - [HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
+>
+
+- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
+- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
+- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
+- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
+- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
+- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
+- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
+- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
+- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
+- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
+- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
+- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
+- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
+- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
+- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
+- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
+- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
+- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
+- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval)
+- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
+- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
+- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
+- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade)
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
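Review bot: This list is not in alphabetical order, unlike the Commercial Suite page added just before it in this patch, which makes the two pages hard to diff against each other. Out-of-order entries include `ApplicationManagement/AllowAllTrustedApps` (listed after `AllowDeveloperUnlock`), `Browser/AllowCookies` (listed last in the Browser group), the whole `DeviceLock/*` group, `System/AllowLocation` (after `AllowTelemetry`), and `Update/RequireDeferUpgrade` (after `UpdateServiceUrl`). Suggest sorting the list the same way the Commercial Suite page is sorted, so a reader can compare what each edition supports line by line.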
diff --git a/windows/client-management/mdm/policy-csps-supported-by-hololens2.md b/windows/client-management/mdm/policy-csps-supported-by-hololens2.md
new file mode 100644
index 0000000000..0a0040f58c
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-hololens2.md
@@ -0,0 +1,111 @@
+---
+title: Policy CSPs supported by HoloLens 2
+description: Policy CSPs supported by HoloLens 2
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 05/11/2020
+---
+
+# Policy CSPs supported by HoloLens 2
+
+> [!div class="op_single_selector"]
+>
+> - [HoloLens 2](policy-csps-supported-by-hololens2.md)
+> - [HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
+> - [HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
+>
+
+- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
+- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
+- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname)
+- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
+- [Browser/AllowAutofill](policy-csp-browser.md#browser-allowautofill)
+- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
+- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
+- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
+- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
+- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
+- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
+- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicelock-devicepasswordexpiration)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
+- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
+- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
+- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
+- [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
+- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
+- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps)
+- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forceallowtheseapps)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forcedenytheseapps)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps) 8
+- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps) 8
+- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps) 8
+- [Privacy/LetAppsAccessGazeInput](policy-csp-privacy.md#privacy-letappsaccessgazeinput) 8
+- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-forceallowtheseapps) 8
+- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-forcedenytheseapps) 8
+- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-userincontroloftheseapps) 8
+- [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#privacy-letappsaccesscamera)
+- [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#privacy-letappsaccesslocation)
+- [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#privacy-letappsaccessmicrophone)
+- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) 8
+- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) 8
+- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) 8
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
+- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
+- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
+- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
+- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
+- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
+- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
+- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
+- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
+- [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel)
+- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays)
+- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays)
+- [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds)
+- [Update/PauseFeatureUpdates](policy-csp-update.md#update-pausefeatureupdates)
+- [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates)
+- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
+- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
+- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
+- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) 8
+
+Footnotes:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
+- 7 - Added in Windows 10, version 1909.
+- 8 - Added in Windows 10, version 2004.
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
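Review bot: The Footnotes section defines markers 1 through 7, but only marker 8 ("Added in Windows 10, version 2004") is used anywhere in the list, so entries 1 to 7 are dead text on this page; suggest either removing them or, if they are kept for consistency with other supported-policy pages, saying so. Also, the footnote marker is appended as a bare ` 8` after the link on each affected line (for example `- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) 8`), which will render as the digit 8 sitting next to the link text rather than as a superscript reference; check how other pages in this repo mark footnotes and use the same form. Finally, `Privacy/LetAppsAccessCamera` is listed after the `LetAppsAccessCamera_*` and `LetAppsAccessGazeInput*` entries; moving it ahead of `LetAppsAccessCamera_ForceAllowTheseApps` keeps the Privacy group alphabetical like the rest of the list.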
diff --git a/windows/client-management/mdm/policy-csps-supported-by-iot-core.md b/windows/client-management/mdm/policy-csps-supported-by-iot-core.md
new file mode 100644
index 0000000000..c43363b357
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-iot-core.md
@@ -0,0 +1,77 @@
+---
+title: Policy CSPs supported by Windows 10 IoT Core
+description: Policy CSPs supported by Windows 10 IoT Core
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 09/16/2019
+---
+
+# Policy CSPs supported by Windows 10 IoT Core
+
+> [!div class="op_single_selector"]
+>
+> - [IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
+> - [IoT Core](policy-csps-supported-by-iot-core.md)
+>
+
+- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
+- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [CredentialProviders/AllowPINLogon](policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
+- [DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md#dataprotection-allowdirectmemoryaccess)
+- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
+- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
+- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
+- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
+- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
+- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
+- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
+- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) (deprecated)
+- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) (deprecated)
+- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) (deprecated)
+- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
+- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
+- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
+- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
+- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
+- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
+- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
+- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
+- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot)
+- [Wifi/AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots)
+- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing)
+- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
+- [Wifi/WLANScanMode](policy-csp-wifi.md#wifi-wlanscanmode)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
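Review bot: The list is not in a consistent order, which makes it hard to check against the Policy CSP reference: the three InternetExplorer entries (`InternetExplorer/DisableActiveXVersionListAutoDownload` through `InternetExplorer/DisableGeolocation`) sit between `DataProtection/AllowDirectMemoryAccess` and the DeliveryOptimization block instead of after the DeviceHealthMonitoring entries, and inside DeliveryOptimization the two `DODelayCacheServerFallback*` entries come after `DODelayForegroundDownloadFromHttp`. Sort the list by CSP name and then by policy name. A smaller point: `ms.date: 09/16/2019` predates this change on a file that is new here; set it to the date of this update.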
diff --git a/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md
new file mode 100644
index 0000000000..617be22113
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md
@@ -0,0 +1,72 @@
+---
+title: Policy CSPs supported by Windows 10 IoT Enterprise
+description: Policy CSPs supported by Windows 10 IoT Enterprise
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 07/18/2019
+---
+
+# Policy CSPs supported by Windows 10 IoT Enterprise
+
+> [!div class="op_single_selector"]
+>
+> - [IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
+> - [IoT Core](policy-csps-supported-by-iot-core.md)
+>
+
+- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
+- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
+- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
+- [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
+- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
+- [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
+- [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
+- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
+- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
+- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
+- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
+- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) (deprecated)
+- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) (deprecated)
+- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) (deprecated)
+- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
+- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
+- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
+- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
+- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
+- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
+- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
+- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
+- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
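Review bot: `ms.date: 07/18/2019` is stale for a file that is new in this change, and it also disagrees with the 09/16/2019 on the sibling IoT Core page added alongside it; set both to the date of this update so readers can tell the lists reflect the current policy set. The same ordering problem as on the IoT Core page applies here: the InternetExplorer entries precede the DeliveryOptimization block, and the `DODelayCacheServerFallback*` entries follow `DODelayForegroundDownloadFromHttp`; sort by CSP, then policy name. The two pages also share the entire DeliveryOptimization, DeviceHealthMonitoring and Privacy blocks verbatim, so a shared include would keep them from drifting apart.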
diff --git a/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md b/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md
new file mode 100644
index 0000000000..ec48042286
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md
@@ -0,0 +1,79 @@
+---
+title: Policy CSPs supported by Microsoft Surface Hub
+description: Policy CSPs supported by Microsoft Surface Hub
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 07/18/2019
+---
+
+# Policy CSPs supported by Microsoft Surface Hub
+
+- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
+- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
+- [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#cryptography-tlsciphersuites)
+- [Defender/AllowArchiveScanning](policy-csp-defender.md#defender-allowarchivescanning)
+- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#defender-allowbehaviormonitoring)
+- [Defender/AllowCloudProtection](policy-csp-defender.md#defender-allowcloudprotection)
+- [Defender/AllowEmailScanning](policy-csp-defender.md#defender-allowemailscanning)
+- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
+- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
+- [Defender/AllowIOAVProtection](policy-csp-defender.md#defender-allowioavprotection)
+- [Defender/AllowIntrusionPreventionSystem](policy-csp-defender.md#defender-allowintrusionpreventionsystem)
+- [Defender/AllowOnAccessProtection](policy-csp-defender.md#defender-allowonaccessprotection)
+- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#defender-allowrealtimemonitoring)
+- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#defender-allowscanningnetworkfiles)
+- [Defender/AllowScriptScanning](policy-csp-defender.md#defender-allowscriptscanning)
+- [Defender/AllowUserUIAccess](policy-csp-defender.md#defender-allowuseruiaccess)
+- [Defender/AvgCPULoadFactor](policy-csp-defender.md#defender-avgcpuloadfactor)
+- [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#defender-daystoretaincleanedmalware)
+- [Defender/ExcludedExtensions](policy-csp-defender.md#defender-excludedextensions)
+- [Defender/ExcludedPaths](policy-csp-defender.md#defender-excludedpaths)
+- [Defender/ExcludedProcesses](policy-csp-defender.md#defender-excludedprocesses)
+- [Defender/PUAProtection](policy-csp-defender.md#defender-puaprotection)
+- [Defender/RealTimeScanDirection](policy-csp-defender.md#defender-realtimescandirection)
+- [Defender/ScanParameter](policy-csp-defender.md#defender-scanparameter)
+- [Defender/ScheduleQuickScanTime](policy-csp-defender.md#defender-schedulequickscantime)
+- [Defender/ScheduleScanDay](policy-csp-defender.md#defender-schedulescanday)
+- [Defender/ScheduleScanTime](policy-csp-defender.md#defender-schedulescantime)
+- [Defender/SignatureUpdateInterval](policy-csp-defender.md#defender-signatureupdateinterval)
+- [Defender/SubmitSamplesConsent](policy-csp-defender.md#defender-submitsamplesconsent)
+- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#defender-threatseveritydefaultaction)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
+- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
+- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging)
+- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess)
+- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel)
+- [TextInput/AllowJapaneseIMESurrogatePairCharacters](policy-csp-textinput.md#textinput-allowjapaneseimesurrogatepaircharacters)
+- [TextInput/AllowJapaneseIVSCharacters](policy-csp-textinput.md#textinput-allowjapaneseivscharacters)
+- [TextInput/AllowJapaneseNonPublishingStandardGlyph](policy-csp-textinput.md#textinput-allowjapanesenonpublishingstandardglyph)
+- [TextInput/AllowJapaneseUserDictionary](policy-csp-textinput.md#textinput-allowjapaneseuserdictionary)
+- [TextInput/AllowLanguageFeaturesUninstall](policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208andeudc)
+- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#textinput-excludejapaneseimeexceptshiftjis)
+- [WiFi/AllowWiFiHotSpotReporting](policy-csp-wifi.md#wifi-allowwifihotspotreporting)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
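Review bot: `DeliveryOptimization/DOMaxDownloadBandwidth`, `DeliveryOptimization/DOMaxUploadBandwidth` and `DeliveryOptimization/DOPercentageMaxDownloadBandwidth` are listed without the `(deprecated)` marker that the IoT Core and IoT Enterprise pages in this same change attach to those three policies; either mark them here too or drop the marker everywhere, otherwise readers will conclude the deprecation is platform-specific. Two smaller points: `WiFi/AllowWiFiHotSpotReporting` uses a different casing of the CSP name than the `Wifi/...` entries on the sibling pages (the anchor `wifi-allowwifihotspotreporting` is unaffected), and `ms.date: 07/18/2019` predates this change on a newly added file.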
diff --git a/windows/client-management/mdm/policies-that-can-be-set-using-eas.md b/windows/client-management/mdm/policy-csps-that-can-be-set-using-eas.md
similarity index 89%
rename from windows/client-management/mdm/policies-that-can-be-set-using-eas.md
rename to windows/client-management/mdm/policy-csps-that-can-be-set-using-eas.md
index 3c0303c2c0..171652aa2b 100644
--- a/windows/client-management/mdm/policies-that-can-be-set-using-eas.md
+++ b/windows/client-management/mdm/policy-csps-that-can-be-set-using-eas.md
@@ -1,6 +1,6 @@
---
-title: Policies that can be set using Exchange Active Sync (EAS)
-description: Policies that can be set using Exchange Active Sync (EAS)
+title: Policy CSPs that can be set using Exchange Active Sync (EAS)
+description: Policy CSPs that can be set using Exchange Active Sync (EAS)
ms.reviewer:
manager: dansimp
ms.author: dansimp
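Review bot: The rename from `policies-that-can-be-set-using-eas.md` to `policy-csps-that-can-be-set-using-eas.md` changes the published URL of this page, and nothing in the hunks shown here adds a redirect from the old path; make sure the redirection entry for the old URL is part of this change so existing links and bookmarks do not break, and check that the TOC entry and any cross-links that referenced the old file name are updated to the new one.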
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
ms.date: 07/18/2019
---
-# Policies that can be set using Exchange Active Sync (EAS)
+# Policy CSPs that can be set using Exchange Active Sync (EAS)
- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
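Review bot: `Exchange Active Sync` in the new heading `# Policy CSPs that can be set using Exchange Active Sync (EAS)` should be `Exchange ActiveSync`, which is the product's name and matches the `EAS` abbreviation; the `title` and `description` fields at the top of the file carry the same spelling and should be corrected together, since the heading was copied from them.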
@@ -36,4 +36,5 @@ ms.date: 07/18/2019
- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
## Related topics
-[Policy CSP](policy-configuration-service-provider.md)
\ No newline at end of file
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
index 8a9c1a34dc..7a522ee312 100644
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
@@ -10,7 +10,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 05/21/2019
+ms.date: 06/03/2020
---
# Policy DDF file
@@ -20,6 +20,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Policy*
You can view various Policy DDF files by clicking the following links:
+- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml)
- [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml)
- [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml)
- [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml)
@@ -31,7 +32,7 @@ You can view various Policy DDF files by clicking the following links:
You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is the DDF for Windows 10, version 1903.
+The XML below is the DDF for Windows 10, version 2004.
```xml
@@ -57,7 +58,7 @@ The XML below is the DDF for Windows 10, version 1903.
- com.microsoft/9.0/MDM/Policy
+ com.microsoft/10.0/MDM/Policy
@@ -1646,7 +1647,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically.
-When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and extension.
+When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension.
When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel.
@@ -1657,11 +1658,11 @@ If disabled or not configured, extensions defined as part of this policy get ign
Default setting: Disabled or not configured
Related policies: Allow Developer Tools
Related Documents:
-- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)
-- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business)
-- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy)
-- Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager (https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
-- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows)
+- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)
+- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business)
+- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy)
+- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows)
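Review bot: The replacement lines in Related Documents step backwards: `https://docs.microsoft.com/configmgr/...` becomes `https://docs.microsoft.com/en-us/sccm/...` (hard-coded locale plus the legacy `sccm` path) and `Microsoft Endpoint Configuration Manager` becomes `System Center Configuration Manager`, the product's former name. If this text is lifted verbatim from the 2004 DDF XML, the regression is in the source DDF and should be reported there; if the page is hand-edited, keep the `configmgr` links and the current product name that the removed lines already had.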
@@ -2119,6 +2120,30 @@ Related policy:
+
+ AllowGraphingCalculator
+
+
+
+
+
+
+
+ This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, users will be able to access graphing functionality.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DefaultPrinterName
@@ -11023,7 +11048,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically.
-When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and extension.
+When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension.
When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel.
@@ -11034,11 +11059,11 @@ If disabled or not configured, extensions defined as part of this policy get ign
Default setting: Disabled or not configured
Related policies: Allow Developer Tools
Related Documents:
-- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)
-- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business)
-- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy)
-- Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager (https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
-- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows)
+- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)
+- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business)
+- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy)
+- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows)
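Review bot: Same regression as in the first copy of this policy's description earlier in the file: the `-` lines already had the locale-free `configmgr` paths and the `Microsoft Endpoint Configuration Manager` name, and the `+` lines replace them with `en-us/sccm` URLs and `System Center Configuration Manager`. Whatever is decided for the first copy (keep the newer links, or fix the DDF source) needs to be applied to this second copy as well so the two scopes do not diverge.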
@@ -11541,6 +11566,33 @@ Related policy:
+
+ AllowGraphingCalculator
+
+
+
+
+ 1
+ This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, users will be able to access graphing functionality.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ Programs.admx
+ Programs~AT~WindowsComponents~Calculator
+ AllowGraphingCalculator
+ LowestValueMostSecure
+
+ DefaultPrinterName
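Review bot: The `LowestValueMostSecure` line together with the default `1` means `AllowGraphingCalculator` ships in its least restrictive state, which the description only implies ("If you enable or don't configure this policy setting, users will be able to access graphing functionality"); state explicitly that `0` is the value that disables graphing so admins locking down kiosk-style devices do not have to infer it. Also note that this copy carries a default value and the `Programs.admx` / `Programs~AT~WindowsComponents~Calculator` mapping while the earlier copy of the same node shows neither; confirm that difference is intended.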
@@ -19509,7 +19561,7 @@ Related policy:
- com.microsoft/9.0/MDM/Policy
+ com.microsoft/10.0/MDM/Policy
@@ -19578,6 +19630,99 @@ Related policy:
+
+ Properties
+
+
+
+
+
+
+ Properties of Win32 App ADMX Ingestion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ *
+
+
+
+
+
+
+ Setting Type of Win32 App. Policy Or Preference
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ *
+
+
+
+
+
+
+ Unique ID of ADMX file
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Version
+
+
+
+
+
+
+
+ Version of ADMX file
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ *
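Review bot: `Setting Type of Win32 App. Policy Or Preference` names the two permitted values but does not say how they are written (literal `Policy` and `Preference`, and whether case matters), and `Unique ID of ADMX file` and `Version of ADMX file` give no format or example; since these `Properties` nodes drive Win32 app ADMX ingestion, add the accepted values and an example to each description so an admin can populate them without trial and error.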
@@ -19607,6 +19752,7 @@ Related policy:
+ Unique ID of ADMX file
@@ -20165,6 +20311,30 @@ Related policy:
+
+ BlockNonAdminUserInstall
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DisableStoreOriginatedApps
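Review bot: `BlockNonAdminUserInstall` is added without any description text, while the neighbouring nodes in this file (for example `AllowGraphingCalculator`) carry one; for a policy that restricts which users can install apps, this is the text admins will rely on, so add the description (what is blocked, which value blocks it, and the default) before merging.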
@@ -21098,6 +21268,1785 @@ Related policy:
+
+ Audit
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AccountLogon_AuditCredentialValidation
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by validation tests on user account logon credentials.
+
+Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountLogon_AuditKerberosAuthenticationService
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests.
+
+If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests.
+If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountLogon_AuditKerberosServiceTicketOperations
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts.
+
+If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests.
+If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountLogon_AuditOtherAccountLogonEvents
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.
+
+Currently, there are no events in this subcategory.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountLogonLogoff_AuditAccountLockout
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out.
+
+If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+
+Logon events are essential for understanding user activity and to detect potential attacks.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountLogonLogoff_AuditGroupMembership
+
+
+
+
+
+
+
+ This policy allows you to audit the group memberhsip information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
+
+When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group memberhsip information cannot fit in a single security audit event.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountLogonLogoff_AuditIPsecExtendedMode
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
+
+If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountLogonLogoff_AuditIPsecMainMode
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
+
+If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountLogonLogoff_AuditIPsecQuickMode
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
+
+If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.If
+ you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountLogonLogoff_AuditLogoff
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to.
+
+If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions.
+If you do not configure this policy setting, no audit event is generated when a logon session is closed.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountLogonLogoff_AuditLogon
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by user account logon attempts on the computer.
+Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included:
+ Successful logon attempts.
+ Failed logon attempts.
+ Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command.
+ Security identifiers (SIDs) were filtered and not allowed to log on.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountLogonLogoff_AuditNetworkPolicyServer
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
+If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts.
+If you do not configure this policy settings, IAS and NAP user access requests are not audited.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountLogonLogoff_AuditOtherLogonLogoffEvents
+
+
+
+
+
+
+
+ This policy setting allows you to audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting such as the following:
+ Terminal Services session disconnections.
+ New Terminal Services sessions.
+ Locking and unlocking a workstation.
+ Invoking a screen saver.
+ Dismissal of a screen saver.
+ Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration.
+ Access to a wireless network granted to a user or computer account.
+ Access to a wired 802.1x network granted to a user or computer account.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountLogonLogoff_AuditSpecialLogon
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by special logons such as the following :
+ The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
+ A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121697).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountLogonLogoff_AuditUserDeviceClaims
+
+
+
+
+
+
+
+ This policy allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
+
+User claims are added to a logon token when claims are included with a user's account attributes in Active Directory. Device claims are added to the logon token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on.
+
+When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountManagement_AuditApplicationGroupManagement
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by changes to application groups such as the following:
+ Application group is created, changed, or deleted.
+ Member is added or removed from an application group.
+
+If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when an application group changes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountManagement_AuditComputerAccountManagement
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted.
+
+If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when a computer account changes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountManagement_AuditDistributionGroupManagement
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by changes to distribution groups such as the following:
+ Distribution group is created, changed, or deleted.
+ Member is added or removed from a distribution group.
+ Distribution group type is changed.
+
+If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when a distribution group changes.
+
+Note: Events in this subcategory are logged only on domain controllers.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountManagement_AuditOtherAccountManagementEvents
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following:
+ The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration.
+ The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack.
+ Changes to the Default Domain Group Policy under the following Group Policy paths:
+Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
+Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountManagement_AuditSecurityGroupManagement
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by changes to security groups such as the following:
+ Security group is created, changed, or deleted.
+ Member is added or removed from a security group.
+ Group type is changed.
+
+If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when a security group changes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccountManagement_AuditUserAccountManagement
+
+
+
+
+
+
+
+ This policy setting allows you to audit changes to user accounts. Events include the following:
+ A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked.
+ A user account’s password is set or changed.
+ A security identifier (SID) is added to the SID History of a user account.
+ The Directory Services Restore Mode password is configured.
+ Permissions on administrative user accounts are changed.
+ Credential Manager credentials are backed up or restored.
+
+If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a user account changes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DetailedTracking_AuditDPAPIActivity
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720.
+
+If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests.
+If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DetailedTracking_AuditPNPActivity
+
+
+
+
+
+
+
+ This policy setting allows you to audit when plug and play detects an external device.
+
+If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category.
+If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DetailedTracking_AuditProcessCreation
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited.
+
+If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when a process is created.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DetailedTracking_AuditProcessTermination
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated when a process ends.
+
+If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when a process ends.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DetailedTracking_AuditRPCEvents
+
+
+
+
+
+
+
+ This policy setting allows you to audit inbound remote procedure call (RPC) connections.
+
+If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DetailedTracking_AuditTokenRightAdjusted
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by adjusting the privileges of a token.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DSAccess_AuditDetailedDirectoryServiceReplication
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DSAccess_AuditDirectoryServiceAccess
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed.
+
+Only AD DS objects with a matching system access control list (SACL) are logged.
+
+Events in this subcategory are similar to the Directory Service Access events available in previous versions of Windows.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DSAccess_AuditDirectoryServiceChanges
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted.
+
+When possible, events logged in this subcategory indicate the old and new values of the object’s properties.
+
+Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged.
+
+Note: Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.
+
+If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded.
+If you do not configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DSAccess_AuditDirectoryServiceReplication
+
+
+
+
+
+
+
+ This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers.
+
+If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication.
+If you do not configure this policy setting, no audit event is generated during AD DS replication.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ObjectAccess_AuditApplicationGenerated
+
+
+
+
+
+
+
+ This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function.
+Events in this subcategory include:
+ Creation of an application client context.
+ Deletion of an application client context.
+ Initialization of an application client context.
+ Other application operations using the Windows Auditing APIs.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ObjectAccess_AuditCentralAccessPolicyStaging
+
+
+
+
+
+
+
+ This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object.
+
+If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event will be generated as follows:
+1) Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access.
+2) Failure audits when configured records access attempts when:
+ a) The current central access policy does not grant access but the proposed policy grants access.
+ b) A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy.
+
+Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ObjectAccess_AuditCertificationServices
+
+
+
+
+
+
+
+ This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations.
+AD CS operations include the following:
+ AD CS startup/shutdown/backup/restore.
+ Changes to the certificate revocation list (CRL).
+ New certificate requests.
+ Issuing of a certificate.
+ Revocation of a certificate.
+ Changes to the Certificate Manager settings for AD CS.
+ Changes in the configuration of AD CS.
+ Changes to a Certificate Services template.
+ Importing of a certificate.
+ Publishing of a certification authority certificate is to Active Directory Domain Services.
+ Changes to the security permissions for AD CS.
+ Archival of a key.
+ Importing of a key.
+ Retrieval of a key.
+ Starting of Online Certificate Status Protocol (OCSP) Responder Service.
+ Stopping of Online Certificate Status Protocol (OCSP) Responder Service.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ObjectAccess_AuditDetailedFileShare
+
+
+
+
+
+
+
+ This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.
+
+If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures.
+
+Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ObjectAccess_AuditFileShare
+
+
+
+
+
+
+
+ This policy setting allows you to audit attempts to access a shared folder.
+
+If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures.
+
+Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ObjectAccess_AuditFileSystem
+
+
+
+
+
+
+
+ This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see https://go.microsoft.com/fwlink/?LinkId=122083.
+
+If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL.
+
+Note: You can set a SACL on a file system object using the Security tab in that object's Properties dialog box.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ObjectAccess_AuditFilteringPlatformConnection
+
+
+
+
+
+
+
+ This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included:
+ The Windows Firewall Service blocks an application from accepting incoming connections on the network.
+ The WFP allows a connection.
+ The WFP blocks a connection.
+ The WFP permits a bind to a local port.
+ The WFP blocks a bind to a local port.
+ The WFP allows a connection.
+ The WFP blocks a connection.
+ The WFP permits an application or service to listen on a port for incoming connections.
+ The WFP blocks an application or service to listen on a port for incoming connections.
+
+If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked.
+If you do not configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ObjectAccess_AuditFilteringPlatformPacketDrop
+
+
+
+
+
+
+
+ This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ObjectAccess_AuditHandleManipulation
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events.
+
+If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when a handle is manipulated.
+
+Note: Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ObjectAccess_AuditKernelObject
+
+
+
+
+
+
+
+ This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores.
+Only kernel objects with a matching system access control list (SACL) generate security audit events.
+
+Note: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ObjectAccess_AuditOtherObjectAccessEvents
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects.
+For scheduler jobs, the following are audited:
+ Job created.
+ Job deleted.
+ Job enabled.
+ Job disabled.
+ Job updated.
+For COM+ objects, the following are audited:
+ Catalog object added.
+ Catalog object updated.
+ Catalog object deleted.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ObjectAccess_AuditRegistry
+
+
+
+
+
+
+
+ This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
+
+If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL.
+
+Note: You can set a SACL on a registry object using the Permissions dialog box.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ObjectAccess_AuditRemovableStorage
+
+
+
+
+
+
+
+ This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested.
+
+If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+
+If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ObjectAccess_AuditSAM
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects.
+SAM objects include the following:
+ SAM_ALIAS -- A local group.
+ SAM_GROUP -- A group that is not a local group.
+ SAM_USER – A user account.
+ SAM_DOMAIN – A domain.
+ SAM_SERVER – A computer account.
+If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made.
+Note: Only the System Access Control List (SACL) for SAM_SERVER can be modified.
+Volume: High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121698).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PolicyChange_AuditAuthenticationPolicyChange
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by changes to the authentication policy such as the following:
+ Creation of forest and domain trusts.
+ Modification of forest and domain trusts.
+ Removal of forest and domain trusts.
+ Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy.
+ Granting of any of the following user rights to a user or group:
+ Access This Computer From the Network.
+ Allow Logon Locally.
+ Allow Logon Through Terminal Services.
+ Logon as a Batch Job.
+ Logon a Service.
+ Namespace collision. For example, when a new trust has the same name as an existing namespace name.
+
+If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when the authentication policy is changed.
+
+Note: The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PolicyChange_AuditAuthorizationPolicyChange
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by changes to the authorization policy such as the following:
+ Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory.
+ Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory.
+ Changes in the Encrypted File System (EFS) policy.
+ Changes to the Resource attributes of an object.
+ Changes to the Central Access Policy (CAP) applied to an object.
+
+If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when the authorization policy changes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PolicyChange_AuditFilteringPlatformPolicyChange
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP) such as the following:
+ IPsec services status.
+ Changes to IPsec policy settings.
+ Changes to Windows Firewall policy settings.
+ Changes to WFP providers and engine.
+
+If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when a change occurs to the WFP.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PolicyChange_AuditMPSSVCRuleLevelPolicyChange
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following:
+ Reporting of active policies when Windows Firewall service starts.
+ Changes to Windows Firewall rules.
+ Changes to Windows Firewall exception list.
+ Changes to Windows Firewall settings.
+ Rules ignored or not applied by Windows Firewall Service.
+ Changes to Windows Firewall Group Policy settings.
+
+If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PolicyChange_AuditOtherPolicyChangeEvents
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following:
+ Trusted Platform Module (TPM) configuration changes.
+ Kernel-mode cryptographic self tests.
+ Cryptographic provider operations.
+ Cryptographic context operations or modifications.
+ Applied Central Access Policies (CAPs) changes.
+ Boot Configuration Data (BCD) modifications.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PolicyChange_AuditPolicyChange
+
+
+
+
+
+
+
+ This policy setting allows you to audit changes in the security audit policy settings such as the following:
+ Settings permissions and audit settings on the Audit Policy object.
+ Changes to the system audit policy.
+ Registration of security event sources.
+ De-registration of security event sources.
+ Changes to the per-user audit settings.
+ Changes to the value of CrashOnAuditFail.
+ Changes to the system access control list on a file system or registry object.
+ Changes to the Special Groups list.
+
+Note: System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PrivilegeUse_AuditNonSensitivePrivilegeUse
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights).
+The following privileges are non-sensitive:
+ Access Credential Manager as a trusted caller.
+ Access this computer from the network.
+ Add workstations to domain.
+ Adjust memory quotas for a process.
+ Allow log on locally.
+ Allow log on through Terminal Services.
+ Bypass traverse checking.
+ Change the system time.
+ Create a pagefile.
+ Create global objects.
+
+ Create permanent shared objects.
+ Create symbolic links.
+ Deny access this computer from the network.
+ Deny log on as a batch job.
+ Deny log on as a service.
+ Deny log on locally.
+ Deny log on through Terminal Services.
+ Force shutdown from a remote system.
+ Increase a process working set.
+ Increase scheduling priority.
+ Lock pages in memory.
+ Log on as a batch job.
+ Log on as a service.
+ Modify an object label.
+ Perform volume maintenance tasks.
+ Profile single process.
+ Profile system performance.
+ Remove computer from docking station.
+ Shut down the system.
+ Synchronize directory service data.
+
+If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls.
+If you do not configure this policy setting, no audit event is generated when a non-sensitive privilege is called.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PrivilegeUse_AuditOtherPrivilegeUseEvents
+
+
+
+
+
+
+
+ Not used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PrivilegeUse_AuditSensitivePrivilegeUse
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated when sensitive privileges (user rights) are used such as the following:
+ A privileged service is called.
+ One of the following privileges are called:
+ Act as part of the operating system.
+ Back up files and directories.
+ Create a token object.
+ Debug programs.
+ Enable computer and user accounts to be trusted for delegation.
+ Generate security audits.
+ Impersonate a client after authentication.
+ Load and unload device drivers.
+ Manage auditing and security log.
+ Modify firmware environment values.
+ Replace a process-level token.
+ Restore files and directories.
+ Take ownership of files or other objects.
+
+If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests.
+If you do not configure this policy setting, no audit event is generated when sensitive privilege requests are made.
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ System_AuditIPsecDriver
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by the IPsec filter driver such as the following:
+ Startup and shutdown of the IPsec services.
+ Network packets dropped due to integrity check failure.
+ Network packets dropped due to replay check failure.
+ Network packets dropped due to being in plaintext.
+ Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated.
+ Inability to process IPsec filters.
+
+If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated on an IPSec filter driver operation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ System_AuditOtherSystemEvents
+
+
+
+
+
+
+
+ This policy setting allows you to audit any of the following events:
+ Startup and shutdown of the Windows Firewall service and driver.
+ Security policy processing by the Windows Firewall Service.
+ Cryptography key file and migration operations.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ System_AuditSecurityStateChange
+
+
+
+
+
+
+
+ This policy setting allows you to audit events generated by changes in the security state of the computer such as the following events:
+ Startup and shutdown of the computer.
+ Change of system time.
+ Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ System_AuditSecuritySystemExtension
+
+
+
+
+
+
+
+ This policy setting allows you to audit events related to security system extensions or services such as the following:
+ A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM.
+ A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account.
+If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when an attempt is made to load a security system extension.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ System_AuditSystemIntegrity
+
+
+
+
+
+
+
+ This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following:
+ Events that could not be written to the event log because of a problem with the auditing system.
+ A process that uses a local procedure call (LPC) port that is not valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space.
+ The detection of a Remote Procedure Call (RPC) that compromises system integrity.
+ The detection of a hash value of an executable file that is not valid as determined by Code Integrity.
+ Cryptographic operations that compromise system integrity.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ Authentication
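Review bot: "Logon a Service" in the AuthenticationPolicyChange user-rights list is missing a word and should read "Logon as a Service", matching "Logon as a Batch Job" on the line above. Two smaller consistency issues in the same region: "One of the following privileges are called" under AuditSensitivePrivilegeUse should be "is called", and the closing sentence of AuditIPsecDriver spells the protocol "IPSec" while the rest of that description uses "IPsec". The AuditOtherPolicyChangeEvents, AuditPolicyChange, AuditOtherSystemEvents, AuditSecurityStateChange and AuditSystemIntegrity descriptions also stop after their bullet list and lack the "If you configure / If you do not configure" paragraph that every other subcategory carries. Finally, none of these nodes carry a default value or Group Policy mapping lines, unlike the Audit nodes added further down in this patch; confirm that is intended for this subtree.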
@@ -21759,6 +23708,30 @@ Related policy:
+
+ SetMinimumEncryptionKeySize
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ Browser
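Review bot: SetMinimumEncryptionKeySize is added with an empty description and no default, allowed range or Group Policy mapping, only the "text/plain" format line. For a node whose name states a cryptographic minimum, the description should say what unit the value is in, the accepted range, and what happens to connections that negotiate a smaller key, so an administrator can tell whether setting it is a hardening step or a compatibility risk; the fully populated BlockNonAdminUserInstall node later in this patch is the template to follow.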
@@ -23021,7 +24994,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically.
-When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and extension.
+When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension.
When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel.
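Review bot: in the new example sentence, "the OneNote Web Clipper and Office Online extension" should be plural ("extensions") now that two PFNs are listed; otherwise the change is an improvement, because the example finally shows the semicolon delimiter the sentence describes. While here, the unchanged sentence above, "Any additional permissions requested by future updates of the extension gets granted automatically", needs "get"; it is also the one sentence that states the security consequence of pinning an extension (future permission grants happen without user consent), so it deserves correct grammar.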
@@ -23032,11 +25005,11 @@ If disabled or not configured, extensions defined as part of this policy get ign
Default setting: Disabled or not configured
Related policies: Allow Developer Tools
Related Documents:
-- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)
-- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business)
-- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy)
-- Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager (https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
-- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows)
+- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)
+- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business)
+- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy)
+- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows)
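Review bot: this hunk reverts the Related Documents links from the locale-neutral docs.microsoft.com/configmgr/... and docs.microsoft.com/intune/... paths to en-us-specific .../sccm/... paths, and renames "Microsoft Endpoint Configuration Manager" back to "System Center Configuration Manager". The removed lines are the newer form, so this looks like a stale-branch merge rather than an intentional edit; suggest keeping the "-" versions, e.g. `- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)`, so the links do not hard-code a locale and the product name stays current.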
@@ -25494,6 +27467,30 @@ Related policy:
+
+ DOCacheHostSource
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DODelayBackgroundDownloadFromHttp
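Review bot: DOCacheHostSource is added with an empty description and no default or value list. The node name implies it selects where Delivery Optimization obtains its cache host, so the description should enumerate the supported source values and state the default; without that an administrator cannot tell what each value does or which one the client uses when the policy is unset.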
@@ -25662,6 +27659,30 @@ Related policy:
+
+ DOMaxBackgroundDownloadBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DOMaxCacheAge
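Review bot: DOMaxBackgroundDownloadBandwidth is added without a description, unit or default. It is evidently one half of the foreground/background split introduced by the DOMaxForegroundDownloadBandwidth change in the next hunk, so the description should state the unit, whether 0 means unlimited, and cross-reference the foreground counterpart and the DOMaxDownloadBandwidth node it supersedes.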
@@ -25711,31 +27732,7 @@ Related policy:
- DOMaxDownloadBandwidth
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DOMaxUploadBandwidth
+ DOMaxForegroundDownloadBandwidth
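Review bot: this hunk deletes the DOMaxDownloadBandwidth node outright and turns the `- DOMaxUploadBandwidth` name line into `+ DOMaxForegroundDownloadBandwidth`, with no description for the new node. Removing a node from the DDF breaks any existing MDM profile that still sets DOMaxDownloadBandwidth, so it should be kept and marked deprecated in its description (pointing at the foreground/background replacements) rather than removed. Please also confirm that DOMaxUploadBandwidth still exists elsewhere, because as written the diff replaces its name line rather than adding a sibling node.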
@@ -25950,30 +27947,6 @@ Related policy:
-
- DOPercentageMaxDownloadBandwidth
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- DOPercentageMaxForegroundBandwidth
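Review bot: DOPercentageMaxDownloadBandwidth is removed with no deprecation note, which is a breaking change for profiles that set it; the same objection as for DOMaxDownloadBandwidth applies. The final removed line, `- DOPercentageMaxForegroundBandwidth`, also deletes the name line of the following node and the hunk's "+" side is not visible here, so check that DOPercentageMaxForegroundBandwidth survives the patch.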
@@ -26328,6 +28301,30 @@ Related policy:
+
+ AllowInstallationOfMatchingDeviceInstanceIDs
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowInstallationOfMatchingDeviceSetupClasses
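Review bot: AllowInstallationOfMatchingDeviceInstanceIDs is added with an empty description. Because this is a device-installation allow list, the description needs to state the expected identifier format (device instance IDs and their delimiter) and how the list interacts with the PreventInstallationOfMatchingDeviceInstanceIDs node added later in this patch; which list wins when an ID appears in both is exactly the property an administrator relies on to keep a block effective.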
@@ -26424,6 +28421,30 @@ Related policy:
+
+ PreventInstallationOfMatchingDeviceInstanceIDs
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ PreventInstallationOfMatchingDeviceSetupClasses
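Review bot: PreventInstallationOfMatchingDeviceInstanceIDs needs the same documentation as its Allow counterpart: identifier format, delimiter, and precedence over the Allow list. Its description is empty here even though the neighbouring PreventInstallationOfMatchingDeviceSetupClasses node, whose name it mirrors, is the obvious template to adapt.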
@@ -27888,6 +29909,124 @@ If you do not configure this policy setting, users will be able to choose whethe
+
+ FactoryComposer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BackgroundImagePath
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ OEMVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ UserToSignIn
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ UWPLaunchOnBoot
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ FileExplorer
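Review bot: all four FactoryComposer nodes (BackgroundImagePath, OEMVersion, UserToSignIn, UWPLaunchOnBoot) are added with empty descriptions, defaults and value formats. UserToSignIn in particular needs a description: if, as the name suggests, it names an account to sign in automatically, the setting has a direct security effect (an unattended session at boot), so the text should say what form the value takes and that it is meant for factory/OEM provisioning. BackgroundImagePath should state what paths are accepted, and UWPLaunchOnBoot should state which identifier it expects for the app.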
@@ -28767,30 +30906,6 @@ If you do not configure this policy setting, users will be able to choose whethe
-
- DisableActiveXVersionListAutoDownload
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- DisableAdobeFlash
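Review bot: DisableActiveXVersionListAutoDownload is deleted from the DDF with no replacement or deprecation text in this hunk. A policy that controls whether the ActiveX version list is auto-downloaded is security-relevant, and removing the node silently breaks profiles that set it; suggest leaving the node in place with a deprecation note. Also confirm that the trailing `- DisableAdobeFlash` line, which removes the next node's name line, is a diff-alignment artifact rather than a second deletion.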
@@ -37961,6 +40076,102 @@ If the user has configured a slide show to run on the lock screen when the machi
+
+ LetAppsAccessBackgroundSpatialPerception
+
+
+
+
+
+
+
+ This policy setting specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps
+
+
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps
+
+
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps
+
+
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the user movements privacy setting for the listed apps. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LetAppsAccessCalendar
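Review bot: the four LetAppsAccessBackgroundSpatialPerception nodes have descriptions, but none lists the supported values or the default, unlike the Configure*IMEVersion family added later in this patch. The base node should spell out what each value means (user in control, force allow, force deny, as the three list-node suffixes imply), and the list nodes should state which list wins when a package family name appears in more than one, because that precedence decides whether a background app keeps reading head and hand movement after the administrator believes it is denied.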
@@ -44048,6 +46259,90 @@ If you disable or do not configure this policy setting, File History can be acti
+
+ ConfigureJapaneseIMEVersion
+
+
+
+
+
+
+
+ This policy allows the IT admin to configure the Microsoft Japanese IME version in the desktop.
+The following list shows the supported values:
+0 (default) – The new Microsoft Japanese IME is on by default. Allow to control Microsoft Japanese IME version to use.
+1 - The previous version of Microsoft Japanese IME is always selected. Not allowed to control Microsoft Japanese IME version to use.
+2 - The new Microsoft Japanese IME is always selected. Not allowed to control Microsoft Japanese IME version to use.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureSimplifiedChineseIMEVersion
+
+
+
+
+
+
+
+ This policy allows the IT admin to configure the Microsoft Simplified Chinese IME version in the desktop.
+The following list shows the supported values:
+0 (default) – The new Microsoft Simplified Chinese IME is on by default. Allow to control Microsoft Simplified Chinese IME version to use.
+1 - The previous version of Microsoft Simplified Chinese IME is always selected. Not allowed to control Microsoft Simplified Chinese IME version to use.
+2 - The new Microsoft Simplified Chinese IME is always selected. Not allowed to control Microsoft Simplified Chinese IME version to use.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureTraditionalChineseIMEVersion
+
+
+
+
+
+
+
+ This policy allows the IT admin to configure the Microsoft Traditional Chinese IME version in the desktop.
+The following list shows the supported values:
+0 (default) – The new Microsoft Traditional Chinese IME is on by default. Allow to control Microsoft Traditional Chinese IME version to use.
+1 - The previous version of Microsoft Traditional Chinese IME is always selected. Not allowed to control Microsoft Traditional Chinese IME version to use.
+2 - The new Microsoft Traditional Chinese IME is always selected. Not allowed to control Microsoft Traditional Chinese IME version to use.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ EnableTouchKeyboardAutoInvokeInDesktopMode
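Review bot: in all three Configure*IMEVersion descriptions the supported-values list mixes an en dash for value 0 ("0 (default) – ...") with a plain hyphen for 1 and 2, and the trailing sentences "Allow to control ... version to use" and "Not allowed to control ... version to use" are ungrammatical. Suggest, for each node: "0 (default) - The new Microsoft Japanese IME is on by default. Users can choose which IME version to use." and "1 - The previous version of Microsoft Japanese IME is always selected. Users cannot change the IME version." Also "in the desktop" should be "on the desktop".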
@@ -45857,6 +48152,30 @@ If you disable or do not configure this policy setting, the wake setting as spec
+
+ TargetReleaseVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ UpdateNotificationLevel
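Review bot: TargetReleaseVersion is added with an empty description and no value format. If, as the name suggests, it pins the release a device stays on, the description should say what form the value takes and warn that a pinned release past its servicing end stops receiving security updates; otherwise this node is easy to set and forget.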
@@ -48510,6 +50829,33 @@ Note: The first sign-in animation will not be shown on Server, so this policy wi
LastWrite
+
+ BlockNonAdminUserInstall
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AppxPackageManager.admx
+ AppxPackageManager~AT~WindowsComponents~AppxDeployment
+ BlockNonAdminUserInstall
+ LowestValueMostSecure
+
+ DisableStoreOriginatedApps
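Review bot: BlockNonAdminUserInstall is the only node in this patch that carries a default ("0"), an ADMX mapping (AppxPackageManager.admx) and a secure-direction flag, yet its description is empty; add one. More importantly, check the flag: it is marked LowestValueMostSecure, but for a node named BlockNonAdminUserInstall the blocking (more restrictive) setting is presumably 1, so HighestValueMostSecure looks like the correct annotation; an inverted flag makes conflict resolution between profiles pick the less secure value.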
@@ -49577,6 +51923,1960 @@ Note: The first sign-in animation will not be shown on Server, so this policy wi
+
+ Audit
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AccountLogon_AuditCredentialValidation
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by validation tests on user account logon credentials.
+
+Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Logon
+ Audit Credential Validation
+ LastWrite
+
+
+
+ AccountLogon_AuditKerberosAuthenticationService
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests.
+
+If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests.
+If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Logon
+ Audit Kerberos Authentication Service
+ LastWrite
+
+
+
+ AccountLogon_AuditKerberosServiceTicketOperations
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts.
+
+If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests.
+If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Logon
+ Audit Kerberos Service Ticket Operations
+ LastWrite
+
+
+
+ AccountLogon_AuditOtherAccountLogonEvents
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.
+
+Currently, there are no events in this subcategory.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Logon
+ Audit Other Account Logon Events
+ LastWrite
+
+
+
+ AccountLogonLogoff_AuditAccountLockout
+
+
+
+
+ 1
+ This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out.
+
+If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+
+Logon events are essential for understanding user activity and to detect potential attacks.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff
+ Audit Account Lockout
+ LastWrite
+
+
+
+ AccountLogonLogoff_AuditGroupMembership
+
+
+
+
+ 0
+ This policy allows you to audit the group memberhsip information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
+
+When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group memberhsip information cannot fit in a single security audit event.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff
+ Audit Group Membership
+ LastWrite
+
+
+
+ AccountLogonLogoff_AuditIPsecExtendedMode
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
+
+If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff
+ Audit IPsec Extended Mode
+ LastWrite
+
+
+
+ AccountLogonLogoff_AuditIPsecMainMode
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
+
+If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff
+ Audit IPsec Main Mode
+ LastWrite
+
+
+
+ AccountLogonLogoff_AuditIPsecQuickMode
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
+
+If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.If
+ you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff
+ Audit IPsec Quick Mode
+ LastWrite
+
+
+
+ AccountLogonLogoff_AuditLogoff
+
+
+
+
+ 1
+ This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to.
+
+If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions.
+If you do not configure this policy setting, no audit event is generated when a logon session is closed.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff
+ Audit Logoff
+ LastWrite
+
+
+
+ AccountLogonLogoff_AuditLogon
+
+
+
+
+ 1
+ This policy setting allows you to audit events generated by user account logon attempts on the computer.
+Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included:
+ Successful logon attempts.
+ Failed logon attempts.
+ Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command.
+ Security identifiers (SIDs) were filtered and not allowed to log on.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff
+ Audit Logon
+ LastWrite
+
+
+
+ AccountLogonLogoff_AuditNetworkPolicyServer
+
+
+
+
+ 3
+ This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
+If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts.
+If you do not configure this policy settings, IAS and NAP user access requests are not audited.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff
+ Audit Network Policy Server
+ LastWrite
+
+
+
+ AccountLogonLogoff_AuditOtherLogonLogoffEvents
+
+
+
+
+ 0
+ This policy setting allows you to audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting such as the following:
+ Terminal Services session disconnections.
+ New Terminal Services sessions.
+ Locking and unlocking a workstation.
+ Invoking a screen saver.
+ Dismissal of a screen saver.
+ Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration.
+ Access to a wireless network granted to a user or computer account.
+ Access to a wired 802.1x network granted to a user or computer account.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff
+ Audit Other Logon Logoff Events
+ LastWrite
+
+
+
+ AccountLogonLogoff_AuditSpecialLogon
+
+
+
+
+ 1
+ This policy setting allows you to audit events generated by special logons such as the following :
+ The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
+ A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121697).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff
+ Audit Special Logon
+ LastWrite
+
+
+
+ AccountLogonLogoff_AuditUserDeviceClaims
+
+
+
+
+ 0
+ This policy allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
+
+User claims are added to a logon token when claims are included with a user's account attributes in Active Directory. Device claims are added to the logon token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on.
+
+When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff
+ Audit User Device Claims
+ LastWrite
+
+
+
+ AccountManagement_AuditApplicationGroupManagement
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by changes to application groups such as the following:
+ Application group is created, changed, or deleted.
+ Member is added or removed from an application group.
+
+If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when an application group changes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management
+ Audit Application Group Management
+ LastWrite
+
+
+
+ AccountManagement_AuditComputerAccountManagement
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted.
+
+If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when a computer account changes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management
+ Audit Computer Account Management
+ LastWrite
+
+
+
+ AccountManagement_AuditDistributionGroupManagement
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by changes to distribution groups such as the following:
+ Distribution group is created, changed, or deleted.
+ Member is added or removed from a distribution group.
+ Distribution group type is changed.
+
+If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when a distribution group changes.
+
+Note: Events in this subcategory are logged only on domain controllers.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management
+ Audit Distributio Group Management
+ LastWrite
+
+
+
+ AccountManagement_AuditOtherAccountManagementEvents
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following:
+ The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration.
+ The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack.
+ Changes to the Default Domain Group Policy under the following Group Policy paths:
+Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
+Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management
+ Audit Other Account Management Events
+ LastWrite
+
+
+
+ AccountManagement_AuditSecurityGroupManagement
+
+
+
+
+ 1
+ This policy setting allows you to audit events generated by changes to security groups such as the following:
+ Security group is created, changed, or deleted.
+ Member is added or removed from a security group.
+ Group type is changed.
+
+If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when a security group changes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management
+ Audit Security Group Management
+ LastWrite
+
+
+
+ AccountManagement_AuditUserAccountManagement
+
+
+
+
+ 1
+ This policy setting allows you to audit changes to user accounts. Events include the following:
+ A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked.
+ A user account’s password is set or changed.
+ A security identifier (SID) is added to the SID History of a user account.
+ The Directory Services Restore Mode password is configured.
+ Permissions on administrative user accounts are changed.
+ Credential Manager credentials are backed up or restored.
+
+If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a user account changes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management
+ Audit User Account Management
+ LastWrite
+
+
+
+ DetailedTracking_AuditDPAPIActivity
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720.
+
+If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests.
+If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking
+ Audit DPAPI Activity
+ LastWrite
+
+
+
+ DetailedTracking_AuditPNPActivity
+
+
+
+
+ 0
+ This policy setting allows you to audit when plug and play detects an external device.
+
+If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category.
+If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking
+ Audit PNP Activity
+ LastWrite
+
+
+
+ DetailedTracking_AuditProcessCreation
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited.
+
+If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when a process is created.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking
+ Audit Process Creation
+ LastWrite
+
+
+
+ DetailedTracking_AuditProcessTermination
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated when a process ends.
+
+If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when a process ends.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking
+ Audit Process Termination
+ LastWrite
+
+
+
+ DetailedTracking_AuditRPCEvents
+
+
+
+
+ 0
+ This policy setting allows you to audit inbound remote procedure call (RPC) connections.
+
+If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking
+ Audit RPC Events
+ LastWrite
+
+
+
+ DetailedTracking_AuditTokenRightAdjusted
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by adjusting the privileges of a token.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking
+ Audit Token Right Adjusted
+ LastWrite
+
+
+
+ DSAccess_AuditDetailedDirectoryServiceReplication
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~DS Access
+ Audit Detailed Directory Service Replication
+ LastWrite
+
+
+
+ DSAccess_AuditDirectoryServiceAccess
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed.
+
+Only AD DS objects with a matching system access control list (SACL) are logged.
+
+Events in this subcategory are similar to the Directory Service Access events available in previous versions of Windows.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~DS Access
+ Audit Directory Service Access
+ LastWrite
+
+
+
+ DSAccess_AuditDirectoryServiceChanges
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted.
+
+When possible, events logged in this subcategory indicate the old and new values of the object’s properties.
+
+Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged.
+
+Note: Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.
+
+If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded.
+If you do not configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~DS Access
+ Audit Directory Service Changes
+ LastWrite
+
+
+
+ DSAccess_AuditDirectoryServiceReplication
+
+
+
+
+ 0
+ This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers.
+
+If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication.
+If you do not configure this policy setting, no audit event is generated during AD DS replication.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~DS Access
+ Audit Directory Service Replication
+ LastWrite
+
+
+
+ ObjectAccess_AuditApplicationGenerated
+
+
+
+
+ 0
+ This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function.
+Events in this subcategory include:
+ Creation of an application client context.
+ Deletion of an application client context.
+ Initialization of an application client context.
+ Other application operations using the Windows Auditing APIs.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access
+ Audit Application Generated
+ LastWrite
+
+
+
+ ObjectAccess_AuditCentralAccessPolicyStaging
+
+
+
+
+ 0
+ This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object.
+
+If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event will be generated as follows:
+1) Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access.
+2) Failure audits when configured records access attempts when:
+ a) The current central access policy does not grant access but the proposed policy grants access.
+ b) A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy.
+
+Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access
+ Audit Central Access Policy Staging
+ LastWrite
+
+
+
+ ObjectAccess_AuditCertificationServices
+
+
+
+
+ 0
+ This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations.
+AD CS operations include the following:
+ AD CS startup/shutdown/backup/restore.
+ Changes to the certificate revocation list (CRL).
+ New certificate requests.
+ Issuing of a certificate.
+ Revocation of a certificate.
+ Changes to the Certificate Manager settings for AD CS.
+ Changes in the configuration of AD CS.
+ Changes to a Certificate Services template.
+ Importing of a certificate.
+ Publishing of a certification authority certificate is to Active Directory Domain Services.
+ Changes to the security permissions for AD CS.
+ Archival of a key.
+ Importing of a key.
+ Retrieval of a key.
+ Starting of Online Certificate Status Protocol (OCSP) Responder Service.
+ Stopping of Online Certificate Status Protocol (OCSP) Responder Service.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access
+ Audit Certification Services
+ LastWrite
+
+
+
+ ObjectAccess_AuditDetailedFileShare
+
+
+
+
+ 0
+ This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.
+
+If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures.
+
+Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access
+ Audit Detailed File Share
+ LastWrite
+
+
+
+ ObjectAccess_AuditFileShare
+
+
+
+
+ 0
+ This policy setting allows you to audit attempts to access a shared folder.
+
+If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures.
+
+Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access
+ Audit File Share
+ LastWrite
+
+
+
+ ObjectAccess_AuditFileSystem
+
+
+
+
+ 0
+ This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see https://go.microsoft.com/fwlink/?LinkId=122083.
+
+If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL.
+
+Note: You can set a SACL on a file system object using the Security tab in that object's Properties dialog box.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access
+ Audit File System
+ LastWrite
+
+
+
+ ObjectAccess_AuditFilteringPlatformConnection
+
+
+
+
+ 0
+ This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included:
+ The Windows Firewall Service blocks an application from accepting incoming connections on the network.
+ The WFP allows a connection.
+ The WFP blocks a connection.
+ The WFP permits a bind to a local port.
+ The WFP blocks a bind to a local port.
+ The WFP allows a connection.
+ The WFP blocks a connection.
+ The WFP permits an application or service to listen on a port for incoming connections.
+ The WFP blocks an application or service to listen on a port for incoming connections.
+
+If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked.
+If you do not configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access
+ Audit Filtering Platform Connection
+ LastWrite
+
+
+
+ ObjectAccess_AuditFilteringPlatformPacketDrop
+
+
+
+
+ 0
+ This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access
+ Audit Filtering Platform Packet Drop
+ LastWrite
+
+
+
+ ObjectAccess_AuditHandleManipulation
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events.
+
+If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when a handle is manipulated.
+
+Note: Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access
+ Audit Handle Manipulation
+ LastWrite
+
+
+
+ ObjectAccess_AuditKernelObject
+
+
+
+
+ 0
+ This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores.
+Only kernel objects with a matching system access control list (SACL) generate security audit events.
+
+Note: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access
+ Audit Kernel Object
+ LastWrite
+
+
+
+ ObjectAccess_AuditOtherObjectAccessEvents
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects.
+For scheduler jobs, the following are audited:
+ Job created.
+ Job deleted.
+ Job enabled.
+ Job disabled.
+ Job updated.
+For COM+ objects, the following are audited:
+ Catalog object added.
+ Catalog object updated.
+ Catalog object deleted.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access
+ Audit Other Object Access Events
+ LastWrite
+
+
+
+ ObjectAccess_AuditRegistry
+
+
+
+
+ 0
+ This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
+
+If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL.
+
+Note: You can set a SACL on a registry object using the Permissions dialog box.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access
+ Audit Registry
+ LastWrite
+
+
+
+ ObjectAccess_AuditRemovableStorage
+
+
+
+
+ 0
+ This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested.
+
+If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+
+If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access
+ Audit Removable Storage
+ LastWrite
+
+
+
+ ObjectAccess_AuditSAM
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects.
+SAM objects include the following:
+ SAM_ALIAS -- A local group.
+ SAM_GROUP -- A group that is not a local group.
+ SAM_USER – A user account.
+ SAM_DOMAIN – A domain.
+ SAM_SERVER – A computer account.
+If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made.
+Note: Only the System Access Control List (SACL) for SAM_SERVER can be modified.
+Volume: High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121698).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access
+ Audit SAM
+ LastWrite
+
+
+
+ PolicyChange_AuditAuthenticationPolicyChange
+
+
+
+
+ 1
+ This policy setting allows you to audit events generated by changes to the authentication policy such as the following:
+ Creation of forest and domain trusts.
+ Modification of forest and domain trusts.
+ Removal of forest and domain trusts.
+ Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy.
+ Granting of any of the following user rights to a user or group:
+ Access This Computer From the Network.
+ Allow Logon Locally.
+ Allow Logon Through Terminal Services.
+ Logon as a Batch Job.
+ Logon a Service.
+ Namespace collision. For example, when a new trust has the same name as an existing namespace name.
+
+If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when the authentication policy is changed.
+
+Note: The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change
+ Audit Authentication Policy Change
+ LastWrite
+
+
+
+ PolicyChange_AuditAuthorizationPolicyChange
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by changes to the authorization policy such as the following:
+ Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory.
+ Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory.
+ Changes in the Encrypted File System (EFS) policy.
+ Changes to the Resource attributes of an object.
+ Changes to the Central Access Policy (CAP) applied to an object.
+
+If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when the authorization policy changes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change
+ Audit Authorization Policy Change
+ LastWrite
+
+
+
+ PolicyChange_AuditFilteringPlatformPolicyChange
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP) such as the following:
+ IPsec services status.
+ Changes to IPsec policy settings.
+ Changes to Windows Firewall policy settings.
+ Changes to WFP providers and engine.
+
+If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when a change occurs to the WFP.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change
+ Audit Filtering Platform Policy Change
+ LastWrite
+
+
+
+ PolicyChange_AuditMPSSVCRuleLevelPolicyChange
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following:
+ Reporting of active policies when Windows Firewall service starts.
+ Changes to Windows Firewall rules.
+ Changes to Windows Firewall exception list.
+ Changes to Windows Firewall settings.
+ Rules ignored or not applied by Windows Firewall Service.
+ Changes to Windows Firewall Group Policy settings.
+
+If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change
+ Audit MPSSVC Rule Level Policy Change
+ LastWrite
+
+
+
+ PolicyChange_AuditOtherPolicyChangeEvents
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following:
+ Trusted Platform Module (TPM) configuration changes.
+ Kernel-mode cryptographic self tests.
+ Cryptographic provider operations.
+ Cryptographic context operations or modifications.
+ Applied Central Access Policies (CAPs) changes.
+ Boot Configuration Data (BCD) modifications.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change
+ Audit Other Policy Change Events
+ LastWrite
+
+
+
+ PolicyChange_AuditPolicyChange
+
+
+
+
+ 1
+ This policy setting allows you to audit changes in the security audit policy settings such as the following:
+ Settings permissions and audit settings on the Audit Policy object.
+ Changes to the system audit policy.
+ Registration of security event sources.
+ De-registration of security event sources.
+ Changes to the per-user audit settings.
+ Changes to the value of CrashOnAuditFail.
+ Changes to the system access control list on a file system or registry object.
+ Changes to the Special Groups list.
+
+Note: System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change
+ Audit Policy Change
+ LastWrite
+
+
+
+ PrivilegeUse_AuditNonSensitivePrivilegeUse
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights).
+The following privileges are non-sensitive:
+ Access Credential Manager as a trusted caller.
+ Access this computer from the network.
+ Add workstations to domain.
+ Adjust memory quotas for a process.
+ Allow log on locally.
+ Allow log on through Terminal Services.
+ Bypass traverse checking.
+ Change the system time.
+ Create a pagefile.
+ Create global objects.
+
+ Create permanent shared objects.
+ Create symbolic links.
+ Deny access this computer from the network.
+ Deny log on as a batch job.
+ Deny log on as a service.
+ Deny log on locally.
+ Deny log on through Terminal Services.
+ Force shutdown from a remote system.
+ Increase a process working set.
+ Increase scheduling priority.
+ Lock pages in memory.
+ Log on as a batch job.
+ Log on as a service.
+ Modify an object label.
+ Perform volume maintenance tasks.
+ Profile single process.
+ Profile system performance.
+ Remove computer from docking station.
+ Shut down the system.
+ Synchronize directory service data.
+
+If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls.
+If you do not configure this policy setting, no audit event is generated when a non-sensitive privilege is called.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Privilege Use
+ Audit Non Sensitive Privilege Use
+ LastWrite
+
+
+
+ PrivilegeUse_AuditOtherPrivilegeUseEvents
+
+
+
+
+ 0
+ Not used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Privilege Use
+ Audit Other Privilege Use Events
+ LastWrite
+
+
+
+ PrivilegeUse_AuditSensitivePrivilegeUse
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated when sensitive privileges (user rights) are used such as the following:
+ A privileged service is called.
+ One of the following privileges are called:
+ Act as part of the operating system.
+ Back up files and directories.
+ Create a token object.
+ Debug programs.
+ Enable computer and user accounts to be trusted for delegation.
+ Generate security audits.
+ Impersonate a client after authentication.
+ Load and unload device drivers.
+ Manage auditing and security log.
+ Modify firmware environment values.
+ Replace a process-level token.
+ Restore files and directories.
+ Take ownership of files or other objects.
+
+If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests.
+If you do not configure this policy setting, no audit event is generated when sensitive privilege requests are made.
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Privilege Use
+ Audit Sensitive Privilege Use
+ LastWrite
+
+
+
+ System_AuditIPsecDriver
+
+
+
+
+ 0
+ This policy setting allows you to audit events generated by the IPsec filter driver such as the following:
+ Startup and shutdown of the IPsec services.
+ Network packets dropped due to integrity check failure.
+ Network packets dropped due to replay check failure.
+ Network packets dropped due to being in plaintext.
+ Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated.
+ Inability to process IPsec filters.
+
+If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated on an IPSec filter driver operation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System
+ Audit IPsec Driver
+ LastWrite
+
+
+
+ System_AuditOtherSystemEvents
+
+
+
+
+ 3
+ This policy setting allows you to audit any of the following events:
+ Startup and shutdown of the Windows Firewall service and driver.
+ Security policy processing by the Windows Firewall Service.
+ Cryptography key file and migration operations.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System
+ Audit Other System Events
+ LastWrite
+
+
+
+ System_AuditSecurityStateChange
+
+
+
+
+ 1
+ This policy setting allows you to audit events generated by changes in the security state of the computer such as the following events:
+ Startup and shutdown of the computer.
+ Change of system time.
+ Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System
+ Audit Security State Change
+ LastWrite
+
+
+
+ System_AuditSecuritySystemExtension
+
+
+
+
+ 0
+ This policy setting allows you to audit events related to security system extensions or services such as the following:
+ A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM.
+ A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account.
+If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you do not configure this policy setting, no audit event is generated when an attempt is made to load a security system extension.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System
+ Audit Security System Extension
+ LastWrite
+
+
+
+ System_AuditSystemIntegrity
+
+
+
+
+ 3
+ This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following:
+ Events that could not be written to the event log because of a problem with the auditing system.
+ A process that uses a local procedure call (LPC) port that is not valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space.
+ The detection of a Remote Procedure Call (RPC) that compromises system integrity.
+ The detection of a hash value of an executable file that is not valid as determined by Code Integrity.
+ Cryptographic operations that compromise system integrity.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System
+ Audit System Integrity
+ LastWrite
+
+
+ Authentication
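Review bot: Spelling and list structure are inconsistent inside the audit policy descriptions in this hunk. The System_AuditIPsecDriver text writes "IPSec" in "no audit event is generated on an IPSec filter driver operation" while every other line uses "IPsec"; the non-sensitive privileges list in PrivilegeUse_AuditNonSensitivePrivilegeUse has a stray blank line after "Create global objects." that splits the list in two; and "One of the following privileges are called" in PrivilegeUse_AuditSensitivePrivilegeUse should read "is called". Suggest normalizing to "IPsec", removing the blank line, and fixing the verb so the three entries read like the rest of the file.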
@@ -50264,6 +54564,30 @@ Note: The first sign-in animation will not be shown on Server, so this policy wi
LastWrite
+
+ SetMinimumEncryptionKeySize
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LastWrite
+
+ Browser
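Review bot: SetMinimumEncryptionKeySize is added with a default of 0 but no description and no supported-value list, unlike the neighbouring policy entries. A minimum key size is a security control, and a reader cannot tell from this entry what 0 enforces (no minimum, or something else) or which values are accepted. Suggest adding the description and the accepted range before this merges.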
@@ -51675,7 +55999,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically.
-When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and extension.
+When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension.
When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel.
@@ -51686,11 +56010,11 @@ If disabled or not configured, extensions defined as part of this policy get ign
Default setting: Disabled or not configured
Related policies: Allow Developer Tools
Related Documents:
-- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)
-- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business)
-- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy)
-- Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager (https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
-- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows)
+- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)
+- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business)
+- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy)
+- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows)
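Review bot: This hunk replaces current links with retired ones. The removed lines point at docs.microsoft.com/configmgr/... and use the product name "Microsoft Endpoint Configuration Manager"; the added lines restore the older /sccm/ paths, the name "System Center Configuration Manager", and hard-code an en-us locale segment in every URL. That pattern looks like a stale branch overwriting a newer edit rather than an intended change. Suggest keeping the removed lines as they were.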
@@ -54424,6 +58748,34 @@ Related policy:
LastWrite
+
+ DOCacheHostSource
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ CacheHostSource
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ CacheHostSource
+ LastWrite
+
+ DODelayBackgroundDownloadFromHttp
@@ -54619,6 +58971,34 @@ Related policy:
LastWrite
+
+ DOMaxBackgroundDownloadBandwidth
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ MaxBackgroundDownloadBandwidth
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MaxBackgroundDownloadBandwidth
+ LastWrite
+
+ DOMaxCacheAge
@@ -54676,7 +59056,7 @@ Related policy:
- DOMaxDownloadBandwidth
+ DOMaxForegroundDownloadBandwidth
@@ -54697,37 +59077,9 @@ Related policy:
DeliveryOptimization.admx
- MaxDownloadBandwidth
+ MaxForegroundDownloadBandwidthDeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
- MaxDownloadBandwidth
- LastWrite
-
-
-
- DOMaxUploadBandwidth
-
-
-
-
- 0
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- DeliveryOptimization.admx
- MaxUploadBandwidth
- DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
- MaxUploadBandwidth
+ MaxForegroundDownloadBandwidthLastWrite
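Review bot: Two of the added lines fuse separate fields into one value: "MaxForegroundDownloadBandwidthDeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat" and "MaxForegroundDownloadBandwidthLastWrite", where the removed lines carried "MaxDownloadBandwidth", the "DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat" path and "LastWrite" as distinct entries. As written the ADMX name and the category path (and the name and the conflict-resolution value) are concatenated, which will either fail to parse or map the policy to a non-existent ADMX element. The same hunk also deletes the whole DOMaxUploadBandwidth entry with no replacement; confirm that removal is intentional and not further damage from the same bad merge.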
@@ -54954,35 +59306,6 @@ Related policy:
LastWrite
-
- DOPercentageMaxDownloadBandwidth
-
-
-
-
- 0
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- phone
- DeliveryOptimization.admx
- PercentageMaxDownloadBandwidth
- DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
- PercentageMaxDownloadBandwidth
- LastWrite
-
- DOPercentageMaxForegroundBandwidth
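Review bot: Removing DOPercentageMaxDownloadBandwidth while DOPercentageMaxForegroundBandwidth stays reads as a deliberate split into foreground and background policies. If so, the change should say which policy admins who have the old setting deployed should migrate to, since dropping the entry from the DDF silently stops MDM from being able to set it.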
@@ -55429,6 +59752,33 @@ Related policy:
LastWrite
+
+ AllowInstallationOfMatchingDeviceInstanceIDs
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ deviceinstallation.admx
+ DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category
+ DeviceInstall_Instance_IDs_Allow
+ LastWrite
+
+ AllowInstallationOfMatchingDeviceSetupClasses
@@ -55537,6 +59887,33 @@ Related policy:
LastWrite
+
+ PreventInstallationOfMatchingDeviceInstanceIDs
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ deviceinstallation.admx
+ DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category
+ DeviceInstall_Instance_IDs_Deny
+ LastWrite
+
+ PreventInstallationOfMatchingDeviceSetupClasses
@@ -57087,6 +61464,118 @@ If you do not configure this policy setting, users will be able to choose whethe
+
+ FactoryComposer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BackgroundImagePath
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ LastWrite
+
+
+
+ OEMVersion
+
+
+
+
+ unset; partners can set via settings customization!
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ LastWrite
+
+
+
+ UserToSignIn
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ LastWrite
+
+
+
+ UWPLaunchOnBoot
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ LastWrite
+
+
+ FileExplorer
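Review bot: In the new FactoryComposer section, the OEMVersion default-value field holds the sentence "unset; partners can set via settings customization!" instead of a value; that remark belongs in the description and the default should be left empty. None of the four entries (BackgroundImagePath, OEMVersion, UserToSignIn, UWPLaunchOnBoot) has description text, and UserToSignIn and UWPLaunchOnBoot in particular determine which account signs in and what launches at boot, so they need a description that states the expected value and effect.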
@@ -58055,33 +62544,6 @@ If you do not configure this policy setting, users will be able to choose whethe
LastWrite
-
- DisableActiveXVersionListAutoDownload
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
- phone
- inetres.admx
- inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement
- VersionListAutomaticDownloadDisable
- LastWrite
-
- DisableAdobeFlash
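Review bot: This hunk deletes the DisableActiveXVersionListAutoDownload entry (inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement, VersionListAutomaticDownloadDisable). Confirm the removal is intentional: dropping a policy from the DDF means MDM can no longer read or set it, and because this one lives under Internet Explorer's security features, a deprecation note telling admins what replaces it is warranted.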
@@ -68232,6 +72694,102 @@ If the user has configured a slide show to run on the lock screen when the machi
;
+
+ LetAppsAccessBackgroundSpatialPerception
+
+
+
+
+ 0
+ This policy setting specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ LastWrite
+ ;
+
+
+
+ LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ LastWrite
+ ;
+
+
+
+ LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the user movements privacy setting for the listed apps. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ LastWrite
+ ;
+
+ LetAppsAccessCalendar
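Review bot: LetAppsAccessBackgroundSpatialPerception is added with a default of 0 but no value table, and the three companion list policies all refer back to "the default LetAppsAccessBackgroundSpatialPerception policy setting" for the specified apps. The description should state which values are accepted and what each means (user in control, force allow, force deny), matching the pattern of the other LetAppsAccess policies in this file, so the override semantics of the ForceAllow, ForceDeny and UserInControl lists are unambiguous.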
@@ -74951,6 +79509,99 @@ If you disable or do not configure this policy setting, File History can be acti
LowestValueMostSecure
+
+ ConfigureJapaneseIMEVersion
+
+
+
+
+ 0
+ This policy allows the IT admin to configure the Microsoft Japanese IME version in the desktop.
+The following list shows the supported values:
+0 (default) – The new Microsoft Japanese IME is on by default. Allow to control Microsoft Japanese IME version to use.
+1 - The previous version of Microsoft Japanese IME is always selected. Not allowed to control Microsoft Japanese IME version to use.
+2 - The new Microsoft Japanese IME is always selected. Not allowed to control Microsoft Japanese IME version to use.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ EAIME.admx
+ EAIME~AT~WindowsComponents~L_IME
+ L_ConfigureJapaneseImeVersion
+ LowestValueMostSecure
+
+
+
+ ConfigureSimplifiedChineseIMEVersion
+
+
+
+
+ 0
+ This policy allows the IT admin to configure the Microsoft Simplified Chinese IME version in the desktop.
+The following list shows the supported values:
+0 (default) – The new Microsoft Simplified Chinese IME is on by default. Allow to control Microsoft Simplified Chinese IME version to use.
+1 - The previous version of Microsoft Simplified Chinese IME is always selected. Not allowed to control Microsoft Simplified Chinese IME version to use.
+2 - The new Microsoft Simplified Chinese IME is always selected. Not allowed to control Microsoft Simplified Chinese IME version to use.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ EAIME.admx
+ EAIME~AT~WindowsComponents~L_IME
+ L_ConfigureSimplifiedChineseImeVersion
+ LowestValueMostSecure
+
+
+
+ ConfigureTraditionalChineseIMEVersion
+
+
+
+
+ 0
+ This policy allows the IT admin to configure the Microsoft Traditional Chinese IME version in the desktop.
+The following list shows the supported values:
+0 (default) – The new Microsoft Traditional Chinese IME is on by default. Allow to control Microsoft Traditional Chinese IME version to use.
+1 - The previous version of Microsoft Traditional Chinese IME is always selected. Not allowed to control Microsoft Traditional Chinese IME version to use.
+2 - The new Microsoft Traditional Chinese IME is always selected. Not allowed to control Microsoft Traditional Chinese IME version to use.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ EAIME.admx
+ EAIME~AT~WindowsComponents~L_IME
+ L_ConfigureTraditionalChineseImeVersion
+ LowestValueMostSecure
+
+ EnableTouchKeyboardAutoInvokeInDesktopMode
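Review bot: The supported-values lists in the three ConfigureXxxIMEVersion descriptions mix an en dash in "0 (default) –" with a plain hyphen in "1 -" and "2 -", and the phrases "Allow to control Microsoft Japanese IME version to use." and "Not allowed to control Microsoft Japanese IME version to use." are ungrammatical. Suggest one separator throughout and wording like "Users can choose which Microsoft Japanese IME version to use." / "Users cannot change the Microsoft Japanese IME version.", applied to all three entries.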
@@ -76956,6 +81607,33 @@ If you disable or do not configure this policy setting, the wake setting as spec
LastWrite
+
+ TargetReleaseVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ WindowsUpdate.admx
+ TargetReleaseVersionId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ TargetReleaseVersion
+ LastWrite
+
+ UpdateNotificationLevel
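Review bot: TargetReleaseVersion is added with no description and no default, while the entries around it document both. The text should state the expected value format and what the policy does with it, since a reader cannot infer either from the ADMX name "TargetReleaseVersionId" alone.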
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md
index 5e0bc0b2d9..48baff3fe8 100644
--- a/windows/client-management/mdm/pxlogical-csp.md
+++ b/windows/client-management/mdm/pxlogical-csp.md
@@ -1,6 +1,6 @@
---
title: PXLOGICAL configuration service provider
-description: PXLOGICAL configuration service provider
+description: The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques.
ms.assetid: b5fc84d4-aa32-4edd-95f1-a6a9c0feb459
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md
index 70668fa9de..e7cb92b9c4 100644
--- a/windows/client-management/mdm/reboot-csp.md
+++ b/windows/client-management/mdm/reboot-csp.md
@@ -45,12 +45,16 @@ Setting a null (empty) date will delete the existing schedule. In accordance wit
The supported operations are Get, Add, Replace, and Delete.
+
The supported data type is "String".
+
**Schedule/DailyRecurrent**
This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.
Example to configure: 2018-10-25T18:00:00
The supported operations are Get, Add, Replace, and Delete.
+
The supported data type is "String".
+
## Related topics
diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md
index ae536fae17..3beb6993e3 100644
--- a/windows/client-management/mdm/reclaim-seat-from-user.md
+++ b/windows/client-management/mdm/reclaim-seat-from-user.md
@@ -1,6 +1,6 @@
---
title: Reclaim seat from user
-description: The Reclaim seat from user operation returns reclaimed seats for a user in the Micosoft Store for Business.
+description: The Reclaim seat from user operation returns reclaimed seats for a user in the Microsoft Store for Business.
ms.assetid: E2C3C899-D0AD-469A-A319-31A420472A4C
ms.reviewer:
manager: dansimp
@@ -9,12 +9,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 09/18/2017
+ms.date: 05/05/2020
---
# Reclaim seat from user
-The **Reclaim seat from user** operation returns reclaimed seats for a user in the Micosoft Store for Business.
+The **Reclaim seat from user** operation returns reclaimed seats for a user in the Microsoft Store for Business.
## Request
diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
index cfa669f4e5..be9c8a5339 100644
--- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
+++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
@@ -21,7 +21,7 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent
## Register your free Azure Active Directory subscription
-1. Sign in to the Office 365 portal at using your organization's account.
+1. Sign in to the Microsoft 365 admin center at using your organization's account.

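Review bot: "Sign in to the Microsoft 365 admin center at using your organization's account." still reads "at using": a link target between "at" and "using" is missing, and the removed line had the same gap. Either add the admin center URL after "at" or drop the word.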
diff --git a/windows/client-management/mdm/remotelock-csp.md b/windows/client-management/mdm/remotelock-csp.md
index 3ea4ca8ee0..57368cb103 100644
--- a/windows/client-management/mdm/remotelock-csp.md
+++ b/windows/client-management/mdm/remotelock-csp.md
@@ -1,6 +1,6 @@
---
title: RemoteLock CSP
-description: RemoteLock CSP
+description: Learn how RemoteLock CSP supports the ability to lock a device that has a PIN set on the device or reset the PIN on a device that may or may not have a PIN set.
ms.assetid: c7889331-5aa3-4efe-9a7e-20d3f433659b
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index bdf604d6d8..3ee8a2cd21 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -48,16 +48,16 @@ Supported operation is Exec.
Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
**AutomaticRedeployment**
-Added in Windows 10, next major update. Node for the Autopilot Reset operation.
+Added in Windows 10, version 1809. Node for the Autopilot Reset operation.
**AutomaticRedeployment/doAutomaticRedeployment**
-Added in Windows 10, next major update. Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
+Added in Windows 10, version 1809. Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
**AutomaticRedeployment/LastError**
-Added in Windows 10, next major update. Error value, if any, associated with Autopilot Reset operation (typically an HRESULT).
+Added in Windows 10, version 1809. Error value, if any, associated with Autopilot Reset operation (typically an HRESULT).
**AutomaticRedeployment/Status**
-Added in Windows 10, next major update. Status value indicating current state of an Autopilot Reset operation.
+Added in Windows 10, version 1809. Status value indicating current state of an Autopilot Reset operation.
Supported values:
diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
index efafe7ae2f..1b4f1ec6bc 100644
--- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
+++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
@@ -1,6 +1,6 @@
---
title: REST API reference for Microsoft Store for Business
-description: REST API reference for Microsoft Store for Business
+description: REST API reference for Microsoft Store for Business--includes available operations and data structures.
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference'
- 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business'
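Review bot: The new description joins its clauses with a double hyphen ("Business--includes"), which renders literally in the metadata field. Suggest a colon or comma: "REST API reference for Microsoft Store for Business: includes available operations and data structures."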
diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md
index eaae458518..cf00680823 100644
--- a/windows/client-management/mdm/sharedpc-csp.md
+++ b/windows/client-management/mdm/sharedpc-csp.md
@@ -1,6 +1,6 @@
---
title: SharedPC CSP
-description: SharedPC CSP
+description: Learn how the SharedPC configuration service provider is used to configure settings for Shared PC usage.
ms.assetid: 31273166-1A1E-4F96-B176-CB42ECB80957
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md
index ee4f4c5e68..9d9be94f93 100644
--- a/windows/client-management/mdm/storage-ddf-file.md
+++ b/windows/client-management/mdm/storage-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Storage DDF file
-description: Storage DDF file
+description: See how storage configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.assetid: 247062A3-4DFB-4B14-A3D1-68D02C27703C
ms.reviewer:
manager: dansimp
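Review bot: The new description opens with a fragment, "See how storage configuration service provider.", that has no verb. Suggest matching the wording used for the other DDF pages in this change: "See the OMA DM device description framework (DDF) for the Storage configuration service provider. DDF files are used only with OMA DM provisioning XML."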
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index 64077761f8..28d0b9c42e 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -14,9 +14,6 @@ ms.date: 09/12/2019
# SUPL CSP
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
The SUPL configuration service provider is used to configure the location client, as shown in the following table:
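Review bot: This hunk removes the prerelease warning but leaves ms.date at 09/12/2019 (visible in the hunk context), while the matching edit to supl-ddf-file.md in the same change bumps ms.date to 06/03/2020. Update the date here as well so the page's metadata reflects that the prerelease caveat no longer applies.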
@@ -89,7 +86,7 @@ For OMA DM, if the format for this node is incorrect the entry will be ignored a
Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0.0, set this value to 1. For SUPL 2.0.0, set this value to 2. The default is 1. Refer to FullVersion to define the minor version and the service indicator.
**FullVersion**
-Added in the next major release of Windows 10. Optional. Determines the full version (X.Y.Z where X, Y, and Z are the major version, the minor version, and the service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored.
+Added in Windows 10, version 2004. Optional. Determines the full version (X.Y.Z where X, Y, and Z are the major version, the minor version, and the service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored.
**MCCMNCPairs**
Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network do not match, the device uses the default location service and does not use SUPL.
diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md
index e2b10b625a..2c1db8dd46 100644
--- a/windows/client-management/mdm/supl-ddf-file.md
+++ b/windows/client-management/mdm/supl-ddf-file.md
@@ -9,14 +9,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 07/20/2018
+ms.date: 06/03/2020
---
# SUPL DDF file
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
This topic shows the OMA DM device description framework (DDF) for the **SUPL** configuration service provider (CSP).
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index ab3a46a409..14cd5810b2 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -260,7 +260,7 @@ Note that the data payload of the SyncML needs to be encoded so that it does not
The **LocURI** for the above GP policy is:
-`.\Device\Vendor\MSFT\Policy\Config\AppVirtualization\PublishingAllowServer2`
+`./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2`
To construct SyncML for your area/policy using the samples below, you need to update the **data id** and the **value** in the `` section of the SyncML. The items prefixed with an '&' character are the escape characters needed and can be retained as shown.
diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md
index 1c13aa99ad..eecc7c7075 100644
--- a/windows/client-management/mdm/vpnv2-profile-xsd.md
+++ b/windows/client-management/mdm/vpnv2-profile-xsd.md
@@ -175,6 +175,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
+
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index 79992abc08..70f5a31c7c 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -1,6 +1,6 @@
---
title: WiFi CSP
-description: WiFi CSP
+description: The WiFi configuration service provider provides the functionality to add or delete Wi-Fi networks on a Windows device.
ms.assetid: f927cb5f-9555-4029-838b-03fb68937f06
ms.reviewer:
manager: dansimp
@@ -102,7 +102,7 @@ Added in Windows 10, version 1607. Optional. When set to true it enables Web Pr
Value type is bool.
**WiFiCost**
-Added in Windows 10, version 1809. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behaviour: Unrestricted.
+Added in Windows 10, version 1809. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behavior: Unrestricted.
Supported values:
diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md
index 8757e65d3b..b22b7284fa 100644
--- a/windows/client-management/mdm/win32appinventory-ddf-file.md
+++ b/windows/client-management/mdm/win32appinventory-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Win32AppInventory DDF file
-description: Win32AppInventory DDF file
+description: See the OMA DM device description framework (DDF) for the **Win32AppInventory** configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.assetid: F6BCC10B-BFE4-40AB-AEEE-34679A4E15B0
ms.reviewer:
manager: dansimp
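Review bot: The new description uses markdown bold ("**Win32AppInventory**") inside the front-matter description field. That field is emitted as plain metadata, so the asterisks will appear literally; drop the bold markup.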
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 7831cfbce6..28421dc466 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -1,6 +1,6 @@
---
title: WindowsDefenderApplicationGuard CSP
-description: WindowsDefenderApplicationGuard CSP
+description: Configure the settings in Windows Defender Application Guard by using the WindowsDefenderApplicationGuard configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
index 6b319f1404..e519d6dcd8 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
@@ -1,6 +1,6 @@
---
title: WindowsDefenderApplicationGuard DDF file
-description: WindowsDefenderApplicationGuard DDF file
+description: See the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
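Review bot: the new `+description:` line reads "for the WindowsDefenderApplicationGuard DDF file configuration service provider", which names the DDF file as if it were the CSP. Follow the pattern used for the Win32AppInventory description in this same change: `description: See the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard configuration service provider (CSP).`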
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
index 92f6496c2d..d4f5426134 100644
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -34,3 +34,23 @@ Supported operations are Add, Get, Replace, and Delete. Value type is string.
Optional. Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+
+The following example shows how to add a wired network profile:
+```xml
+
+
+
+ 1
+
+
+ ./Device/Vendor/MSFT/WiredNetwork/LanXML
+
+
+ chr
+
+ falsetrue2500025falsetruefalse26falsefalsefalsetruefalsetrue
+
+
+
+
+```
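Review bot: the added LanXML example presents the profile as one opaque run of values (`falsetrue2500025falsetruefalse26falsefalsefalsetruefalsetrue`) with no sentence saying what it configures, and the two blank lines directly after the opening xml fence line make the code block start with empty lines. Because LanXML is a `chr` node whose Data element carries an entire wired-profile XML document as a string, add a sentence before the fence stating that the value is the wired LAN profile XML, that it has to be escaped (or wrapped in CDATA) so it is not parsed as part of the SyncML, and which settings the sample enables, so that administrators do not apply a profile whose authentication settings they have not reviewed.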
diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
index 914c39c364..206aa9dbc0 100644
--- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
@@ -1,6 +1,6 @@
---
title: WMI providers supported in Windows 10
-description: WMI providers supported in Windows 10
+description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI).
MS-HAID:
- 'p\_phdevicemgmt.wmi\_providers\_supported\_in\_windows\_10\_technical\_preview'
- 'p\_phDeviceMgmt.wmi\_providers\_supported\_in\_windows'
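Review bot: the new `+description:` line expands WMI as "Windows Management Infrastructure", but WMI is Windows Management Instrumentation, and the wrong expansion will land in the page's meta description and search snippet. Change it to `description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Instrumentation (WMI).`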
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
index da5cc3e5c8..3462504a92 100644
--- a/windows/client-management/new-policies-for-windows-10.md
+++ b/windows/client-management/new-policies-for-windows-10.md
@@ -25,6 +25,33 @@ ms.topic: reference
Windows 10 includes the following new policies for management. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://www.microsoft.com/download/100591).
+## New Group Policy settings in Windows 10, version 1903
+
+The following Group Policy settings were added in Windows 10, version 1903:
+
+**System**
+
+- System\Service Control Manager Settings\Security Settings\Enable svchost.exe mitigation options
+- System\Storage Sense\Allow Storage Sense
+- System\Storage Sense\Allow Storage Sense Temporary Files cleanup
+- System\Storage Sense\Configure Storage Sense
+- System\Storage Sense\Configure Storage Sense Cloud content dehydration threshold
+- System\Storage Sense\Configure Storage Sense Recycle Bin cleanup threshold
+- System\Storage Sense\Configure Storage Sense Downloads cleanup threshold
+- System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Troubleshooting:Allow users to access recommended troubleshooting for known problems
+
+
+**Windows Components**
+
+- Windows Components\App Privacy\Let Windows apps activate with voice
+- Windows Components\App Privacy\Let Windows apps activate with voice while the system is locked
+- Windows Components\Data Collection and Preview Builds\Allow commercial data pipeline
+- Windows Components\Data Collection and Preview Builds\Configure collection of browsing data for Desktop Analytics
+- Windows Components\Data Collection and Preview Builds\Configure diagnostic data upload endpoint for Desktop Analytics
+- Windows Components\Delivery Optimization\Delay background download Cache Server fallback (in seconds)
+- Windows Components\Delivery Optimization\Delay Foreground download Cache Server fallback (in seconds)
+- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use WDDM graphics display driver for Remote Desktop Connections
+- Windows Components\Windows Logon Options\Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot
## New Group Policy settings in Windows 10, version 1809
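Review bot: the new 1903 section runs straight into the existing `## New Group Policy settings in Windows 10, version 1809` heading with no blank line after the last `- Windows Components\Windows Logon Options\...` item, while the `**System**` list is followed by two blank lines before `**Windows Components**`. Use a single blank line in both places so the section matches the spacing of the 1809 section that follows it.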
@@ -148,8 +175,8 @@ The following Group Policy settings were added in Windows 10, version 1809:
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Remove remote desktop wallpaper
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for logoff of RemoteApp sessions
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for logoff of RemoteApp sessions
-- Windows Components\Windows Defender Antivirus\Configure detection for potentially unwanted applications
-- Windows Components\Windows Defender Antivirus\Scan\Configure low CPU priority for scheduled scans
+- Windows Components\Microsoft Defender Antivirus\Configure detection for potentially unwanted applications
+- Windows Components\Microsoft Defender Antivirus\Scan\Configure low CPU priority for scheduled scans
- Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard
- Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard
- Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user’s device
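Review bot: the two context lines `- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for logoff of RemoteApp sessions` directly above the renamed Defender entries are exact duplicates; since this change already edits the list, drop one of them. For the rename itself, this list documents settings as they appear in the version 1809 policy editor, so confirm that the `Microsoft Defender Antivirus` node name matches the ADMX templates readers of this section will have, and consider a one-line note that older templates show the node as `Windows Defender Antivirus`.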
@@ -291,12 +318,12 @@ The following Group Policy settings were added in Windows 10, version 1709:
- Windows Components\Search\Allow Cloud Search
- Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard
- Windows Components\Windows Defender Application Guard\Allow auditing events in Windows Defender Application Guard
-- Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Network Protection\Prevent users and apps from accessing dangerous websites
-- Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure Controlled folder access
-- Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules
-- Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Exclude files and paths from Attack Surface Reduction Rules
-- Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure allowed applications
-- Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure protected folders
+- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Network Protection\Prevent users and apps from accessing dangerous websites
+- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure Controlled folder access
+- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules
+- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Exclude files and paths from Attack Surface Reduction Rules
+- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure allowed applications
+- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure protected folders
- Windows Components\Windows Defender Exploit Guard\Exploit Protection\Use a common set of exploit protection settings
- Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Virus and threat protection area
- Windows Components\Windows Defender Security Center\Firewall and network protection\Hide the Firewall and network protection area
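Review bot: the rename to `Windows Components\Microsoft Defender Antivirus\...` in this hunk stops at the first path segment, so each renamed line now mixes the new product name with the unchanged `Windows Defender Exploit Guard` node beneath it, while the sibling `Windows Defender Exploit Guard\Exploit Protection` and `Windows Defender Security Center` entries keep their old names. If the intent is to reflect current ADMX display names, say so at the top of the list (the Antivirus node was renamed in later templates); otherwise readers on version 1709 templates will not find the path as written.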
@@ -431,9 +458,9 @@ The following Group Policy settings were added in Windows 10, version 1703:
- Windows Components\Smart Card\Turn on certificate propagation from smart card
- Windows Components\Tablet PC\Pen UX Behaviors\Prevent flicks
- Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507])
-- Windows Components\Windows Defender Antivirus\Real-time Protection\Turn on behavior monitoring
-- Windows Components\Windows Defender Antivirus\Signature Updates\Define file shares for downloading definition updates
-- Windows Components\Windows Defender Antivirus\Signature Updates\Turn on scan after signature update
+- Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on behavior monitoring
+- Windows Components\Microsoft Defender Antivirus\Signature Updates\Define file shares for downloading definition updates
+- Windows Components\Microsoft Defender Antivirus\Signature Updates\Turn on scan after signature update
- Windows Components\File Explorer\Display confirmation dialog when deleting files
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Allow OpenSearch queries in File Explorer
- Windows Components\Windows Update\Remove access to use all Windows Update features
@@ -496,4 +523,3 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=
-
diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md
index 28f7edaab0..d0806c95e1 100644
--- a/windows/client-management/system-failure-recovery-options.md
+++ b/windows/client-management/system-failure-recovery-options.md
@@ -8,8 +8,8 @@ author: Deland-Han
ms.localizationpriority: medium
ms.author: delhan
ms.date: 8/22/2019
-ms.reviewer:
-manager: dcscontentpm
+ms.reviewer: dcscontentpm
+manager: dansimp
---
# Configure system failure and recovery options in Windows
diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md
index 3acffc551f..667776a7f8 100644
--- a/windows/client-management/troubleshoot-inaccessible-boot-device.md
+++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md
@@ -110,10 +110,10 @@ To verify the BCD entries:
>[!NOTE]
>This output may not contain a path.
-2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder.
+2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device**, **path**, **osdevice**, and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder.
- >[!NOTE]
- >If the computer is UEFI-based, the **bootmgr** and **winload** entires under **{default}** will contain an **.efi** extension.
+ > [!NOTE]
+ > If the computer is UEFI-based, the filepath value specified in the **path** parameter of **{bootmgr}** and **{default}** will contain an **.efi** extension.

@@ -279,4 +279,3 @@ The reason that these entries may affect us is because there may be an entry in
* `sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows`

-
diff --git a/windows/client-management/troubleshoot-tcpip.md b/windows/client-management/troubleshoot-tcpip.md
index b6a0283109..378c042899 100644
--- a/windows/client-management/troubleshoot-tcpip.md
+++ b/windows/client-management/troubleshoot-tcpip.md
@@ -1,6 +1,6 @@
---
title: Advanced troubleshooting for TCP/IP issues
-description: Learn how to troubleshoot TCP/IP issues.
+description: Learn how to troubleshoot common problems in a TCP/IP network environment.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md
index c9691539ef..3a584ddb8f 100644
--- a/windows/client-management/troubleshoot-windows-freeze.md
+++ b/windows/client-management/troubleshoot-windows-freeze.md
@@ -2,7 +2,7 @@
title: Advanced troubleshooting for Windows-based computer freeze issues
ms.reviewer:
manager: dansimp
-description: Learn how to troubleshoot computer freeze issues.
+description: Learn how to troubleshoot computer freeze issues on Windows-based computers and servers.
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index 7428624219..0d01784273 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -1,21 +1,27 @@
# [Configure Windows 10](index.md)
## [Accessibility information for IT Pros](windows-10-accessibility-for-ITPros.md)
## [Configure access to Microsoft Store](stop-employees-from-using-microsoft-store.md)
-## [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md)
-### [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md)
-#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work/cortana-at-work-scenario-1.md)
-#### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work/cortana-at-work-scenario-2.md)
-#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work/cortana-at-work-scenario-3.md)
-#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work/cortana-at-work-scenario-4.md)
-#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work/cortana-at-work-scenario-5.md)
-#### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work/cortana-at-work-scenario-6.md)
-#### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work/cortana-at-work-scenario-7.md)
-### [Set up and test Cortana with Office 365 in your organization](cortana-at-work/cortana-at-work-o365.md)
-### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work/cortana-at-work-crm.md)
-### [Set up and test Cortana for Power BI in your organization](cortana-at-work/cortana-at-work-powerbi.md)
-### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work/cortana-at-work-voice-commands.md)
-### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work/cortana-at-work-policy-settings.md)
-### [Send feedback about Cortana at work back to Microsoft](cortana-at-work/cortana-at-work-feedback.md)
+## [Configure Cortana in Windows 10](cortana-at-work/cortana-at-work-overview.md)
+## [Set up and test Cortana in Windows 10, version 2004 and later](cortana-at-work/set-up-and-test-cortana-in-windows-10.md)
+## [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md)
+### [Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query](cortana-at-work/cortana-at-work-scenario-1.md)
+### [Test scenario 2 - Perform a Bing search with Cortana](cortana-at-work/cortana-at-work-scenario-2.md)
+### [Test scenario 3 - Set a reminder](cortana-at-work/cortana-at-work-scenario-3.md)
+### [Test scenario 4 - Use Cortana to find free time on your calendar](cortana-at-work/cortana-at-work-scenario-4.md)
+### [Test scenario 5 - Find out about a person](cortana-at-work/cortana-at-work-scenario-5.md)
+### [Test scenario 6 - Change your language and perform a quick search with Cortana](cortana-at-work/cortana-at-work-scenario-6.md)
+## [Send feedback about Cortana back to Microsoft](cortana-at-work/cortana-at-work-feedback.md)
+## [Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization](cortana-at-work/cortana-at-work-o365.md)
+## [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md)
+### [Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query](cortana-at-work/test-scenario-1.md)
+### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work/test-scenario-2.md)
+### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work/test-scenario-3.md)
+### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work/test-scenario-4.md)
+### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work/test-scenario-5.md)
+### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work/test-scenario-6.md)
+### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work/cortana-at-work-scenario-7.md)
+## [Set up and test custom voice commands in Cortana for your organization](cortana-at-work/cortana-at-work-voice-commands.md)
+## [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work/cortana-at-work-policy-settings.md)
## [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
## [Configure kiosks and digital signs on Windows desktop editions](kiosk-methods.md)
### [Prepare a device for kiosk configuration](kiosk-prepare.md)
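Review bot: the reworked TOC contains `## [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md)` twice, once under the version 2004 entries and once under the versions 1909 and earlier entries, both pointing at the same file, and `Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query` appears under both versions with different targets (`cortana-at-work-scenario-1.md` and `test-scenario-1.md`) although the wake-word flow belongs to the newer app. Within the 1909 and earlier block, scenarios 1 to 6 link to `test-scenario-N.md` while scenario 7 still links to `cortana-at-work-scenario-7.md`, and the removed `cortana-at-work-crm.md` and `cortana-at-work-powerbi.md` entries need redirects if those pages are being dropped. Give each block a distinct title and landing page and use one file-naming scheme per block.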
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
index 250b7d99b0..9e2aea142f 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
@@ -13,10 +13,6 @@ manager: dansimp
---
# Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization
-**Applies to:**
-
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, your salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. This can even include getting company-specific news that surfaces when the person is meeting with a representative from another company.
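Review bot: removing the `**Applies to:**` block leaves this page with no version statement at all, while the same change drops `cortana-at-work-crm.md` from the TOC. If the page is being retired it should be redirected or deleted rather than edited; if it is staying, keep a version line so readers know which Windows releases the Preview feature supports.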
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index 8def5a04c7..9b2fcfb9c3 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@@ -1,5 +1,5 @@
---
-title: Send feedback about Cortana at work back to Microsoft (Windows 10)
+title: Send feedback about Cortana at work back to Microsoft
description: How to send feedback to Microsoft about Cortana at work.
ms.prod: w10
ms.mktglfcycl: manage
@@ -12,15 +12,14 @@ ms.reviewer:
manager: dansimp
---
-# Send feedback about Cortana at work back to Microsoft
-**Applies to:**
+# Send feedback about Cortana back to Microsoft
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. This opens the Feedback Hub application where you can provide more information to help diagnose reported issues.
-We ask that you report bugs and issues. To provide feedback, you can click the **Feedback** icon in the Cortana window. When you send this form to Microsoft it also includes troubleshooting info, in case you run into problems.
+:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Send feedback page":::
-
+To provide feedback about the application in general, go to the **Settings** menu by selecting the three dots in the top left of the application, and select **Feedback**. This opens the Feedback Hub where more information on the issue can be provided.
-If you don't want to use the feedback tool in Cortana, you can add feedback through the general Windows Insider Program feedback app. For info about the feedback app, see [How to use Windows Insider Preview – Updates and feedback](https://windows.microsoft.com/en-us/windows/preview-updates-feedback-pc).
+:::image type="content" source="../screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub":::
+In order for enterprise users to provide feedback, admins must unblock the Feedback Hub in the [Azure portal](https://portal.azure.com/). Go to the **Enterprise applications section** and enable **Users can allow apps to access their data**.
\ No newline at end of file
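Review bot: the final added line tells admins to enable **Users can allow apps to access their data** under Enterprise applications to unblock the Feedback Hub, but that is the tenant-wide user consent setting: it lets users grant any application access to their data, not only the Feedback Hub. State that explicitly and mention the narrower option of granting admin consent to the Feedback Hub application alone, so that an admin is not led to loosen consent for every app in order to collect Cortana feedback. Also, `../screenshot1.png` is referenced here with the alt text `Screenshot: Send feedback page` and again in `cortana-at-work-overview.md` in this same change as `Cortana home page example`, so one of the two references points at the wrong image, and `**Enterprise applications section**` should bold only the UI label (`**Enterprise applications** section`).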
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
index 3ec17f6e6c..d915ec9aee 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@@ -1,5 +1,5 @@
---
-title: Set up and test Cortana with Office 365 in your organization (Windows 10)
+title: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings.
ms.prod: w10
ms.mktglfcycl: manage
@@ -12,63 +12,45 @@ ms.reviewer:
manager: dansimp
---
-# Set up and test Cortana with Office 365 in your organization
-**Applies to:**
+# Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
-Cortana in Windows 10 is already great at letting your employees quickly see what the day is going to look like, do meeting prep work like researching people in LinkedIn or getting documents ready, see where and when their meetings are going to be, get a sense of travel times to and from work, and even get updates from a calendar for upcoming trips.
+## What can you do with in Windows 10, versions 1909 and earlier?
+Your employees can use Cortana to help manage their day and be more productive by getting quick answers to common questions, setting reminders, adding tasks to their To-Do lists, and find out where their next meeting is.
-But Cortana works even harder when she connects to Office 365, helping employees to be notified about unusual events, such as meetings over lunch or during a typical commute time, and about early meetings, even setting an alarm so the employee isn’t late.
+**See also:**
-
+[Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10).
-We’re continuing to add more and more capabilities to Cortana so she can become even more helpful with your productivity-related tasks, such as emailing, scheduling, and other tasks that are important to help you be successful.
+### Before you begin
+There are a few things to be aware of before you start using Cortana in Windows 10, versions 1909 and earlier.
->[!NOTE]
->For a quick review of the frequently asked questions about Cortana and Office 365 integration, see the blog post, [An early look at Cortana integration with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=717379).
+- **Azure Active Directory (Azure AD) account.** Before your employees can use Cortana in your org, they must be logged in using their Azure AD account through Cortana's notebook. They must also authorize Cortana to access Microsoft 365 on their behalf.
-## Before you begin
-There are a few things to be aware of before you start using Cortana with Office 365 in your organization.
+- **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn't a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy).
-- **Software requirements.** O365 integration with Cortana is available in all countries/regions where Cortana is supported for consumers today. This includes the United States, United Kingdom, Canada, France, Italy, Germany, Spain, China, Japan, India, and Australia. As Cortana comes to more countries, it will also become available to organizations.
-
-- **Azure Active Directory (Azure AD) account.** Before your employees can use Cortana in your org, they must be logged in using their Azure AD account through Cortana’s notebook. They must also authorize Cortana to access Office 365 on their behalf.
-
-- **Office 365 Trust Center.** Cortana isn't a service covered by the Office 365 Trust Center. [Learn more about how Cortana treats your data](https://go.microsoft.com/fwlink/p/?LinkId=536419).
+- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.
- **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](https://go.microsoft.com/fwlink/p/?LinkId=620763).
-## Turn on Cortana with Office 365 on employees’ devices
-You must tell your employees to turn on Cortana before they’ll be able to use it with Office 365.
+### Turn on Cortana enterprise services on employees' devices
+Your employees must connect Cortana to their Microsoft 365 account to be able to use skills like email and calendar.
-**To turn on local Cortana with Office 365**
+#### Turn on Cortana enterprise services
-1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon.
+1. Select the **Cortana** search box in the taskbar, and then select the **Notebook** icon.
-2. Click on **Connected Services**, click **Office 365**, and then click **Connect**.
-
- 
-
- The employee can also disconnect by clicking **Disconnect** from the **Office 365** screen.
-
-## Turn off Cortana with Office 365
-Cortana can only access data in your Office 365 org when it’s turned on. If you don’t want Cortana to access your corporate data, you can turn it off in the Microsoft 365 admin center.
-
-**To turn off Cortana with Office 365**
-1. [Sign in to Office 365](https://www.office.com/signin) using your Azure AD account.
-
-2. Go to the [admin center](https://support.office.com/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547).
-
-3. Expand **Service Settings**, and select **Cortana**.
-
-4. Click **Cortana** to toggle Cortana off.
-
- All Office 365 functionality related to Cortana is turned off in your organization and your employees are unable to use her at work.
+2. Select **Manage Skills** , select **Manage accounts** , and under **Microsoft 365** select **Link**. The employee will be directed to sign into their Microsoft 365 account.
+3. The employee can also disconnect by selecting **Microsoft 365**, then **Unlink**.
+#### Turn off Cortana enterprise services
+Cortana in Windows 10, versions 1909 and earlier can only access data in your Microsoft 365 organization when it's turned on. If you don't want Cortana to access your corporate data, you can turn it off in the Microsoft 365 admin center.
+1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/) using your admin account.
+2. Select the app launcher icon in the upper-left and choose **Admin**.
+3. Expand **Settings** and select **Org Settings**.
+4. Select **Cortana** to toggle Cortana's access to Microsoft 365 data off.
\ No newline at end of file
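Review bot: the new heading `## What can you do with in Windows 10, versions 1909 and earlier?` is missing the word Cortana ("What can you do with Cortana in ..."), and the sentence beneath it breaks its parallel list ("getting quick answers ..., setting reminders, adding tasks ..., and find out where" should end "and finding out where"). In the **Before you begin** list, the WIP item (`- Windows Information Protection (WIP).`) is the only one without the bold lead-in used by the Azure AD and Office 365 Trust Center items, and step 2 of the enable procedure has stray spaces before its commas (`**Manage Skills** , select **Manage accounts** ,`).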
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index cad5f5470d..5158bc4ada 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -1,5 +1,5 @@
---
-title: Cortana integration in your business or enterprise (Windows 10)
+title: Configure Cortana in Windows 10
ms.reviewer:
manager: dansimp
description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
@@ -11,53 +11,81 @@ ms.localizationpriority: medium
ms.author: dansimp
---
-# Cortana integration in your business or enterprise
-**Applies to:**
-
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+# Configure Cortana in Windows 10
## Who is Cortana?
-Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work.
-Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
-Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data.
+Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more.
-
+:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Cortana home page example":::
## Where is Cortana available for use in my organization?
-You can use Cortana at work in all countries/regions where Cortana is supported for consumers. This includes the United States, United Kingdom, Canada, France, Italy, Germany, Spain, China, Japan, India, and Australia. As Cortana comes to more countries, she will also become available to enterprise customers.
-Cortana is available on Windows 10, version 1703 and with limited functionality on Windows 10 Mobile, version 1703.
+Your employees can use Cortana in the languages listed [here](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). However, most productivity skills are currently only enabled for English (United States), for users with mailboxes in the United States.
+
+The Cortana app in Windows 10, version 2004 requires the latest Microsoft Store update to support languages other than English (United States).
## Required hardware and software
-Cortana requires the following hardware and software to successfully run the included scenario in your organization.
-|Hardware |Description |
-|---------|------------|
-|Microphone |For speech interaction with Cortana. If you don't have a microphone, you can still interact with Cortana by typing in the Cortana Search Box in the taskbar. |
-|Windows Phone |For location-specific reminders. You can also use a desktop device to run through this scenario, but location accuracy is usually better on phones. |
-|Desktop devices |For non-phone-related scenarios. |
+Cortana requires a PC running Windows 10, version 1703 or later, as well as the following software to successfully run the included scenario in your organization.
+>[!NOTE]
+>A microphone isn't required to use Cortana.
-|Software |Minimum version |
-|---------|------------|
-|Client operating system |
**Desktop:** Windows 10, version 1703
**Mobile:** Windows 10 Mobile, version 1703 (with limited functionality)
|
-|Azure Active Directory (Azure AD) |While all employees signing into Cortana need an Azure AD account; an Azure AD premium tenant isn’t required. |
-|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana, but won't turn Cortana off.
For example:
If you turn **Location** off, Cortana won't be able to provide location-based reminders, such as reminding you to visit the mail room when you get to work.
If you turn **Speech** off, your employees won't be able to use “Hello Cortana” for hands free usage or voice commands to easily ask for help. |
-|Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip)
If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.|
+|**Software** |**Minimum version** |
+|---------|---------|
+|Client operating system | Desktop: - Windows 10, version 2004 (recommended)
- Windows 10, version 1703 (legacy version of Cortana)
Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)
For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-overview#how-is-my-data-processed-by-cortana) below. |
+|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn’t required. |
+|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word (“Cortana”) for hands-free activation or voice commands to easily ask for help. |
## Signing in using Azure AD
-Your organization must have an Azure AD tenant and your employees’ devices must all be Azure AD-joined for Cortana to work properly. For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [What is an Azure AD directory?](https://msdn.microsoft.com/library/azure/jj573650.aspx)
-## Cortana and privacy
-We understand that there are some questions about Cortana and your organization’s privacy, including concerns about what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services. For more details about these concerns, see the [Cortana, Search, and privacy: FAQ](https://windows.microsoft.com/windows-10/cortana-privacy-faq) topic.
+Your organization must have an Azure AD tenant and your employees' devices must all be Azure AD-joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but will not be able to use their enterprise email or calendar.) For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [Azure Active Directory documentation.](https://docs.microsoft.com/azure/active-directory/)
+
+## How is my data processed by Cortana?
+
+Cortana's approach to integration with Microsoft 365 has changed with Windows 10, version 2004 and later.
+
+### Cortana in Windows 10, version 2004 and later
+
+Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365).
+
+#### How does Microsoft store, retain, process, and use Customer Data in Cortana?
+
+The table below describes the data handling for Cortana enterprise services.
+
+
+|**Name** |**Description** |
+|---------|---------|
+|**Storage** |Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. Speech audio is not retained. |
+|**Stays in Geo** |Customer Data is stored on Microsoft servers inside the Office 365 cloud in Geo. Your data is part of your tenant. |
+|**Retention** |Customer Data is deleted when the account is closed by the tenant administrator or when a GDPR Data Subject Rights deletion request is made. Speech audio is not retained. |
+|**Processing and confidentiality** |Personnel engaged in the processing of Customer Data and personal data (i) will process such data only on instructions from Customer, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. |
+|**Usage** |Microsoft uses Customer Data only to provide the services agreed upon, and for purposes that are compatible with those services. Machine learning to develop and improve models is one of those purposes. Machine learning is done inside the Office 365 cloud consistent with the Online Services Terms. Your data is not used to target advertising. |
+
+#### How does the wake word (Cortana) work? If I enable it, is Cortana always listening?
+
+>[!NOTE]
+>The wake word has been temporarily disabled in the latest version of Cortana in Windows but will be restored soon. You can still click on the microphone button to use your voice with Cortana.
+
+Cortana only begins listening for commands or queries when the wake word is detected, or the microphone button has been selected.
+
+First, the user must enable the wake word from within Cortana settings. Once it has been enabled, a component of Windows called the [Windows Multiple Voice Assistant platform](https://docs.microsoft.com/windows-hardware/drivers/audio/voice-activation-mva#voice-activation) will start listening for the wake word. No audio is processed by speech recognition unless two local wake word detectors and a server-side one agree with high confidence that the wake word was heard.
+
+The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening.
+
+:::image type="content" source="../screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening":::
+
+At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded.
+
+If all three wake word detectors agree, the Cortana canvas will show what speech has been recognized.
+
+### Cortana in Windows 10, versions 1909 and earlier
+
+Cortana in Windows 10, versions 1909 and earlier, isn't a service covered by the Office 365 Trust Center. [Learn more about how Cortana in Windows 10, version 1909 and earlier, treats your data](https://go.microsoft.com/fwlink/p/?LinkId=536419).
Cortana is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement).
## See also
+
- [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818)
-
-- [Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10)
-
-- [Cortana for developers](https://go.microsoft.com/fwlink/?LinkId=717385)
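Review bot: the wake-word description in the "How does the wake word (Cortana) work?" section is internally inconsistent: "No audio is processed by speech recognition unless two local wake word detectors and a server-side one agree with high confidence that the wake word was heard." is followed a few paragraphs later by "optionally send it to a Microsoft cloud service where a third wake word detector will confirm", so a reader cannot tell whether server-side confirmation is mandatory before audio leaves the device or is optional, and what happens to the audio when the cloud step is skipped; state one rule, because that is the privacy property administrators will be asked about. Separately, the "Client operating system" cell of the software table is broken across several raw lines ("|Client operating system | Desktop: - Windows 10, version 2004 (recommended)" through "For more information on the differences ... see [**How is my data processed by Cortana**](...) below. |"), which does not render inside a Markdown table row; join the cell with `<br>` separators, and replace the absolute docs.microsoft.com link to this page's own heading with the relative anchor `#how-is-my-data-processed-by-cortana` so the "below" reference does not leave the page. Minor: the "Stays in Geo" row says data is stored "inside the Office 365 cloud in Geo" without saying what Geo means here; spell out that it is the tenant's geographic region.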
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 0122fb2eb7..1729809a44 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -13,34 +13,40 @@ manager: dansimp
---
# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
-**Applies to:**
-
-- Windows 10
-- Windows 10 Mobile
>[!NOTE]
->For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=717381).
-
-|Group policy |MDM policy |Description |
-|-------------|-----------|------------|
-|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock|AboveLock/AllowCortanaAboveLock|Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
**Note** This setting only applies to Windows 10 for desktop devices. |
-|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services|Privacy/AllowInputPersonalization|Specifies whether an employee can use voice commands with Cortana in your organization.
**In Windows 10, version 1511** Cortana won’t work if this setting is turned off (disabled).
**In Windows 10, version 1607 and later** Cortana still works if this setting is turned off (disabled).|
-|None|System/AllowLocation|Specifies whether to allow app access to the Location service.
**In Windows 10, version 1511** Cortana won’t work if this setting is turned off (disabled).
**In Windows 10, version 1607 and later** Cortana still works if this setting is turned off (disabled).|
-|None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
Use this setting if you only want to support Azure AD in your organization.|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.
**Note** This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. |
-|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.
**In Windows 10 Pro edition** This setting can’t be managed.
**In Windows 10 Enterprise edition** Cortana won't work if this setting is turned off (disabled).|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.
**Important** Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.|
-
-
-
-
-
-
-
-
-
-
+>For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) topic, located in the configuration service provider reference topics.
+|**Group policy** |**MDM policy** |**Description** |
+|---------|---------|---------|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.
+> [!IMPORTANT]
+> Cortana won’t work if this setting is turned off (disabled). However, on Windows 10, version 1809 and below, employees can still perform local searches even with Cortana turned off. |
+|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
+> [!NOTE]
+> Cortana in Windows 10, versions 2004 and later do not currently support Above Lock. |
+|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice |[Privacy/LetAppsActivateWithVoice](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice) |Specifies whether apps (such as Cortana or other voice assistants) can activate using a wake word (e.g. “Hey Cortana”).
+> [!NOTE]
+> This setting only applies to Windows 10 versions 2004 and later. To disable wake word activation on Windows 10 versions 1909 and earlier, you will need to disable voice commands using Privacy/AllowInputPersonalization. |
+|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone |[Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps) | Use this to disable Cortana’s access to the microphone. To do so, specify Cortana’s Package Family Name: Microsoft.549981C3F5F10_8wekyb3d8bbwe
+Users will still be able to type queries to Cortana. |
+|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in your organization.
+**In Windows 10, version 1511** Cortana won’t work if this setting is turned off (disabled). **In Windows 10, version 1607 and later** Non-speech aspects of Cortana will still work if this setting is turned off (disabled). **In Windows 10, version 2004 and later** Cortana will work, but voice input will be disabled. |
+|None |System/AllowLocation |Specifies whether to allow app access to the Location service.
+**In Windows 10, version 1511** Cortana won’t work if this setting is turned off (disabled).
+**In Windows 10, version 1607 and later**
+Cortana still works if this setting is turned off (disabled).
+**In Windows 10, version 2004 and later**
+Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later do not currently use the Location service. |
+|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
+Disable this setting if you only want to allow users to sign in with their Azure AD account. |
+|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders.
+**In Windows 10, version 2004 and later** Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, do not currently use the Location service. |
+|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |Search/DoNotUseWebResults |Specifies whether search can perform queries on the web and if the web results are displayed in search.
+**In Windows 10 Pro edition** This setting can’t be managed.
+**In Windows 10 Enterprise edition** Cortana won't work if this setting is turned off (disabled).
+**In Windows 10, version 2004 and later** This setting no longer affects Cortana. |
+|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.
+> [!NOTE]
+> This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. |
\ No newline at end of file
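Review bot: the `> [!IMPORTANT]` and `> [!NOTE]` alert blocks placed inside table cells (for example "|...Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana." followed on the next two lines by "> [!IMPORTANT]" and "> Cortana won’t work if this setting is turned off (disabled)... |") will not render as part of the row, because a Markdown table row must be a single line and blockquote syntax is not supported inside a cell; either collapse each cell to one line with `<br>` separators and a bold "Important:" or "Note:" prefix, or move the per-policy caveats into a paragraph below the table. The same applies to the multi-line System/AllowLocation and Search/DoNotUseWebResults cells. The table header row also now directly follows the ">For specific info about how to set, manage, and use each of these MDM policies..." note with no blank line between them; keep the blank line that the deleted block provided so the table is not parsed as a continuation of the blockquote. Finally, the wake word is quoted as "Hey Cortana" in the LetAppsActivateWithVoice row but as "Cortana" in the overview page's Additional policies row in this same change; pick one, since an admin verifying the policy will otherwise listen for the wrong phrase.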
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
index 1239cdfc7a..6bf6aaf7bd 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@@ -13,10 +13,6 @@ manager: dansimp
---
# Set up and test Cortana for Power BI in your organization
-**Applies to:**
-
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
>[!IMPORTANT]
>Cortana for Power BI is deprecated and will not be available in future releases. This topic is provided as a reference for previous versions only.
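Review bot: removing the "Applies to" list ("- Windows 10, version 1703" and "- Windows 10 Mobile, version 1703") leaves this page with no statement of which releases it covers, yet the retained IMPORTANT note says the topic "is provided as a reference for previous versions only"; keep the version list, or fold the versions into that note, so readers of the deprecated feature know which builds the steps were written for.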
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index a7b6e72c12..de5e546244 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -12,49 +12,24 @@ ms.reviewer:
manager: dansimp
---
-# Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook
+# Test scenario 1 – Sign into Azure AD, enable the wake word, and try a voice query
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+>[!NOTE]
+>The wake word has been temporarily disabled in the latest version of Cortana in Windows but will be restored soon.
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+1. Select the **Cortana** icon in the task bar and sign in using your Azure AD account.
-This scenario turns on Azure AD and let's your employee use Cortana to manage an entry in the notebook.
+2. Select the "…" menu and select **Talking to Cortana**.
-## Turn on Azure AD
-This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account.
+3. Toggle **Wake word** to **On** and close Cortana.
-1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, and then click **About Me**.
+4. Say **Cortana, what can you do?**.
-2. Click your email address.
+When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word.
- A dialog box appears, showing the associated account info.
+:::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
-3. Click your email address again, and then click **Sign out**.
+Once you finish saying your query, Cortana will open with the result.
- This signs out the Microsoft account, letting you continue to add and use the Azure AD account.
-
-4. Click the **Search** box and then the **Notebook** icon in the left rail. This will start the sign-in request.
-
-5. Click **Sign-In** and follow the instructions.
-
-6. When you’re asked to sign in, you’ll need to choose an Azure AD account, which will look like kelliecarlson@contoso.com.
-
- >[!IMPORTANT]
- >If there’s no Azure AD account listed, you’ll need to go to **Windows Settings > Accounts > Email & app accounts**, and then click **Add a work or school account** to add it.
-
-## Use Cortana to manage the notebook content
-This process helps you to manage the content Cortana shows in your Notebook.
-
-1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, scroll down and click **Weather**.
-
-2. In the **Weather** settings, scroll down to the **Cities your tracking** area, and then click **Add a city**.
-
-3. Add *Redmond, Washington*, double-click the search result, click **Add**, and then click **Save**.
-
- 
-
-4. Click on the **Home** icon and scroll to the weather forecast for Redmond, Washington.
-
- 
+>[!NOTE]
+>If you've disabled the wake word using MDM or Group Policy, you will need to manually activate the microphone by selecting Cortana, then the mic button.
\ No newline at end of file
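Review bot: the deleted IMPORTANT block (">The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees.") was the only data-handling disclosure on the scenario pages and nothing replaces it; if that flow is now described by the overview, add a one-line pointer to its "How is my data processed by Cortana?" section here so testers see the notice before they sign in and enable the wake word. The new step 3, "Toggle **Wake word** to **On** and close Cortana.", also contradicts the note placed just above the steps that the wake word "has been temporarily disabled", while the closing note tells users whose wake word is disabled by policy to use the mic button instead; say up front that steps 3 and 4 apply only when the wake word is available and that the mic button is the fallback. Minor: "Say **Cortana, what can you do?**." has a stray period after the closing bold, and the heading uses an en dash ("Test scenario 1 –") while scenarios 3 to 5 use a hyphen; align them.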
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index c58d165771..cd8da63e37 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -12,32 +12,15 @@ ms.reviewer:
manager: dansimp
---
-# Test scenario 2 - Perform a quick search with Cortana at work
+# Test scenario 2 – Perform a Bing search with Cortana
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+1. Select the **Cortana** icon in the taskbar.
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+2. Type **What time is it in Hyderabad?**.
-This scenario helps you perform a quick search using Cortana, both by typing and through voice commands.
+Cortana will respond with the information from Bing.
-## Search using Cortana
-This process helps you use Cortana at work to perform a quick search.
+:::image type="content" source="../screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad":::
-1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
-2. Type *Weather in New York*.
-
- You should see the weather in New York, New York at the top of the search results.
-
- 
-
-## Search with Cortana, by using voice commands
-This process helps you to use Cortana at work and voice commands to perform a quick search.
-
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
-
-2. Say *What's the weather in Chicago?* Cortana tells you and shows you the current weather in Chicago.
-
- 
+>[!NOTE]
+>This scenario requires Bing Answers to be enabled. To learn more, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature).
\ No newline at end of file
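Review bot: the alt text on the new screenshot misspells the city ("Screenshot: Cortana showing current time in Hyderbad"); it should match the query text, "Hyderabad". The prerequisite in the closing note, "This scenario requires Bing Answers to be enabled", belongs before step 1 rather than after the screenshot, since a tester on a tenant without Bing Answers will otherwise get an empty result before reading why. Minor: "Type **What time is it in Hyderabad?**." has a stray period after the closing bold.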
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index d072cdb5fa..5382e5665c 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -12,77 +12,14 @@ ms.reviewer:
manager: dansimp
---
-# Test scenario 3 - Set a reminder for a specific location using Cortana at work
+# Test scenario 3 - Set a reminder
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+This scenario helps you set up, review, and edit a reminder. For example, you can remind yourself to send someone a link to a document after a meeting.
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+1. Select the **Cortana** icon in the taskbar and type **Remind me to send a link to the deck at 3:05pm** and press **Enter**.
-This scenario helps you set up, review, and edit a reminder based on a location. For example, reminding yourself to grab your expense report receipts before you leave the house.
+Cortana will create a reminder in Microsoft To Do and will remind you at the appropriate time.
->[!NOTE]
->You can set each reminder location individually as you create the reminders, or you can go into the **About me** screen and add both **Work** and **Home** addresses as favorites. Make sure that you use real addresses since you’ll need to go to these locations to complete your testing scenario.
Additionally, if you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page.
+:::image type="content" source="../screenshot6.png" alt-text="Screenshot: Cortana set a reminder":::
-## Create a reminder for a specific location
-This process helps you to create a reminder based on a specific location.
-
-1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
-
-2. Click the **+** sign, add a subject for your reminder, such as _Remember to file expense report receipts_, and then click **Place**.
-
- 
-
-3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder.
-
- 
-
-4. Click **Done**.
-
- >[!NOTE]
- >If you’ve never used this location before, you’ll be asked to add a name for it so it can be added to the **Favorites list** in Windows Maps.
-
-5. Choose to be reminded the **Next time you arrive at the location** or on a specific day of the week from the drop-down box.
-
-6. Take a picture of your receipts and store them locally on your device.
-
-7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**.
-
- The photo is stored with the reminder.
-
- 
-
-8. Review the reminder info, and then click **Remind**.
-
- The reminder is saved and ready to be triggered.
-
- 
-
-## Create a reminder for a specific location by using voice commands
-This process helps you to use Cortana at work and voice commands to create a reminder for a specific location.
-
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
-
-2. Say _Remind me to grab my expense report receipts before I leave home_.
-
- Cortana opens a new reminder task and asks if it sounds good.
-
- 
-
-3. Say _Yes_ so Cortana can save the reminder.
-
- 
-
-## Edit or archive an existing reminder
-This process helps you to edit or archive and existing or completed reminder.
-
-1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
-
- 
-
-2. Click the pending reminder you want to edit.
-
- 
-
-3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click **Save** to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**.
+:::image type="content" source="../screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page":::
\ No newline at end of file
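Review bot: the unchanged context line "Additionally, if you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page." was the lazy continuation of the NOTE block deleted just above it, and it is now an orphaned sentence about the Notebook UI of the legacy Cortana, while the rewritten scenario describes reminders created in Microsoft To Do; either delete it with the rest of the note or rewrite it for the version 2004 app. Also, the step, the result sentence ("Cortana will create a reminder in Microsoft To Do...") and the two `:::image` directives are stacked with no blank lines between them, so the directives are parsed as continuation text of the list item; separate them with blank lines.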
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index 4ea208fcfd..1a34778608 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -12,42 +12,16 @@ ms.reviewer:
manager: dansimp
---
-# Test scenario 4 - Use Cortana at work to find your upcoming meetings
+# Test scenario 4 - Use Cortana to find free time on your calendar
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+This scenario helps you find out if a time slot is free on your calendar.
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
-
-This scenario helps you search for both general upcoming meetings, and specific meetings, both manually and verbally.
-
->[!NOTE]
->If you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page.
-
-## Find out about upcoming meetings
-This process helps you find your upcoming meetings.
-
-1. Check to make sure your work calendar is connected and synchronized with your Azure AD account.
+1. Select the **Cortana** icon in the taskbar.
2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-3. Type _Show me my meetings for tomorrow_.
-
- You’ll see all your meetings scheduled for the next day.
-
- 
-
-## Find out about upcoming meetings by using voice commands
-This process helps you to use Cortana at work and voice commands to find your upcoming meetings.
-
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box.
-
-2. Say _Show me what meeting I have at 3pm tomorrow_.
-
- >[!IMPORTANT]
- >Make sure that you have a meeting scheduled for the time you specify here.
-
- 
+3. Type **Am I free at 3 PM tomorrow?**
+Cortana will respond with your availability for that time, as well as nearby meetings.
+:::image type="content" source="../screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar":::
\ No newline at end of file
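Review bot: steps 1 and 2 now both open Cortana ("1. Select the **Cortana** icon in the taskbar." followed by the retained "2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar."), so the retained step 2 is redundant and still uses the old "Click" wording; drop step 1 or rewrite step 2 to select the **Search** bar only, and renumber the query step. The response line and the `:::image` directive are also appended directly under "3. Type **Am I free at 3 PM tomorrow?**" with no blank lines, so the image directive is parsed as continuation text of the list item; separate them with blank lines.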
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index f5efc05577..6312ad8983 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -12,48 +12,14 @@ ms.reviewer:
manager: dansimp
---
-# Test scenario 5 - Use Cortana to send email to a co-worker
+# Test scenario 5 - Test scenario 5 – Find out about a person
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+Cortana can help you quickly look up information about someone or the org chart.
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+1. Select the **Cortana** icon in the taskbar.
-This scenario helps you to send an email to a co-worker listed in your work address book, both manually and verbally.
+2. Type or select the mic and say, **Who is name of person in your organization's?**
-## Send an email to a co-worker
-This process helps you to send a quick message to a co-worker from the work address book.
+:::image type="content" source="../screenshot9.png" alt-text="Screenshot: Cortana showing name of person in your organization":::
-1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Azure AD account.
-
-2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
-3. Type _Send an email to <contact_name>_.
-
- Where _<contact_name>_ is the name of someone in your work address book.
-
-4. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**.
-
- 
-
-## Send an email to a co-worker by using voice commands
-This process helps you to use Cortana at work and voice commands to send a quick message to a co-worker from the work address book.
-
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box.
-
-2. Say _Send an email to <contact_name>_.
-
- Where _<contact_name>_ is the name of someone in your work address book.
-
-3. Add your email message by saying, _Hello this is a test email using Cortana at work._
-
- The message is added and you’re asked if you want to **Send it**, **Add more**, or **Make changes**.
-
- 
-
-4. Say _Send it_.
-
- The email is sent.
-
- 
+Cortana will respond with information about the person. You can select the person to see more information about them in Microsoft Search.
\ No newline at end of file
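Review bot: the H1 `+# Test scenario 5 - Test scenario 5 – Find out about a person` repeats its own prefix and should read `# Test scenario 5 – Find out about a person`. In step 2, `**Who is name of person in your organization's?**` is an authoring placeholder that has leaked into the bold query text with a stray possessive; mark it as a placeholder (for example `**Who is <name of a person in your organization>?**`, with the angle brackets escaped for Markdown) so testers know to substitute a real name. The hunk also drops the `[!IMPORTANT]` notice that scenario data is uploaded to Microsoft's cloud; since the new step sends a co-worker's name to the service, keep it.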
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index f5ffb003b7..b2c7bdd9dd 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -12,38 +12,14 @@ ms.reviewer:
manager: dansimp
---
-# Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
+# Test scenario 6 – Change your language and perform a quick search with Cortana
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location.
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement).
+1. Select the **Cortana** icon in the taskbar.
-Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you don’t forget about them. For example, Cortana recognizes that if you include the text, _I’ll get this to you by the end of the week_ in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it.
+2. Select the **…** menu, then select **Settings**, **Language**, then select **Español (España)**. You will be prompted to restart the app.
->[!NOTE]
->The Suggested reminders feature is currently only available in English (en-us).
-
-**To use Cortana to create Suggested reminders for you**
-
-1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md).
-
-2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**.
-
-3. Make sure the **Contacts, email, calendar, and communication history** option is turned on.
-
- 
-
-4. Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**.
-
- 
-
-5. Create and send an email to yourself (so you can see the Suggested reminder), including the text, _I’ll finish this project by end of day today_.
-
-6. After you get the email, click on the Cortana **Home** icon, and scroll to today’s events.
-
- If the reminder has a specific date or time associated with it, like end of day, Cortana notifies you at the appropriate time and puts the reminder into the Action Center. Also from the Home screen, you can view the email where you made the promise, set aside time on your calendar, officially set the reminder, or mark the reminder as completed.
-
- 
+3. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**.
+:::image type="content" source="../screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish":::
\ No newline at end of file
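Review bot: this hunk removes the `[!IMPORTANT]` data-upload notice together with its links to the Microsoft Privacy Statement and Services Agreement, and nothing in the new text replaces it; the same notice stays in cortana-at-work-scenario-7.md (unchanged context in the next hunk) and is added to the new test-scenario-1.md, so the scenario set is now inconsistent about telling testers that their queries leave the device. Keep the notice here. In step 2, say which app restarts (Cortana), and reword the alt text `Cortana showing a change your language and showing search results in Spanish`, which is ungrammatical.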
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index a00867e25b..c10a722ceb 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -14,9 +14,6 @@ manager: dansimp
# Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
-
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
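Review bot: removing the `Windows 10, version 1703` / `Windows 10 Mobile, version 1703` list without a replacement leaves this article with no statement of which Windows 10 versions it covers, while the new set-up article in this PR scopes itself to "version 2004 and later"; add an equivalent applicability line (or a note like the one added to cortana-at-work-voice-commands.md) so readers can tell whether the WIP scenario still applies to the Microsoft 365 version of Cortana.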
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
index 936f8b5788..9ab3b96e22 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@@ -13,26 +13,19 @@ manager: dansimp
---
# Testing scenarios using Cortana in your business or organization
-**Applies to:**
-
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
-- [Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana](cortana-at-work-scenario-1.md)
+- [Sign into Azure AD, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md)
-- [Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
+- [Perform a Bing search with Cortana](cortana-at-work-scenario-2.md)
-- [Set a reminder and have it remind you when you’ve reached a specific location](cortana-at-work-scenario-3.md)
+- [Set a reminder](cortana-at-work-scenario-3.md)
-- [Search for your upcoming meetings on your work calendar](cortana-at-work-scenario-4.md)
+- [Use Cortana to find free time on your calendar](cortana-at-work-scenario-4.md)
-- [Send an email to a co-worker from your work email app](cortana-at-work-scenario-5.md)
+- [Find out about a person](cortana-at-work-scenario-5.md)
-- [Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md)
+- [Change your language and perform a quick search with Cortana](cortana-at-work-scenario-6.md)
-- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization’s entries in the notebook](cortana-at-work-scenario-7.md)
-
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization’s entries in the notebook](cortana-at-work-scenario-7.md)
\ No newline at end of file
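Review bot: the last list item is deleted and re-added verbatim (`-- [Use Windows Information Protection (WIP) ...` / `+- [Use Windows Information Protection (WIP) ...`) only to drop the trailing `[!IMPORTANT]` notice and the final newline; that notice was the one place in this index warning testers that scenario data is uploaded, so either keep it or make sure every linked scenario still carries it. In the first new item, `Sign into Azure AD` should be `Sign in to Azure AD`.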
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index 9ae00ff891..1425bcd323 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -13,15 +13,11 @@ manager: dansimp
---
# Set up and test custom voice commands in Cortana for your organization
-**Applies to:**
-
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
-
-Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions.
>[!NOTE]
->For more info about how your developer can extend your current apps to work directly with Cortana, see [The Cortana Skills Kit](https://docs.microsoft.com/cortana/getstarted).
+>This content applies to Cortana in versions 1909 and earlier, but will not be available in future releases.
+
+Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions.
## High-level process
Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent.
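Review bot: the replacement note `This content applies to Cortana in versions 1909 and earlier` does not say versions of what; write `Windows 10, version 1909 and earlier` (the list removed above named Windows 10 and Windows 10 Mobile, version 1703). The removed link to the Cortana Skills Kit was the only pointer for developers extending their apps; if it is still the right reference for those versions, keep the link inside the new note rather than dropping it.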
diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
new file mode 100644
index 0000000000..14dfdcd3da
--- /dev/null
+++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
@@ -0,0 +1,49 @@
+---
+title: Set up and test Cortana in Windows 10, version 2004 and later
+ms.reviewer:
+manager: dansimp
+description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: kwekua
+ms.localizationpriority: medium
+ms.author: dansimp
+---
+
+# Set up and test Cortana in Windows 10, version 2004 and later
+
+## Before you begin
+
+- If your enterprise had previously disabled Cortana for your employees using the **Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana** Group Policy or the **Experience\AllowCortana** MDM setting but want to enable it now that Cortana is part of Microsoft 365, you will need to re-enable it at least for Windows 10, version 2004 and later.
+- **Cortana is regularly updated through the Microsoft Store.** Beginning with Windows 10, version 2004, Cortana is an appx preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you will need to [enable updates through the Microsoft Store](https://docs.microsoft.com/windows/configuration/stop-employees-from-using-microsoft-store).
+
+## Set up and configure the Bing Answers feature
+Bing Answers provides fast, authoritative results to search queries based on search terms. When the Bing Answers feature is enabled, users will be able to ask Cortana web-related questions in the Cortana in Windows app, such as "What's the current weather?" or "Who is the president of the U.S.?," and get a response, based on public results from Bing.com.
+
+The above experience is powered by Microsoft Bing, and Cortana sends the user queries to Bing. The use of Microsoft Bing is governed by the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement) and [Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement).
+
+## Configure the Bing Answers feature
+
+Admins can configure the Cortana in Windows Bing Answers feature for their organizations. As the admin, use the following steps to change the setting for Bing Answers at the tenant/security group level. This setting is enabled by default, so that all users who have Cortana enabled will be able to receive Bing Answers. By default, the Bing Answer feature will be available to your users.
+
+Users cannot enable or disable the Bing Answer feature individually. So, if you disable this feature at the tenant/security group level, no users in your organization or specific security group will be able to use Bing Answers in Cortana in Windows.
+
+Sign in to the [Office Configuration Admin tool](https://config.office.com/).
+
+Follow the steps [here](https://docs.microsoft.com/deployoffice/overview-office-cloud-policy-service#steps-for-creating-a-policy-configuration) to create this policy configuration. Once completed, the policy will look as shown below:
+
+:::image type="content" source="../screenshot3.png" alt-text="Screenshot: Bing policy example":::
+
+## How does Microsoft handle customer data for Bing Answers?
+
+When a user enters a search query (by speech or text), Cortana evaluates if the request is for any of our first-party compliant skills if enabled in a specific market, and does the following:
+
+1. If it is for any of the first-party compliant skills, the query is sent to that skill, and results/action are returned.
+
+2. If it is not for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic.
+
+Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users and user groups in their organization.
+
+## How the Bing Answer policy configuration is applied
+Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an AAD group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes.
\ No newline at end of file
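Review bot: `## Set up and configure the Bing Answers feature` and `## Configure the Bing Answers feature` are consecutive headings for one topic, and the default-on statement appears three times (`This setting is enabled by default...`, `By default, the Bing Answer feature will be available to your users.`, and again under the customer-data heading); merge the sections, state the default once, and use the feature name consistently (`Bing Answers`, not `Bing Answer`). Under "How the Bing Answer policy configuration is applied", the text says the policy check is repeated every 10 minutes but not what the service does when the Office Cloud Policy Service cannot be reached or when the user is in no assigned AAD group (is the query still sent to Bing?); an admin who disables the feature needs that fail-open/fail-closed behaviour documented, together with the fact that a change can take up to 10 minutes to take effect. Replace the bare `[here]` link text with a descriptive one. The first bullet also tells admins to re-enable Cortana through the `Allow Cortana` Group Policy or `Experience\AllowCortana` MDM setting without noting that, per the later text, every user with Cortana enabled then gets Bing Answers by default; say so next to the re-enable instruction.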
diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md
new file mode 100644
index 0000000000..27402c3b61
--- /dev/null
+++ b/windows/configuration/cortana-at-work/test-scenario-1.md
@@ -0,0 +1,46 @@
+---
+title: Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook
+description: A test scenario about how to sign in with your work or school account and use Cortana to manage the notebook.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: dansimp
+ms.localizationpriority: medium
+ms.author: dansimp
+ms.date: 10/05/2017
+ms.reviewer:
+manager: dansimp
+---
+
+# Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook
+
+This scenario turns on Azure AD and lets your employee use Cortana to manage an entry in the notebook.
+
+## Sign in with your work or school account
+
+This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account.
+
+1. Click on the **Cortana** icon in the taskbar, then click the profile picture in the navigation to open Cortana settings.
+
+2. Click your email address.
+
+A dialog box appears, showing the associated account info.
+
+3. Click **Sign out** under your email address.
+
+This signs out the Microsoft account, letting you continue to add your work or school account.
+
+4. Open Cortana again and select the **Sign in** glyph in the left rail and follow the instructions to sign in with your work or school account.
+
+## Use Cortana to manage the notebook content
+
+This process helps you to manage the content Cortana shows in your Notebook.
+
+1. Select the **Cortana** icon in the taskbar, click **Notebook**, select **Manage Skills.** Scroll down and click **Weather**.
+
+2. In the **Weather** settings, scroll down to the **Cities you're tracking** area, and then click **Add a city**.
+
+3. Add **Redmond, Washington**.
+
+> [!IMPORTANT]
+> The data created as part of these scenarios will be uploaded to Microsoft's Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
\ No newline at end of file
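Review bot: the explanatory paragraphs `A dialog box appears, showing the associated account info.` and `This signs out the Microsoft account, ...` sit unindented between numbered steps, which splits the procedure into three separate lists in Markdown; indent them under the preceding step. The frontmatter `ms.date: 10/05/2017` on a file created in this PR should be updated, and the `[!IMPORTANT]` data-upload notice is placed at the end of the article here while the sibling new files (test-scenario-2 to 6) put it at the top; pick one position. The file also lacks a trailing newline.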
diff --git a/windows/configuration/cortana-at-work/test-scenario-2.md b/windows/configuration/cortana-at-work/test-scenario-2.md
new file mode 100644
index 0000000000..caf24e5f85
--- /dev/null
+++ b/windows/configuration/cortana-at-work/test-scenario-2.md
@@ -0,0 +1,38 @@
+---
+title: Test scenario 2 - Perform a quick search with Cortana at work
+description: A test scenario about how to perform a quick search with Cortana at work.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: dansimp
+ms.localizationpriority: medium
+ms.author: dansimp
+ms.date: 10/05/2017
+ms.reviewer:
+manager: dansimp
+---
+
+# Test scenario 2 – Perform a quick search with Cortana at work
+
+>[!Important]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario helps you perform a quick search using Cortana, both by typing and through voice commands.
+
+## Search using Cortana
+
+1. Click on the Cortana icon in the taskbar, and then click in the Search bar.
+
+2. Type **Type Weather in New York**.
+
+You should see the weather in New York, New York at the top of the search results.
+Insert screenshot
+
+## Search with Cortana, by using voice commands
+
+This process helps you to use Cortana at work and voice commands to perform a quick search.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box).
+
+2. Say **What's the weather in Chicago?** Cortana tells you and shows you the current weather in Chicago.
+Insert screenshot
\ No newline at end of file
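Review bot: step 2 `Type **Type Weather in New York**.` repeats the word `Type` inside the bold query and should be `Type **Weather in New York**.` The two `Insert screenshot` lines are authoring placeholders that must be replaced with `:::image` blocks (as the rewritten cortana-at-work-scenario files do) or removed before merge. `>[!Important]` should use the `>[!IMPORTANT]` casing used elsewhere in the repo.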
diff --git a/windows/configuration/cortana-at-work/test-scenario-3.md b/windows/configuration/cortana-at-work/test-scenario-3.md
new file mode 100644
index 0000000000..e348a1cee9
--- /dev/null
+++ b/windows/configuration/cortana-at-work/test-scenario-3.md
@@ -0,0 +1,79 @@
+---
+title: Test scenario 3 - Set a reminder for a specific location using Cortana at work
+description: A test scenario about how to set up, review, and edit a reminder based on a location.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: dansimp
+ms.localizationpriority: medium
+ms.author: dansimp
+ms.date: 10/05/2017
+ms.reviewer:
+manager: dansimp
+---
+
+# Test scenario 3 - Set a reminder for a specific location using Cortana at work
+
+>[!Important]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario helps you set up, review, and edit a reminder based on a location. For example, reminding yourself to grab your expense report receipts before you leave the house.
+
+>[!Note]
+>You can set each reminder location individually as you create the reminders, or you can go into the About me screen and add both Work and Home addresses as favorites. Make sure that you use real addresses since you’ll need to go to these locations to complete your testing scenario.
+
+Additionally, if you’ve turned on the Meeting & reminder cards & notifications option (in the Meetings & reminders option of your Notebook), you’ll also see your pending reminders on the Cortana Home page.
+
+## Create a reminder for a specific location
+
+This process helps you to create a reminder based on a specific location.
+
+1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
+
+2. Click the **+** sign, add a subject for your reminder, such as **Remember to file expense report receipts**, and then click **Place**.
+
+3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder.
+
+4. Click **Done**.
+
+>[!Note]
+>If you’ve never used this location before, you’ll be asked to add a name for it so it can be added to the Favorites list in Windows Maps.
+
+5. Choose to be reminded the Next time you arrive at the location or on a specific day of the week from the drop-down box.
+
+6. Take a picture of your receipts and store them locally on your device.
+
+7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**.
+
+The photo is stored with the reminder.
+
+Insert screenshot 6
+
+8. Review the reminder info, and then click **Remind**.
+
+The reminder is saved and ready to be triggered.
+Insert screenshot
+
+## Create a reminder for a specific location by using voice commands
+
+This process helps you to use Cortana at work and voice commands to create a reminder for a specific location.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone* icon (to the right of the Search box).
+
+2. Say **Remind me to grab my expense report receipts before I leave home**.
+
+Cortana opens a new reminder task and asks if it sounds good.
+insert screenshot
+
+3. Say **Yes** so Cortana can save the reminder.
+insert screenshot
+
+## Edit or archive an existing reminder
+
+This process helps you to edit or archive and existing or completed reminder.
+
+1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
+
+2. Click the pending reminder you want to edit.
+
+3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click Save to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**.
\ No newline at end of file
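Review bot: `the **Microphone* icon` has an unbalanced asterisk and will render a literal `*`; make it `**Microphone**`. `Insert screenshot 6`, `Insert screenshot` and `insert screenshot` are placeholders left in the article. `edit or archive and existing or completed reminder` should read `an existing`, and `click Save` should be bold like the other button names on that line. The `>[!Note]` between steps 4 and 5 breaks the numbered list; indent it under step 4. Finally, the note asks testers to use real addresses, and the `[!Important]` at the top says that data is uploaded; it is worth stating that a work address is sufficient so testers do not upload their home address just to run the scenario.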
diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md
new file mode 100644
index 0000000000..a0ea0e6332
--- /dev/null
+++ b/windows/configuration/cortana-at-work/test-scenario-4.md
@@ -0,0 +1,52 @@
+---
+title: Use Cortana at work to find your upcoming meetings (Windows 10)
+description: A test scenario about how to use Cortana at work to find your upcoming meetings.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: dansimp
+ms.localizationpriority: medium
+ms.author: dansimp
+ms.date: 10/05/2017
+ms.reviewer:
+manager: dansimp
+---
+
+# Test scenario 4 - Use Cortana at work to find your upcoming meetings
+
+>[!Important]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario helps you search for both general upcoming meetings, and specific meetings, both manually and verbally.
+
+>[!Note]
+>If you’ve turned on the Meeting & reminder cards & notifications option (in the Meetings & reminders option of your Notebook), you’ll also see your pending reminders on the Cortana Home page.
+
+## Find out about upcoming meetings
+
+This process helps you find your upcoming meetings.
+
+1. Check to make sure your work calendar is connected and synchronized with your Azure AD account.
+
+2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+3. Type **Show me my meetings for tomorrow**.
+
+You’ll see all your meetings scheduled for the next day.
+
+Cortana at work, showing all upcoming meetings
+screenshot
+
+## Find out about upcoming meetings by using voice commands
+
+This process helps you to use Cortana at work and voice commands to find your upcoming meetings.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box.
+
+2. Say **Show me what meeting I have at 3pm tomorrow**.
+
+>[!Important]
+>Make sure that you have a meeting scheduled for the time you specify here.
+
+Cortana at work, showing the meeting scheduled for 3pm
+screenshot
\ No newline at end of file
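Review bot: `(to the right of the Search box.` in step 1 of the voice section is missing its closing parenthesis. The frontmatter title `Use Cortana at work to find your upcoming meetings (Windows 10)` does not match the H1 `Test scenario 4 - Use Cortana at work to find your upcoming meetings`; align them as test-scenario-1 to 3 do. The lines `Cortana at work, showing all upcoming meetings` / `screenshot` (and the 3pm pair) are image alt text and a placeholder left as plain paragraphs; convert them to `:::image` blocks or remove them.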
diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md
new file mode 100644
index 0000000000..ec1cb06e32
--- /dev/null
+++ b/windows/configuration/cortana-at-work/test-scenario-5.md
@@ -0,0 +1,61 @@
+---
+title: Use Cortana to send email to a co-worker (Windows 10)
+description: A test scenario about how to use Cortana at work to send email to a co-worker.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: dansimp
+ms.localizationpriority: medium
+ms.author: dansimp
+ms.date: 10/05/2017
+ms.reviewer:
+manager: dansimp
+---
+
+# Test scenario 5 - Use Cortana to send email to a co-worker
+
+>[!Important]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario helps you to send an email to a co-worker listed in your work address book, both manually and verbally.
+
+## Send email to a co-worker
+
+This process helps you to send a quick message to a co-worker from the work address book.
+
+1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Azure AD account.
+
+2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+3. Type **Send an email to **.
+
+Where is the name of someone in your work address book.
+
+4. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**.
+
+Cortana at work, showing the email text
+screenshot
+
+## Send an email to a co-worker by using voice commands
+
+This process helps you to use Cortana at work and voice commands to send a quick message to a co-worker from the work address book.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box.
+
+2. Say **Send an email** to .
+
+Where is the name of someone in your work address book.
+
+3. Add your email message by saying, **Hello this is a test email using Cortana at work**.
+
+The message is added and you’re asked if you want to **Send it**, **Add more**, or **Make changes**.
+
+Cortana at work, showing the email text created from verbal commands
+screenshot
+
+4. Say **Send it**.
+
+The email is sent.
+
+Cortana at work, showing the sent email text
+screenshot
\ No newline at end of file
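Review bot: the `<contact_name>` placeholder from the original article has been lost, so `Type **Send an email to **.`, `Where is the name of someone in your work address book.` and `Say **Send an email** to .` are now incomplete sentences (the angle-bracketed token was most likely stripped as an HTML tag). Restore it in escaped form, e.g. `Type **Send an email to \<contact_name>**.` and `Where _\<contact_name>_ is the name of someone in your work address book.` Step 1 of the voice section again has the unclosed `(to the right of the Search box.`, and the `screenshot` placeholder lines remain.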
diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md
new file mode 100644
index 0000000000..cd22204b99
--- /dev/null
+++ b/windows/configuration/cortana-at-work/test-scenario-6.md
@@ -0,0 +1,48 @@
+---
+title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
+description: A test scenario about how to use Cortana with the Suggested reminders feature.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: dansimp
+ms.localizationpriority: medium
+ms.author: dansimp
+ms.date: 10/05/2017
+ms.reviewer:
+manager: dansimp
+---
+
+# Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
+
+>[!Important]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement).
+
+Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you don’t forget about them. For example, Cortana recognizes that if you include the text, I’ll get this to you by the end of the week in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it.
+
+>[!Important]
+>The Suggested reminders feature is currently only available in English (en-us).
+
+## Use Cortana to create suggested reminders for you
+
+1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-o365).
+
+2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**.
+
+3. Make sure the **Contacts**, **email**, **calendar**, and **communication history** option is turned on.
+
+Permissions options for Cortana at work
+screenshot
+
+4. Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**.
+
+Suggested reminders options for Cortana at work
+screenshot
+
+5. Create and send an email to yourself (so you can see the Suggested reminder), including the text, **I’ll finish this project by end of day today**.
+
+6. After you get the email, click on the Cortana **Home** icon, and scroll to today’s events.
+
+If the reminder has a specific date or time associated with it, like end of day, Cortana notifies you at the appropriate time and puts the reminder into the Action Center. Also from the Home screen, you can view the email where you made the promise, set aside time on your calendar, officially set the reminder, or mark the reminder as completed.
+
+Cortana Home screen with your suggested reminder showing
+screenshot
\ No newline at end of file
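Review bot: the opening paragraph drops a word ("suggesting reminders based things that you said" should be "based on things that you said"), and the example text "I’ll get this to you by the end of the week" needs quotes or bold so readers can see where the sample sentence starts and ends, matching the bold sample in step 5. Step 3 has the user turn on the Contacts, email, calendar, and communication history permissions; since the feature works by scanning email content for commitments (first paragraph), one sentence there saying that this grants Cortana access to mail content would tell readers what they are enabling. The file is also missing its trailing newline.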
diff --git a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
new file mode 100644
index 0000000000..01bd26ace5
--- /dev/null
+++ b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
@@ -0,0 +1,25 @@
+---
+title: Testing scenarios using Cortana in your business or organization
+description: A list of suggested testing scenarios that you can use to test Cortana in your organization.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: dansimp
+ms.localizationpriority: medium
+ms.author: dansimp
+ms.date: 10/05/2017
+ms.reviewer:
+manager: dansimp
+---
+
+# Testing scenarios using Cortana in your business or organization
+
+We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
+
+- [Sign in with your work or school account and use Cortana to manage the notebook](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-1)
+- [Perform a quick search with Cortana at work](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-2)
+- [Set a reminder for a specific location using Cortana at work](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-3)
+- [Use Cortana at work to find your upcoming meetings](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-4)
+- [Use Cortana to send email to a co-worker](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-5)
+- [Review a reminder suggested by Cortana based on what you've promised in email](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-6)
+- [Use Cortana and Windows Information Protection (WIP) to help protect your organization's data on a device](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-7)
\ No newline at end of file
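Review bot: the front matter of this new file sets `ms.date: 10/05/2017` even though the file is being created in this change; set it to the date of this change so the freshness date means something. The seven scenario links are absolute docs.microsoft.com URLs; relative links (for example `cortana-at-work-scenario-1.md`) resolve in local builds and survive a domain move. The file is also missing its trailing newline.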
diff --git a/windows/configuration/images/Shared_PC_1.png b/windows/configuration/images/Shared_PC_1.png
new file mode 100644
index 0000000000..bf145f6c19
Binary files /dev/null and b/windows/configuration/images/Shared_PC_1.png differ
diff --git a/windows/configuration/images/Shared_PC_2.png b/windows/configuration/images/Shared_PC_2.png
new file mode 100644
index 0000000000..c9d2362634
Binary files /dev/null and b/windows/configuration/images/Shared_PC_2.png differ
diff --git a/windows/configuration/images/Shared_PC_3.png b/windows/configuration/images/Shared_PC_3.png
new file mode 100644
index 0000000000..83b3a66fc8
Binary files /dev/null and b/windows/configuration/images/Shared_PC_3.png differ
diff --git a/windows/configuration/images/sccm-asset.PNG b/windows/configuration/images/configmgr-asset.PNG
similarity index 100%
rename from windows/configuration/images/sccm-asset.PNG
rename to windows/configuration/images/configmgr-asset.PNG
diff --git a/windows/configuration/images/sccm-assets.PNG b/windows/configuration/images/configmgr-assets.PNG
similarity index 100%
rename from windows/configuration/images/sccm-assets.PNG
rename to windows/configuration/images/configmgr-assets.PNG
diff --git a/windows/configuration/images/sccm-client.PNG b/windows/configuration/images/configmgr-client.PNG
similarity index 100%
rename from windows/configuration/images/sccm-client.PNG
rename to windows/configuration/images/configmgr-client.PNG
diff --git a/windows/configuration/images/sccm-collection.PNG b/windows/configuration/images/configmgr-collection.PNG
similarity index 100%
rename from windows/configuration/images/sccm-collection.PNG
rename to windows/configuration/images/configmgr-collection.PNG
diff --git a/windows/configuration/images/sccm-install-os.PNG b/windows/configuration/images/configmgr-install-os.PNG
similarity index 100%
rename from windows/configuration/images/sccm-install-os.PNG
rename to windows/configuration/images/configmgr-install-os.PNG
diff --git a/windows/configuration/images/sccm-post-refresh.PNG b/windows/configuration/images/configmgr-post-refresh.PNG
similarity index 100%
rename from windows/configuration/images/sccm-post-refresh.PNG
rename to windows/configuration/images/configmgr-post-refresh.PNG
diff --git a/windows/configuration/images/sccm-pxe.PNG b/windows/configuration/images/configmgr-pxe.PNG
similarity index 100%
rename from windows/configuration/images/sccm-pxe.PNG
rename to windows/configuration/images/configmgr-pxe.PNG
diff --git a/windows/configuration/images/sccm-site.PNG b/windows/configuration/images/configmgr-site.PNG
similarity index 100%
rename from windows/configuration/images/sccm-site.PNG
rename to windows/configuration/images/configmgr-site.PNG
diff --git a/windows/configuration/images/sccm-software-cntr.PNG b/windows/configuration/images/configmgr-software-cntr.PNG
similarity index 100%
rename from windows/configuration/images/sccm-software-cntr.PNG
rename to windows/configuration/images/configmgr-software-cntr.PNG
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index ca42852107..6d72ff398f 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -1,6 +1,6 @@
---
title: Configure Windows 10 (Windows 10)
-description: Learn about configuring Windows 10.
+description: Apply custom accessibility configurations to devices for their users using the all the features and methods available with Windows 10.
keywords: Windows 10, MDM, WSUS, Windows update
ms.prod: w10
ms.mktglfcycl: manage
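Review bot: the new description has a doubled article ("using the all the features") and narrows the page to "custom accessibility configurations", which does not match the title "Configure Windows 10 (Windows 10)" or the keywords line kept in context (MDM, WSUS, Windows update). Suggest something like "Learn how to configure Windows 10 devices for your users using the features and methods available with Windows 10."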
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
index 327042ee5c..43317581df 100644
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -20,10 +20,7 @@ ms.topic: article
**Applies to**
- Windows 10 Ent, Edu
->[!WARNING]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows 10, version 1809 and earlier, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in the next feature update to Windows 10, you can also specify a UWP app as the replacement shell.
+Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows 10, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10, version 1809 and above, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update.
>[!NOTE]
>Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components.
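Review bot: the rewritten availability sentence is ambiguous: "Shell Launcher v1, available in Windows 10" next to "Shell Launcher v2, available in Windows 10, version 1809 and above" reads as if v1 were not available on 1809 and later; say "available in all versions of Windows 10" for v1, and use "and later" rather than "and above" for v2 to match the phrasing used elsewhere in these docs ("Windows 10, version 1607 and later"). Dropping the prerelease warning is right now that the feature ships, but the KB4551853 requirement for version 1809 is easy to miss mid-paragraph and would be better as its own [!NOTE] beside the existing one.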
diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md
index ea34adf834..34b8124fa2 100644
--- a/windows/configuration/kiosk-validate.md
+++ b/windows/configuration/kiosk-validate.md
@@ -1,6 +1,6 @@
---
title: Validate kiosk configuration (Windows 10)
-description: This topic explains what to expect on a multi-app kiosk.
+description: Learn what to expect on a multi-app kiosk in Windows 10 Pro, Enterprise, and Education.
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer:
manager: dansimp
diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md
index c9d6d3b2c0..f09e5ee991 100644
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@@ -1,6 +1,6 @@
---
title: Assigned Access configuration kiosk XML reference (Windows 10)
-description: XML and XSD for kiosk device configuration.
+description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
ms.reviewer:
manager: dansimp
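Review bot: the new description repeats "kiosk" and "configuration" and reads awkwardly ("the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration"); suggest "XML and XSD reference for Assigned Access (kiosk) device configuration in Windows 10", keeping "Assigned Access" capitalised as in the title line.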
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index b69a8c78e1..3de98a5454 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -27,7 +27,7 @@ In Windows 10, version 1703, you can install multiple Universal Windows Platform
When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv).
>[!IMPORTANT]
->If you plan to use Intune to manage your devices, we recommend using Intune to install Office 365 ProPlus 2016 apps (Access, Excel, OneDrive for Business, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Word, Project Desktop Client, and Visio Pro for Office 365 ProPlus). Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to assign Office 365 ProPlus 2016 apps using Microsoft Intune.](https://docs.microsoft.com/intune/apps-add-office365)
+>If you plan to use Intune to manage your devices, we recommend using Intune to install Microsoft 365 Apps for enterprise 2016 apps (Access, Excel, OneDrive for Business, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Word, Project Desktop Client, and Visio Pro for Microsoft 365 Apps for enterprise). Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to assign Microsoft 365 Apps for enterprise 2016 apps using Microsoft Intune.](https://docs.microsoft.com/intune/apps-add-office365)
## Settings for UWP apps
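Review bot: the rename yields "Microsoft 365 Apps for enterprise 2016 apps", which stacks "Apps" and "apps" and attaches the 2016 version to the new brand; suggest "the Microsoft 365 Apps for enterprise (formerly Office 365 ProPlus) apps" so readers who know the old name can still find the page. Please also confirm that the individual product names inside the parentheses ("Visio Pro for Microsoft 365 Apps for enterprise") were renamed by the product group and not only by search-and-replace of the old brand string.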
diff --git a/windows/configuration/screenshot1.png b/windows/configuration/screenshot1.png
new file mode 100644
index 0000000000..ed62740e92
Binary files /dev/null and b/windows/configuration/screenshot1.png differ
diff --git a/windows/configuration/screenshot10.png b/windows/configuration/screenshot10.png
new file mode 100644
index 0000000000..5cb1567235
Binary files /dev/null and b/windows/configuration/screenshot10.png differ
diff --git a/windows/configuration/screenshot11.png b/windows/configuration/screenshot11.png
new file mode 100644
index 0000000000..0ce852ebaa
Binary files /dev/null and b/windows/configuration/screenshot11.png differ
diff --git a/windows/configuration/screenshot12.png b/windows/configuration/screenshot12.png
new file mode 100644
index 0000000000..cd85d80c7e
Binary files /dev/null and b/windows/configuration/screenshot12.png differ
diff --git a/windows/configuration/screenshot2.png b/windows/configuration/screenshot2.png
new file mode 100644
index 0000000000..fb7995600e
Binary files /dev/null and b/windows/configuration/screenshot2.png differ
diff --git a/windows/configuration/screenshot3.png b/windows/configuration/screenshot3.png
new file mode 100644
index 0000000000..07e01661c5
Binary files /dev/null and b/windows/configuration/screenshot3.png differ
diff --git a/windows/configuration/screenshot4.png b/windows/configuration/screenshot4.png
new file mode 100644
index 0000000000..ab1f083c71
Binary files /dev/null and b/windows/configuration/screenshot4.png differ
diff --git a/windows/configuration/screenshot5.png b/windows/configuration/screenshot5.png
new file mode 100644
index 0000000000..0ec6fda3a7
Binary files /dev/null and b/windows/configuration/screenshot5.png differ
diff --git a/windows/configuration/screenshot6.png b/windows/configuration/screenshot6.png
new file mode 100644
index 0000000000..2f3284ee77
Binary files /dev/null and b/windows/configuration/screenshot6.png differ
diff --git a/windows/configuration/screenshot7.png b/windows/configuration/screenshot7.png
new file mode 100644
index 0000000000..e3d80a3ac9
Binary files /dev/null and b/windows/configuration/screenshot7.png differ
diff --git a/windows/configuration/screenshot8.png b/windows/configuration/screenshot8.png
new file mode 100644
index 0000000000..f85eaffdff
Binary files /dev/null and b/windows/configuration/screenshot8.png differ
diff --git a/windows/configuration/screenshot9.png b/windows/configuration/screenshot9.png
new file mode 100644
index 0000000000..f617991a63
Binary files /dev/null and b/windows/configuration/screenshot9.png differ
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 95cf9806b1..289a37a0b6 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -58,7 +58,7 @@ Apps can take advantage of shared PC mode with the following three APIs:
### Customization
-Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring shared PC mode on Windows](#configuring-shared-pc-mode-on-windows). The options are listed in the following table.
+Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring Shared PC mode for Windows](#configuring-shared-pc-mode-for-windows). The options are listed in the following table.
| Setting | Value |
|:---|:---|
@@ -80,16 +80,33 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
[Policies: Authentication](wcd/wcd-policies.md#authentication) (optional related setting) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts.
+## Configuring Shared PC mode for Windows
-## Configuring shared PC mode on Windows
You can configure Windows to be in shared PC mode in a couple different ways:
-- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx). Your MDM policy can contain any of the options listed in the [Customization](#customization) section. The following image shows a Microsoft Intune policy with the shared PC options added as OMA-URI settings. [Learn more about Windows 10 policy settings in Microsoft Intune.](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune)
-
+- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps:
-- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in Windows Configuration Designer as **SharedPC**.
+ 1. Go to the [Microsoft Endpoint Manager portal](https://endpoint.microsoft.com/#home).
+ 2. Select **Devices** from the navigation.
+ 3. Under **Policy**, select **Configuration profiles**.
+ 4. Select **Create profile**.
+ 5. From the **Platform** menu, select **Windows 10 and later**.
+ 6. From the **Profile** menu, select **Shared multi-user device**.
-
+ 
+
+ 7. Select **Create**.
+ 8. Enter a name for the policy (e.g. My Win10 Shared devices policy). You can optionally add a description should you wish to do so.
+ 9. Select **Next**.
+ 10. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**.
+
+ 
+
+ 11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**.
+
+- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.
+
+ 
- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
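Review bot: step 11 tells the reader to finish "by selecting **Create** after **Step 6**", but step 6 in this list is choosing the "Shared multi-user device" profile and step 7 is already a **Create** action, so the cross-reference does not resolve; say "complete the remaining pages of the wizard and select **Create**" instead. In the same hunk, "To setup a shared device policy" should be "To set up"; step 10 wraps ‘Shared PC Mode’ in curly quotes where the rest of the list bolds UI labels; and the three image lines under steps 6 and 10 and the provisioning-package bullet appear blank in the diff, so confirm that the Shared_PC_1.png to Shared_PC_3.png files added in this change are referenced with alt text. The removed bullet's link to "Windows 10 policy settings in Microsoft Intune" was dropped without a replacement; if it is still valid, keep it.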
diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md
index 0f0d1cd783..e665d37ba5 100644
--- a/windows/configuration/stop-employees-from-using-microsoft-store.md
+++ b/windows/configuration/stop-employees-from-using-microsoft-store.md
@@ -78,14 +78,14 @@ You can also use Group Policy to manage access to Microsoft Store.
1. Type gpedit in the search bar to find and start Group Policy Editor.
-2. In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates** , click **Windows Components**, and then click **Store**.
+2. In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates**, click **Windows Components**, and then click **Store**.
-3. In the Setting pane, click **Turn off Store application**, and then click **Edit policy setting**.
+3. In the Setting pane, click **Turn off the Store application**, and then click **Edit policy setting**.
-4. On the **Turn off Store application** setting page, click **Enabled**, and then click **OK**.
+4. On the **Turn off the Store application** setting page, click **Enabled**, and then click **OK**.
> [!Important]
-> Enabling **Turn off Store application** policy turns off app updates from Microsoft Store.
+> Enabling **Turn off the Store application** policy turns off app updates from Microsoft Store.
## Block Microsoft Store using management tool
diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md
index f3d37601d0..d61075e1bd 100644
--- a/windows/configuration/ue-v/uev-release-notes-1607.md
+++ b/windows/configuration/ue-v/uev-release-notes-1607.md
@@ -1,6 +1,6 @@
---
title: User Experience Virtualization (UE-V) Release Notes
-description: User Experience Virtualization (UE-V) Release Notes
+description: Read the latest information required to successfully install and use UE-V that is not included in the User Experience Virtualization (UE-V) documentation.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md
index 1ffb99a964..9683bd771d 100644
--- a/windows/configuration/ue-v/uev-troubleshooting.md
+++ b/windows/configuration/ue-v/uev-troubleshooting.md
@@ -1,6 +1,6 @@
---
title: Troubleshooting UE-V
-description: Troubleshooting UE-V
+description: Find resources for troubleshooting UE-V for Windows 10.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
index bead7186c8..d726744568 100644
--- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
+++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
@@ -1,6 +1,6 @@
---
title: Upgrade to UE-V for Windows 10
-description: Explains how to upgrade to the latest version of UE-V.
+description: Use these few adjustments to upgrade from User Experience Virtualization (UE-V) 2.x to the latest version of UE-V.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
@@ -30,7 +30,8 @@ If you’re already using UE-V 2.x and you’re planning to upgrade user devices
5. Install the UE-V template generator if you want to synchronize application settings for custom applications.
-> **Important** You can upgrade your existing UE-V installation to Windows 10, version 1607 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, you’ll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10, version 1607..
+> [!IMPORTANT]
+> You can upgrade your existing UE-V installation to Windows 10, version 1607 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, you’ll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10, version 1607.
## Upgrade user devices to Windows 10, version 1607
@@ -38,7 +39,7 @@ Performing an in-place upgrade on user devices automatically installs the UE-V s
## Verify that UE-V settings were migrated correctly
-After upgrading a user device to Windows 10, version 1607, it’s important to verify that UE-V settings and template registrations were migrated correctly during the upgrade. You can verify UE-V settings using Windows Powershell or the device’s registry.
+After upgrading a user device to Windows 10, version 1607, it’s important to verify that UE-V settings and template registrations were migrated correctly during the upgrade. You can verify UE-V settings using Windows PowerShell or the device’s registry.
**To verify UE-V settings using Windows PowerShell**
@@ -48,7 +49,8 @@ After upgrading a user device to Windows 10, version 1607, it’s important to v
3. Type **Get-UEVTemplate** and press ENTER to check that your templates are still registered.
- > **Note** You’ll need to register the NotePad template again after you upgrade the device to Windows 10.
+ > [!NOTE]
+ > You’ll need to register the NotePad template again after you upgrade the device to Windows 10.
**To verify UE-V settings using the device’s registry**
@@ -68,7 +70,8 @@ The UE-V service is the client-side component that captures user-personalized ap
With Windows 10, version 1607 and later, the UE-V service replaces the UE-V Agent and no longer requires a separate download and installation. Enable the service on user devices to start using UE-V. You can enable the service with the Group Policy editor or with Windows PowerShell.
-> **Important** The UE-V Agent used in prior releases of UE-V is replaced with the UE service. The UE-V service included with Windows 10, version 1607 and later releases, does not include the agent user interface and is configurable through cmdlets or registry settings only.
+> [!IMPORTANT]
+> The UE-V Agent used in prior releases of UE-V is replaced with the UE service. The UE-V service included with Windows 10, version 1607 and later releases, does not include the agent user interface and is configurable through cmdlets or registry settings only.
**To enable the UE-V service with Group Policy**
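Review bot: the new [!IMPORTANT] line carries over the typo "replaced with the UE service" from the removed line; it should read "the UE-V service", as in the sentence that follows it. Since the line is being rewritten anyway, fix it in this change.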
diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
index d2e019723d..8b68977b69 100644
--- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
+++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
@@ -1,6 +1,6 @@
---
title: Using UE-V with Application Virtualization applications
-description: Using UE-V with Application Virtualization applications
+description: Learn how to use User Experience Virtualization (UE-V) with Microsoft Application Virtualization (App-V).
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
index a2663f503d..0a5cc1a242 100644
--- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
+++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
@@ -1,6 +1,6 @@
---
title: Working with Custom UE-V Templates and the UE-V Template Generator
-description: Working with Custom UE-V Templates and the UE-V Template Generator
+description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
@@ -98,9 +98,8 @@ Use the UE-V template generator to edit settings location templates. When the re
1. Create a local copy of the settings location template .xml file. UE-V settings location templates are .xml files that identify the locations where application store settings values.
- >**Note**
- A settings location template is unique because of the template **ID**. If you copy the template and rename the .xml file, template registration fails because UE-V reads the template **ID** tag in the .xml file to determine the name, not the file name of the .xml file. UE-V also reads the **Version** number to know if anything has changed. If the version number is higher, UE-V updates the template.
-
+ > [!NOTE]
+ > A settings location template is unique because of the template **ID**. If you copy the template and rename the .xml file, template registration fails because UE-V reads the template **ID** tag in the .xml file to determine the name, not the file name of the .xml file. UE-V also reads the **Version** number to know if anything has changed. If the version number is higher, UE-V updates the template.
2. Open the settings location template file with an XML editor.
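Review bot: the context line just above the rewritten note still reads "identify the locations where application store settings values" (should be "where applications store settings values"); the block is being touched anyway, so it is worth fixing here. The [!NOTE] conversion itself is consistent with the other callout conversions in this change.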
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
deleted file mode 100644
index 840988926d..0000000000
--- a/windows/deployment/TOC.md
+++ /dev/null
@@ -1,275 +0,0 @@
-# [Deploy and update Windows 10](https://docs.microsoft.com/windows/deployment)
-## [Deployment process posters](windows-10-deployment-posters.md)
-## [Deploy Windows 10 with Microsoft 365](deploy-m365.md)
-## [What's new in Windows 10 deployment](deploy-whats-new.md)
-## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
-## [Windows Autopilot](windows-autopilot/windows-autopilot.md)
-
-## Subscription Activation
-### [Windows 10 Subscription Activation](windows-10-subscription-activation.md)
-### [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
-### [Configure VDA for Subscription Activation](vda-subscription-activation.md)
-### [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md)
-
-## Resolve upgrade errors
-### [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
-### [Quick fixes](upgrade\quick-fixes.md)
-### [SetupDiag](upgrade/setupdiag.md)
-### [Troubleshooting upgrade errors](upgrade/troubleshoot-upgrade-errors.md)
-### [Windows error reporting](upgrade/windows-error-reporting.md)
-### [Upgrade error codes](upgrade/upgrade-error-codes.md)
-### [Log files](upgrade/log-files.md)
-### [Resolution procedures](upgrade/resolution-procedures.md)
-### [Submit Windows 10 upgrade errors](upgrade/submit-errors.md)
-
-## Deploy Windows 10
-### [Deploying Windows 10](deploy.md)
-
-### [Windows Autopilot](windows-autopilot/windows-autopilot.md)
-### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
-### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
-### [Windows 10 volume license media](windows-10-media.md)
-
-### [Windows 10 in S mode](s-mode.md)
-#### [Switch to Windows 10 Pro/Enterprise from S mode](windows-10-pro-in-s-mode.md)
-
-### [Windows 10 deployment test lab](windows-10-poc.md)
-#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
-#### [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
-
-### [Plan for Windows 10 deployment](planning/index.md)
-#### [Windows 10 Enterprise FAQ for IT Pros](planning/windows-10-enterprise-faq-itpro.md)
-#### [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
-#### [Windows 10 compatibility](planning/windows-10-compatibility.md)
-#### [Windows 10 infrastructure requirements](planning/windows-10-infrastructure-requirements.md)
-
-#### [Volume Activation [client]](volume-activation/volume-activation-windows-10.md)
-##### [Plan for volume activation [client]](volume-activation/plan-for-volume-activation-client.md)
-##### [Activate using Key Management Service [client]](volume-activation/activate-using-key-management-service-vamt.md)
-##### [Activate using Active Directory-based activation [client]](volume-activation/activate-using-active-directory-based-activation-client.md)
-##### [Activate clients running Windows 10](volume-activation/activate-windows-10-clients-vamt.md)
-##### [Monitor activation [client]](volume-activation/monitor-activation-client.md)
-##### [Use the Volume Activation Management Tool [client]](volume-activation/use-the-volume-activation-management-tool-client.md)
-##### [Appendix: Information sent to Microsoft during activation [client]](volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md)
-
-#### [Application Compatibility Toolkit (ACT) Technical Reference](planning/act-technical-reference.md)
-##### [SUA User's Guide](planning/sua-users-guide.md)
-###### [Using the SUA Wizard](planning/using-the-sua-wizard.md)
-###### [Using the SUA Tool](planning/using-the-sua-tool.md)
-####### [Tabs on the SUA Tool Interface](planning/tabs-on-the-sua-tool-interface.md)
-####### [Showing Messages Generated by the SUA Tool](planning/showing-messages-generated-by-the-sua-tool.md)
-####### [Applying Filters to Data in the SUA Tool](planning/applying-filters-to-data-in-the-sua-tool.md)
-####### [Fixing Applications by Using the SUA Tool](planning/fixing-applications-by-using-the-sua-tool.md)
-##### [Compatibility Administrator User's Guide](planning/compatibility-administrator-users-guide.md)
-###### [Using the Compatibility Administrator Tool](planning/using-the-compatibility-administrator-tool.md)
-####### [Available Data Types and Operators in Compatibility Administrator](planning/available-data-types-and-operators-in-compatibility-administrator.md)
-####### [Searching for Fixed Applications in Compatibility Administrator](planning/searching-for-fixed-applications-in-compatibility-administrator.md)
-####### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)
-####### [Creating a Custom Compatibility Fix in Compatibility Administrator](planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md)
-####### [Creating a Custom Compatibility Mode in Compatibility Administrator](planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
-####### [Creating an AppHelp Message in Compatibility Administrator](planning/creating-an-apphelp-message-in-compatibility-administrator.md)
-####### [Viewing the Events Screen in Compatibility Administrator](planning/viewing-the-events-screen-in-compatibility-administrator.md)
-####### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)
-####### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)
-###### [Managing Application-Compatibility Fixes and Custom Fix Databases](planning/managing-application-compatibility-fixes-and-custom-fix-databases.md)
-####### [Understanding and Using Compatibility Fixes](planning/understanding-and-using-compatibility-fixes.md)
-####### [Compatibility Fix Database Management Strategies and Deployment](planning/compatibility-fix-database-management-strategies-and-deployment.md)
-####### [Testing Your Application Mitigation Packages](planning/testing-your-application-mitigation-packages.md)
-###### [Using the Sdbinst.exe Command-Line Tool](planning/using-the-sdbinstexe-command-line-tool.md)
-##### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
-
-
-### Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT)
-#### [Get started with MDT](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md)
-
-#### Deploy Windows 10 with MDT
-##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
-##### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md)
-##### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md)
-##### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md)
-##### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md)
-##### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md)
-##### [Perform an in-place upgrade to Windows 10 with MDT](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-
-#### Customize MDT
-##### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md)
-##### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md)
-##### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md)
-##### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md)
-##### [Simulate a Windows 10 deployment in a test environment](deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md)
-##### [Use the MDT database to stage Windows 10 deployment information](deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-##### [Assign applications using roles in MDT](deploy-windows-mdt/assign-applications-using-roles-in-mdt.md)
-##### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md)
-##### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md)
-
-### Deploy Windows 10 with Microsoft Endpoint Configuration Manager
-#### Prepare for Windows 10 deployment with Configuration Manager
-##### [Prepare for Zero Touch Installation with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-##### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-##### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
-##### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-##### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-##### [Create a task sequence with Configuration Manager and MDT](deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-##### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
-
-#### Deploy Windows 10 with Configuration Manager
-##### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md)
-##### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-##### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-##### [Perform an in-place upgrade to Windows 10 using Configuration Manager](deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md)
-
-### [Windows 10 deployment tools](windows-10-deployment-tools.md)
-
-#### [Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md)
-#### [Convert MBR partition to GPT](mbr-to-gpt.md)
-#### [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
-#### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)
-
-#### [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
-##### [Windows To Go: feature overview](planning/windows-to-go-overview.md)
-###### [Best practice recommendations for Windows To Go](planning/best-practice-recommendations-for-windows-to-go.md)
-###### [Deployment considerations for Windows To Go](planning/deployment-considerations-for-windows-to-go.md)
-###### [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md)
-###### [Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md)
-###### [Windows To Go: frequently asked questions](planning/windows-to-go-frequently-asked-questions.md)
-
-#### [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
-##### [Introduction to VAMT](volume-activation/introduction-vamt.md)
-##### [Active Directory-Based Activation Overview](volume-activation/active-directory-based-activation-overview.md)
-##### [Install and Configure VAMT](volume-activation/install-configure-vamt.md)
-###### [VAMT Requirements](volume-activation/vamt-requirements.md)
-###### [Install VAMT](volume-activation/install-vamt.md)
-###### [Configure Client Computers](volume-activation/configure-client-computers-vamt.md)
-##### [Add and Manage Products](volume-activation/add-manage-products-vamt.md)
-###### [Add and Remove Computers](volume-activation/add-remove-computers-vamt.md)
-###### [Update Product Status](volume-activation/update-product-status-vamt.md)
-###### [Remove Products](volume-activation/remove-products-vamt.md)
-##### [Manage Product Keys](volume-activation/manage-product-keys-vamt.md)
-###### [Add and Remove a Product Key](volume-activation/add-remove-product-key-vamt.md)
-###### [Install a Product Key](volume-activation/install-product-key-vamt.md)
-###### [Install a KMS Client Key](volume-activation/install-kms-client-key-vamt.md)
-##### [Manage Activations](volume-activation/manage-activations-vamt.md)
-###### [Perform Online Activation](volume-activation/online-activation-vamt.md)
-###### [Perform Proxy Activation](volume-activation/proxy-activation-vamt.md)
-###### [Perform KMS Activation](volume-activation/kms-activation-vamt.md)
-###### [Perform Local Reactivation](volume-activation/local-reactivation-vamt.md)
-###### [Activate an Active Directory Forest Online](volume-activation/activate-forest-vamt.md)
-###### [Activate by Proxy an Active Directory Forest](volume-activation/activate-forest-by-proxy-vamt.md)
-##### [Manage VAMT Data](volume-activation/manage-vamt-data.md)
-###### [Import and Export VAMT Data](volume-activation/import-export-vamt-data.md)
-###### [Use VAMT in Windows PowerShell](volume-activation/use-vamt-in-windows-powershell.md)
-##### [VAMT Step-by-Step Scenarios](volume-activation/vamt-step-by-step.md)
-###### [Scenario 1: Online Activation](volume-activation/scenario-online-activation-vamt.md)
-###### [Scenario 2: Proxy Activation](volume-activation/scenario-proxy-activation-vamt.md)
-###### [Scenario 3: KMS Client Activation](volume-activation/scenario-kms-activation-vamt.md)
-##### [VAMT Known Issues](volume-activation/vamt-known-issues.md)
-#### [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
-##### [User State Migration Tool (USMT) Overview Topics](usmt/usmt-topics.md)
-###### [User State Migration Tool (USMT) Overview](usmt/usmt-overview.md)
-###### [Getting Started with the User State Migration Tool (USMT)](usmt/getting-started-with-the-user-state-migration-tool.md)
-###### [Windows Upgrade and Migration Considerations](upgrade/windows-upgrade-and-migration-considerations.md)
-##### [User State Migration Tool (USMT) How-to topics](usmt/usmt-how-to.md)
-###### [Exclude Files and Settings](usmt/usmt-exclude-files-and-settings.md)
-###### [Extract Files from a Compressed USMT Migration Store](usmt/usmt-extract-files-from-a-compressed-migration-store.md)
-###### [Include Files and Settings](usmt/usmt-include-files-and-settings.md)
-###### [Migrate Application Settings](usmt/migrate-application-settings.md)
-###### [Migrate EFS Files and Certificates](usmt/usmt-migrate-efs-files-and-certificates.md)
-###### [Migrate User Accounts](usmt/usmt-migrate-user-accounts.md)
-###### [Reroute Files and Settings](usmt/usmt-reroute-files-and-settings.md)
-###### [Verify the Condition of a Compressed Migration Store](usmt/verify-the-condition-of-a-compressed-migration-store.md)
-##### [User State Migration Tool (USMT) Troubleshooting](usmt/usmt-troubleshooting.md)
-###### [Common Issues](usmt/usmt-common-issues.md)
-###### [Frequently Asked Questions](usmt/usmt-faq.md)
-###### [Log Files](usmt/usmt-log-files.md)
-###### [Return Codes](usmt/usmt-return-codes.md)
-###### [USMT Resources](usmt/usmt-resources.md)
-##### [User State Migration Toolkit (USMT) Reference](usmt/usmt-reference.md)
-###### [USMT Requirements](usmt/usmt-requirements.md)
-###### [USMT Best Practices](usmt/usmt-best-practices.md)
-###### [How USMT Works](usmt/usmt-how-it-works.md)
-###### [Plan Your Migration](usmt/usmt-plan-your-migration.md)
-####### [Common Migration Scenarios](usmt/usmt-common-migration-scenarios.md)
-####### [What Does USMT Migrate?](usmt/usmt-what-does-usmt-migrate.md)
-####### [Choose a Migration Store Type](usmt/usmt-choose-migration-store-type.md)
-######## [Migration Store Types Overview](usmt/migration-store-types-overview.md)
-######## [Estimate Migration Store Size](usmt/usmt-estimate-migration-store-size.md)
-######## [Hard-Link Migration Store](usmt/usmt-hard-link-migration-store.md)
-######## [Migration Store Encryption](usmt/usmt-migration-store-encryption.md)
-####### [Determine What to Migrate](usmt/usmt-determine-what-to-migrate.md)
-######## [Identify Users](usmt/usmt-identify-users.md)
-######## [Identify Applications Settings](usmt/usmt-identify-application-settings.md)
-######## [Identify Operating System Settings](usmt/usmt-identify-operating-system-settings.md)
-######## [Identify File Types, Files, and Folders](usmt/usmt-identify-file-types-files-and-folders.md)
-####### [Test Your Migration](usmt/usmt-test-your-migration.md)
-###### [User State Migration Tool (USMT) Command-line Syntax](usmt/usmt-command-line-syntax.md)
-####### [ScanState Syntax](usmt/usmt-scanstate-syntax.md)
-####### [LoadState Syntax](usmt/usmt-loadstate-syntax.md)
-####### [UsmtUtils Syntax](usmt/usmt-utilities.md)
-###### [USMT XML Reference](usmt/usmt-xml-reference.md)
-####### [Understanding Migration XML Files](usmt/understanding-migration-xml-files.md)
-####### [Config.xml File](usmt/usmt-configxml-file.md)
-####### [Customize USMT XML Files](usmt/usmt-customize-xml-files.md)
-####### [Custom XML Examples](usmt/usmt-custom-xml-examples.md)
-####### [Conflicts and Precedence](usmt/usmt-conflicts-and-precedence.md)
-####### [General Conventions](usmt/usmt-general-conventions.md)
-####### [XML File Requirements](usmt/xml-file-requirements.md)
-####### [Recognized Environment Variables](usmt/usmt-recognized-environment-variables.md)
-####### [XML Elements Library](usmt/usmt-xml-elements-library.md)
-###### [Offline Migration Reference](usmt/offline-migration-reference.md)
-### [Install fonts in Windows 10](windows-10-missing-fonts.md)
-
-## Update Windows 10
-### [Update Windows 10 in enterprise deployments](update/index.md)
-### Windows as a service
-#### [Windows as a service - introduction](update/windows-as-a-service.md)
-#### [Quick guide to Windows as a service](update/waas-quick-start.md)
-#### [Servicing stack updates](update/servicing-stack-updates.md)
-#### [Overview of Windows as a service](update/waas-overview.md)
-### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
-### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
-### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md)
-### Get started
-#### [Get started with Windows Update](update/windows-update-overview.md)
-#### [How Windows Update works](update/how-windows-update-works.md)
-#### [Windows Update log files](update/windows-update-logs.md)
-#### [How to troubleshoot Windows Update](update/windows-update-troubleshooting.md)
-#### [Common Windows Update errors](update/windows-update-errors.md)
-#### [Windows Update error code reference](update/windows-update-error-reference.md)
-#### [Other Windows Update resources](update/windows-update-resources.md)
-### Optimize delivery
-#### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
-#### [Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
-#### [Set up Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization-setup.md)
-#### [Delivery Optimization reference](update/waas-delivery-optimization-reference.md)
-#### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)
-#### [Whitepaper: Windows Updates using forward and reverse differentials](update/PSFxWhitepaper.md)
-### Monitor Windows Updates
-#### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
-#### [Get started with Update Compliance](update/update-compliance-get-started.md)
-#### [Use Update Compliance](update/update-compliance-using.md)
-##### [Need Attention! report](update/update-compliance-need-attention.md)
-##### [Security Update Status report](update/update-compliance-security-update-status.md)
-##### [Feature Update Status report](update/update-compliance-feature-update-status.md)
-##### [Windows Defender AV Status report](update/update-compliance-wd-av-status.md)
-##### [Delivery Optimization in Update Compliance](update/update-compliance-delivery-optimization.md)
-### Best practices
-#### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md)
-#### [Update Windows 10 media with Dynamic Update](update/media-dynamic-update.md)
-#### [Deploy feature updates during maintenance windows](update/feature-update-maintenance-window.md)
-#### [Deploy feature updates for user-initiated installations](update/feature-update-user-install.md)
-#### [Conclusion](update/feature-update-conclusion.md)
-### [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md)
-### Use Windows Update for Business
-#### [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md)
-#### [Configure Windows Update for Business](update/waas-configure-wufb.md)
-#### [Enforcing compliance deadlines for updates](update/wufb-compliancedeadlines.md)
-#### [Integrate Windows Update for Business with management solutions](update/waas-integrate-wufb.md)
-#### [Walkthrough: use Group Policy to configure Windows Update for Business](update/waas-wufb-group-policy.md)
-#### [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
-### Use Windows Server Update Services
-#### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md)
-#### [Enable FoD and language pack updates in Windows Update](update/fod-and-lang-packs.md)
-### [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](update/waas-manage-updates-configuration-manager.md)
-### [Manage device restarts after updates](update/waas-restart.md)
-### [Manage additional Windows Update settings](update/waas-wu-settings.md)
-### [Determine the source of Windows updates](update/windows-update-sources.md)
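Review bot: Several pages indexed by the deleted TOC.md have no counterpart in the portion of the replacement TOC.yml visible in the next hunk, so they lose their navigation entry when this merges unless a redirect or a later node covers them: the Application Compatibility Toolkit (ACT) tree (planning/act-technical-reference.md with its SUA and Compatibility Administrator subpages and planning/using-the-sdbinstexe-command-line-tool.md), the Customize MDT section (deploy-windows-mdt/configure-mdt-settings.md through use-orchestrator-runbooks-with-mdt.md, including set-up-mdt-for-bitlocker.md), the volume-activation client pages (activate-using-key-management-service-vamt.md, activate-using-active-directory-based-activation-client.md, activate-windows-10-clients-vamt.md, monitor-activation-client.md, appendix-information-sent-to-microsoft-during-activation-client.md), the two hub pages windows-10-deployment-tools.md and windows-deployment-scenarios-and-tools.md, windows-10-missing-fonts.md, update/waas-mobile-updates.md, update/update-compliance-wd-av-status.md, update/PSFxWhitepaper.md and update/fod-and-lang-packs.md. Please either add nodes for them or confirm that each is retired or redirected; dropping the BitLocker and activation pages in particular silently hides security-relevant guidance.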
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
new file mode 100644
index 0000000000..20ea156b13
--- /dev/null
+++ b/windows/deployment/TOC.yml
@@ -0,0 +1,519 @@
+- name: Deploy and update Windows 10
+ href: index.yml
+ items:
+ - name: Get started
+ items:
+ - name: What's new
+ href: deploy-whats-new.md
+ - name: Windows 10 deployment scenarios
+ href: windows-10-deployment-scenarios.md
+ - name: What is Windows as a service?
+ href: update/waas-quick-start.md
+ - name: Windows update fundamentals
+ href: update/waas-overview.md
+ - name: Types of Windows updates
+ href: update/waas-quick-start.md#definitions
+ - name: Servicing the Windows 10 operating system
+ href: update/waas-servicing-strategy-windows-10-updates.md
+
+ - name: Deployment proof of concept
+ items:
+ - name: Demonstrate Autopilot deployment on a VM
+ href: windows-autopilot/demonstrate-deployment-on-vm.md
+ - name: Deploy Windows 10 with MDT and Configuration Manager
+ items:
+ - name: 'Step by step guide: Configure a test lab to deploy Windows 10'
+ href: windows-10-poc.md
+ - name: Deploy Windows 10 in a test lab using MDT
+ href: windows-10-poc-mdt.md
+ - name: Deploy Windows 10 in a test lab using Configuration Manager
+ href: windows-10-poc-sc-config-mgr.md
+ - name: Deployment process posters
+ href: windows-10-deployment-posters.md
+
+ - name: Plan
+ items:
+ - name: Create a deployment plan
+ href: update/create-deployment-plan.md
+ - name: Define readiness criteria
+ href: update/plan-define-readiness.md
+ - name: Evaluate infrastructure and tools
+ href: update/eval-infra-tools.md
+ - name: Determine application readiness
+ href: update/plan-determine-app-readiness.md
+ - name: Define your servicing strategy
+ href: update/waas-servicing-strategy-windows-10-updates.md
+ - name: Best practices for feature updates on mission-critical devices
+ href: update/feature-update-mission-critical.md
+ - name: Windows 10 deployment considerations
+ href: planning/windows-10-deployment-considerations.md
+ - name: Windows 10 infrastructure requirements
+ href: planning/windows-10-infrastructure-requirements.md
+ - name: Plan for volume activation
+ href: volume-activation/plan-for-volume-activation-client.md
+ - name: Features removed or planned for replacement
+ items:
+ - name: Windows 10 features lifecycle
+ href: planning/features-lifecycle.md
+ - name: Features we're no longer developing
+ href: planning/windows-10-deprecated-features.md
+ - name: Features we removed
+ href: planning/windows-10-removed-features.md
+
+ - name: Prepare
+ items:
+ - name: Prepare to deploy Windows 10
+ href: deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+ - name: Evaluate and update infrastructure
+ href: update/update-policies.md
+ - name: Set up Delivery Optimization for Windows 10 updates
+ href: update/waas-delivery-optimization-setup.md
+ - name: Configure BranchCache for Windows 10 updates
+ href: update/waas-branchcache.md
+ - name: Prepare your deployment tools
+ items:
+ - name: Register devices for deployment with Windows Autopilot
+ href: windows-autopilot/add-devices.md
+ - name: Prepare for deployment with MDT
+ href: deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+ - name: Prepare for deployment with Configuration Manager
+ href: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+ - name: Build a successful servicing strategy
+ items:
+ - name: Build deployment rings for Windows 10 updates
+ href: update/waas-deployment-rings-windows-10-updates.md
+ - name: Prepare updates using Windows Update for Business
+ href: update/waas-manage-updates-wufb.md
+ - name: Prepare updates using WSUS
+ href: update/waas-manage-updates-wsus.md
+
+ - name: Deploy
+ items:
+ - name: Deploy Windows 10
+ items:
+ - name: Deploy Windows 10 with Autopilot
+ href: windows-autopilot/windows-autopilot-scenarios.md
+ - name: Deploy Windows 10 with Configuration Manager
+ items:
+ - name: Deploy to a new device
+ href: deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
+ - name: Refresh a device
+ href: deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+ - name: Replace a device
+ href: deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+ - name: In-place upgrade
+ href: deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
+ - name: Deploy Windows 10 with MDT
+ items:
+ - name: Deploy to a new device
+ href: deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+ - name: Refresh a device
+ href: deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
+ - name: Replace a device
+ href: deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
+ - name: In-place upgrade
+ href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+ - name: Subscription Activation
+ items:
+ - name: Windows 10 Subscription Activation
+ href: windows-10-subscription-activation.md
+ - name: Windows 10 Enterprise E3 in CSP
+ href: windows-10-enterprise-e3-overview.md
+ - name: Configure VDA for Subscription Activation
+ href: vda-subscription-activation.md
+ - name: Deploy Windows 10 Enterprise licenses
+ href: deploy-enterprise-licenses.md
+ - name: Deploy Windows 10 updates
+ items:
+ - name: Assign devices to servicing channels
+ href: update/waas-servicing-channels-windows-10-updates.md
+ - name: Deploy updates with Configuration Manager
+ href: update/deploy-updates-configmgr.md
+ - name: Deploy updates with Intune
+ href: update/deploy-updates-intune.md
+ - name: Deploy updates with WSUS
+ href: update/waas-manage-updates-wsus.md
+ - name: Deploy updates with Group Policy
+ href: update/waas-wufb-group-policy.md
+ - name: Update Windows 10 media with Dynamic Update
+ href: update/media-dynamic-update.md
+ - name: Manage the Windows 10 update experience
+ items:
+ - name: Manage device restarts after updates
+ href: update/waas-restart.md
+ - name: Manage additional Windows Update settings
+ href: update/waas-wu-settings.md
+ - name: Deploy feature updates during maintenance windows
+ href: update/feature-update-maintenance-window.md
+ - name: Deploy feature updates for user-initiated installations
+ href: update/feature-update-user-install.md
+ - name: Use Windows Update for Business
+ items:
+ - name: What is Windows Update for Business?
+ href: update/waas-manage-updates-wufb.md
+ - name: Configure Windows Update for Business
+ href: update/waas-configure-wufb.md
+ - name: Enforcing compliance deadlines for updates
+ href: update/wufb-compliancedeadlines.md
+ - name: Integrate Windows Update for Business with management solutions
+ href: update/waas-integrate-wufb.md
+ - name: 'Walkthrough: use Group Policy to configure Windows Update for Business'
+ href: update/waas-wufb-group-policy.md
+ - name: 'Walkthrough: use Intune to configure Windows Update for Business'
+ href: update/deploy-updates-intune.md
+ - name: Monitor Windows 10 updates
+ items:
+ - name: Monitor Delivery Optimization
+ href: update/waas-delivery-optimization-setup.md#monitor-delivery-optimization
+ - name: Monitor Windows Updates with Update Compliance
+ items:
+ - name: Get started
+ items:
+ - name: Get started with Update Compliance
+ href: update/update-compliance-get-started.md
+ - name: Update Compliance configuration script
+ href: update/update-compliance-configuration-script.md
+ - name: Manually configuring devices for Update Compliance
+ href: update/update-compliance-configuration-manual.md
+ - name: Update Compliance monitoring
+ items:
+ - name: Use Update Compliance
+ href: update/update-compliance-using.md
+ - name: Need attention report
+ href: update/update-compliance-need-attention.md
+ - name: Security update status report
+ href: update/update-compliance-security-update-status.md
+ - name: Feature update status report
+ href: update/update-compliance-feature-update-status.md
+ - name: Delivery Optimization in Update Compliance
+ href: update/update-compliance-delivery-optimization.md
+ - name: Data handling and privacy in Update Compliance
+ href: update/update-compliance-privacy.md
+ - name: Update Compliance schema reference
+ items:
+ - name: WaaSUpdateStatus
+ href: update/update-compliance-schema-waasupdatestatus.md
+ - name: WaaSInsiderStatus
+ href: update/update-compliance-schema-waasinsiderstatus.md
+ - name: WaaSDepoymentStatus
+ href: update/update-compliance-schema-waasdeploymentstatus.md
+ - name: WUDOStatus
+ href: update/update-compliance-schema-wudostatus.md
+ - name: WUDOAggregatedStatus
+ href: update/update-compliance-schema-wudoaggregatedstatus.md
+ - name: Troubleshooting
+ items:
+ - name: Resolve upgrade errors
+ items:
+ - name: Resolve Windows 10 upgrade errors
+ href: upgrade/resolve-windows-10-upgrade-errors.md
+ - name: Quick fixes
+ href: upgrade/quick-fixes.md
+ - name: SetupDiag
+ href: upgrade/setupdiag.md
+ - name: Troubleshooting upgrade errors
+ href: upgrade/troubleshoot-upgrade-errors.md
+ - name: Windows error reporting
+ href: upgrade/windows-error-reporting.md
+ - name: Upgrade error codes
+ href: upgrade/upgrade-error-codes.md
+ - name: Log files
+ href: upgrade/log-files.md
+ - name: Resolution procedures
+ href: upgrade/resolution-procedures.md
+ - name: Submit Windows 10 upgrade errors
+ href: upgrade/submit-errors.md
+ - name: Troubleshoot Windows Update
+ items:
+ - name: How to troubleshoot Windows Update
+ href: update/windows-update-troubleshooting.md
+ - name: Determine the source of Windows Updates
+ href: update/windows-update-sources.md
+ - name: Common Windows Update errors
+ href: update/windows-update-errors.md
+ - name: Windows Update error code reference
+ href: update/windows-update-error-reference.md
+
+ - name: Reference
+ items:
+ - name: How does Windows Update work?
+ href: update/how-windows-update-works.md
+ - name: Understanding the Unified Update Platform
+ href: update/windows-update-overview.md
+ - name: Servicing stack updates
+ href: update/servicing-stack-updates.md
+ - name: Additional Windows Update settings
+ href: update/waas-wu-settings.md
+ - name: Delivery Optimization reference
+ href: update/waas-delivery-optimization-reference.md
+ - name: Windows 10 in S mode
+ href: s-mode.md
+ - name: Switch to Windows 10 Pro or Enterprise from S mode
+ href: windows-10-pro-in-s-mode.md
+ - name: Windows 10 deployment tools
+ items:
+ - name: Windows 10 deployment scenarios and tools
+ items:
+ - name: Convert MBR partition to GPT
+ href: mbr-to-gpt.md
+ - name: Configure a PXE server to load Windows PE
+ href: configure-a-pxe-server-to-load-windows-pe.md
+ - name: Windows ADK for Windows 10 scenarios for IT Pros
+ href: windows-adk-scenarios-for-it-pros.md
+ - name: Windows To Go
+ items:
+ - name: Deploy Windows To Go in your organization
+ href: deploy-windows-to-go.md
+ - name: "Windows To Go: feature overview"
+ href: planning/windows-to-go-overview.md
+ - name: Best practice recommendations for Windows To Go
+ href: planning/best-practice-recommendations-for-windows-to-go.md
+ - name: Deployment considerations for Windows To Go
+ href: planning/deployment-considerations-for-windows-to-go.md
+ - name: Prepare your organization for Windows To Go
+ href: planning/prepare-your-organization-for-windows-to-go.md
+ - name: Security and data protection considerations for Windows To Go
+ href: planning/security-and-data-protection-considerations-for-windows-to-go.md
+ - name: "Windows To Go: frequently asked questions"
+ href: planning/windows-to-go-frequently-asked-questions.md
+
+ - name: Volume Activation Management Tool (VAMT) technical reference
+ items:
+ - name: VAMT technical reference
+ href: volume-activation/volume-activation-management-tool.md
+ - name: Introduction to VAMT
+ href: volume-activation/introduction-vamt.md
+ - name: Active Directory-Based Activation Overview
+ href: volume-activation/active-directory-based-activation-overview.md
+ - name: Install and Configure VAMT
+ href: volume-activation/install-configure-vamt.md
+ - name: VAMT Requirements
+ href: volume-activation/vamt-requirements.md
+ - name: Install VAMT
+ href: volume-activation/install-vamt.md
+ - name: Configure Client Computers
+ href: volume-activation/configure-client-computers-vamt.md
+ - name: Add and Manage Products
+ href: volume-activation/add-manage-products-vamt.md
+ - name: Add and Remove Computers
+ href: volume-activation/add-remove-computers-vamt.md
+ - name: Update Product Status
+ href: volume-activation/update-product-status-vamt.md
+ - name: Remove Products
+ href: volume-activation/remove-products-vamt.md
+ - name: Manage Product Keys
+ href: volume-activation/manage-product-keys-vamt.md
+ - name: Add and Remove a Product Key
+ href: volume-activation/add-remove-product-key-vamt.md
+ - name: Install a Product Key
+ href: volume-activation/install-product-key-vamt.md
+ - name: Install a KMS Client Key
+ href: volume-activation/install-kms-client-key-vamt.md
+ - name: Manage Activations
+ href: volume-activation/manage-activations-vamt.md
+ - name: Perform Online Activation
+ href: volume-activation/online-activation-vamt.md
+ - name: Perform Proxy Activation
+ href: volume-activation/proxy-activation-vamt.md
+ - name: Perform KMS Activation
+ href: volume-activation/kms-activation-vamt.md
+ - name: Perform Local Reactivation
+ href: volume-activation/local-reactivation-vamt.md
+ - name: Activate an Active Directory Forest Online
+ href: volume-activation/activate-forest-vamt.md
+ - name: Activate by Proxy an Active Directory Forest
+ href: volume-activation/activate-forest-by-proxy-vamt.md
+ - name: Manage VAMT Data
+ href: volume-activation/manage-vamt-data.md
+ - name: Import and Export VAMT Data
+ href: volume-activation/import-export-vamt-data.md
+ - name: Use VAMT in Windows PowerShell
+ href: volume-activation/use-vamt-in-windows-powershell.md
+ - name: VAMT Step-by-Step Scenarios
+ href: volume-activation/vamt-step-by-step.md
+ - name: "Scenario 1: Online Activation"
+ href: volume-activation/scenario-online-activation-vamt.md
+ - name: "Scenario 2: Proxy Activation"
+ href: volume-activation/scenario-proxy-activation-vamt.md
+ - name: "Scenario 3: KMS Client Activation"
+ href: volume-activation/scenario-kms-activation-vamt.md
+ - name: VAMT Known Issues
+ href: volume-activation/vamt-known-issues.md
+
+ - name: User State Migration Tool (USMT) technical reference
+ items:
+ - name: USMT overview topics
+ items:
+ - name: USMT overview
+ href: usmt/usmt-overview.md
+ - name: Getting started with the USMT
+ href: usmt/getting-started-with-the-user-state-migration-tool.md
+ - name: Windows upgrade and migration considerations
+ href: upgrade/windows-upgrade-and-migration-considerations.md
+ - name: USMT How-to topics
+ items:
+ - name: Exclude Files and Settings
+ href: usmt/usmt-exclude-files-and-settings.md
+ - name: Extract Files from a Compressed USMT Migration Store
+ href: usmt/usmt-extract-files-from-a-compressed-migration-store.md
+ - name: Include Files and Settings
+ href: usmt/usmt-include-files-and-settings.md
+ - name: Migrate Application Settings
+ href: usmt/migrate-application-settings.md
+ - name: Migrate EFS Files and Certificates
+ href: usmt/usmt-migrate-efs-files-and-certificates.md
+ - name: Migrate User Accounts
+ href: usmt/usmt-migrate-user-accounts.md
+ - name: Reroute Files and Settings
+ href: usmt/usmt-reroute-files-and-settings.md
+ - name: Verify the Condition of a Compressed Migration Store
+ href: usmt/verify-the-condition-of-a-compressed-migration-store.md
+ - name: USMT Troubleshooting
+ href: usmt/usmt-troubleshooting.md
+ - name: Common Issues
+ href: usmt/usmt-common-issues.md
+ - name: Frequently Asked Questions
+ href: usmt/usmt-faq.md
+ - name: Log Files
+ href: usmt/usmt-log-files.md
+ - name: Return Codes
+ href: usmt/usmt-return-codes.md
+ - name: USMT Resources
+ href: usmt/usmt-resources.md
+
+ - name: USMT Reference
+ items:
+ - name: USMT Requirements
+ href: usmt/usmt-requirements.md
+ - name: USMT Best Practices
+ href: usmt/usmt-best-practices.md
+ - name: How USMT Works
+ href: usmt/usmt-how-it-works.md
+ - name: Plan Your Migration
+ href: usmt/usmt-plan-your-migration.md
+ - name: Common Migration Scenarios
+ href: usmt/usmt-common-migration-scenarios.md
+ - name: What Does USMT Migrate?
+ href: usmt/usmt-what-does-usmt-migrate.md
+ - name: Choose a Migration Store Type
+ href: usmt/usmt-choose-migration-store-type.md
+ - name: Migration Store Types Overview
+ href: usmt/migration-store-types-overview.md
+ - name: Estimate Migration Store Size
+ href: usmt/usmt-estimate-migration-store-size.md
+ - name: Hard-Link Migration Store
+ href: usmt/usmt-hard-link-migration-store.md
+ - name: Migration Store Encryption
+ href: usmt/usmt-migration-store-encryption.md
+ - name: Determine What to Migrate
+ href: usmt/usmt-determine-what-to-migrate.md
+ - name: Identify users
+ href: usmt/usmt-identify-users.md
+ - name: Identify Applications Settings
+ href: usmt/usmt-identify-application-settings.md
+ - name: Identify Operating System Settings
+ href: usmt/usmt-identify-operating-system-settings.md
+ - name: Identify File Types, Files, and Folders
+ href: usmt/usmt-identify-file-types-files-and-folders.md
+ - name: Test Your Migration
+ href: usmt/usmt-test-your-migration.md
+ - name: USMT Command-line Syntax
+ href: usmt/usmt-command-line-syntax.md
+ - name: ScanState Syntax
+ href: usmt/usmt-scanstate-syntax.md
+ - name: LoadState Syntax
+ href: usmt/usmt-loadstate-syntax.md
+ - name: UsmtUtils Syntax
+ href: usmt/usmt-utilities.md
+ - name: USMT XML Reference
+ href: usmt/usmt-xml-reference.md
+ - name: Understanding Migration XML Files
+ href: usmt/understanding-migration-xml-files.md
+ - name: Config.xml File
+ href: usmt/usmt-configxml-file.md
+ - name: Customize USMT XML Files
+ href: usmt/usmt-customize-xml-files.md
+ - name: Custom XML Examples
+ href: usmt/usmt-custom-xml-examples.md
+ - name: Conflicts and Precedence
+ href: usmt/usmt-conflicts-and-precedence.md
+ - name: General Conventions
+ href: usmt/usmt-general-conventions.md
+ - name: XML File Requirements
+ href: usmt/xml-file-requirements.md
+ - name: Recognized Environment Variables
+ href: usmt/usmt-recognized-environment-variables.md
+ - name: XML Elements Library
+ href: usmt/usmt-xml-elements-library.md
+ - name: Offline Migration Reference
+ href: usmt/offline-migration-reference.md
+
+ - name: Application Compatibility Toolkit (ACT) Technical Reference
+ items:
+ - name: SUA User's Guide
+ href: planning/sua-users-guide.md
+ - name: Using the SUA Wizard
+ href: planning/using-the-sua-wizard.md
+ - name: Using the SUA Tool
+ href: planning/using-the-sua-tool.md
+ - name: Tabs on the SUA Tool Interface
+ href: planning/tabs-on-the-sua-tool-interface.md
+ - name: Showing Messages Generated by the SUA Tool
+ href: planning/showing-messages-generated-by-the-sua-tool.md
+ - name: Applying Filters to Data in the SUA Tool
+ href: planning/applying-filters-to-data-in-the-sua-tool.md
+ - name: Fixing Applications by Using the SUA Tool
+ href: planning/fixing-applications-by-using-the-sua-tool.md
+ - name: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista
+ href: planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
+ - name: Compatibility Administrator User's Guide
+ href: planning/compatibility-administrator-users-guide.md
+ - name: Using the Compatibility Administrator Tool
+ href: planning/using-the-compatibility-administrator-tool.md
+ - name: Available Data Types and Operators in Compatibility Administrator
+ href: planning/available-data-types-and-operators-in-compatibility-administrator.md
+ - name: Searching for Fixed Applications in Compatibility Administrator
+ href: planning/searching-for-fixed-applications-in-compatibility-administrator.md
+ - name: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
+ href: planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
+ - name: Creating a Custom Compatibility Fix in Compatibility Administrator
+ href: planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
+ - name: Creating a Custom Compatibility Mode in Compatibility Administrator
+ href: planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
+ - name: Creating an AppHelp Message in Compatibility Administrator
+ href: planning/creating-an-apphelp-message-in-compatibility-administrator.md
+ - name: Viewing the Events Screen in Compatibility Administrator
+ href: planning/viewing-the-events-screen-in-compatibility-administrator.md
+ - name: Enabling and Disabling Compatibility Fixes in Compatibility Administrator
+ href: planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
+ - name: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator
+ href: planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
+ - name: Managing Application-Compatibility Fixes and Custom Fix Databases
+ href: planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
+ - name: Understanding and Using Compatibility Fixes
+ href: planning/understanding-and-using-compatibility-fixes.md
+ - name: Compatibility Fix Database Management Strategies and Deployment
+ href: planning/compatibility-fix-database-management-strategies-and-deployment.md
+ - name: Testing Your Application Mitigation Packages
+ href: planning/testing-your-application-mitigation-packages.md
+ - name: Using the Sdbinst.exe Command-Line Tool
+ href: planning/using-the-sdbinstexe-command-line-tool.md
+ - name: Volume Activation
+ href: volume-activation/volume-activation-windows-10.md
+ - name: Plan for volume activation
+ href: volume-activation/plan-for-volume-activation-client.md
+ - name: Activate using Key Management Service
+ href: volume-activation/activate-using-key-management-service-vamt.md
+ - name: Activate using Active Directory-based activation
+ href: volume-activation/activate-using-active-directory-based-activation-client.md
+ - name: Activate clients running Windows 10
+ href: volume-activation/activate-windows-10-clients-vamt.md
+ - name: Monitor activation
+ href: volume-activation/monitor-activation-client.md
+ - name: Use the Volume Activation Management Tool
+ href: volume-activation/use-the-volume-activation-management-tool-client.md
+ - name: "Appendix: Information sent to Microsoft during activation "
+ href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
+
+ - name: Install fonts in Windows 10
+ href: windows-10-missing-fonts.md
\ No newline at end of file
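Review bot: the quoted display name `"Appendix: Information sent to Microsoft during activation "` has a trailing space inside the quotes that will show up in the rendered TOC; drop it. The Volume Activation entries beginning at `- name: Volume Activation` follow the ACT entries with no blank separator line, unlike every other group in this block (VAMT, USMT, ACT and the fonts entry are each separated by a blank `+` line), so confirm they are meant to be nested under the ACT Technical Reference node rather than being their own sibling group. `Identify Applications Settings` reads as a typo for `Identify Application Settings` (the href is usmt-identify-application-settings.md). The file also ends without a trailing newline (`\ No newline at end of file`); add one so later diffs stay clean.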
diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md
index b51e38cfae..68f85b8215 100644
--- a/windows/deployment/add-store-apps-to-image.md
+++ b/windows/deployment/add-store-apps-to-image.md
@@ -30,8 +30,7 @@ This topic describes the correct way to add Microsoft Store for Business applica
* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images.
-* Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/store-for-business/distribute-offline-apps#download-an-offline-licensed-app).
-deploy-windows-cm
+* Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app).
* A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md).
>[!NOTE]
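Review bot: the replacement link changes both the form and the path, from the relative `/store-for-business/distribute-offline-apps#download-an-offline-licensed-app` to the absolute `https://docs.microsoft.com/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app`; confirm that the `microsoft-store` path and the anchor resolve, since absolute URLs are not checked by the build's link validation. Removing the stray `deploy-windows-cm` line that had been pasted into the list is correct.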
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index bc0b6b6602..cff09982d3 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -25,18 +25,20 @@ ms.topic: article
This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization.
- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/index).
-- For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history).
-## Recent additions to this page
+## Latest news
-[SetupDiag](#setupdiag) 1.6 is released.
-The [Windows ADK for Windows 10, version 1903](https://docs.microsoft.com/windows-hardware/get-started/adk-install) is available.
-New [Windows Autopilot](#windows-autopilot) content is available.
-[Windows 10 Subscription Activation](#windows-10-subscription-activation) now supports Windows 10 Education.
+[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later.
+The [Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/adk-install) is available.
+New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
+VPN support is added to [Windows Autopilot](#windows-autopilot)
+An in-place upgrade wizard is available in [Configuration Manager](#microsoft-endpoint-configuration-manager).
+The [Windows ADK](#windows-assessment-and-deployment-kit-adk) for Windows 10, version 2004 is available.
+The Windows 10 deployment and update [landing page](index.yml) has been redesigned, with additional content added and more content coming soon.
## The Modern Desktop Deployment Center
-The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus.
+The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Microsoft 365 Apps for enterprise.
## Microsoft 365
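Review bot: the Latest news list now announces the ADK for version 2004 twice, once as `The [Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/adk-install) is available.` and again as `The [Windows ADK](#windows-assessment-and-deployment-kit-adk) for Windows 10, version 2004 is available.`; keep one, preferably the in-page anchor, which leads to the download link anyway. `VPN support is added to [Windows Autopilot](#windows-autopilot)` is missing its terminating period. Also, these news lines sit on consecutive lines with no blank line or bullet between them, so markdown renders them as one run-on paragraph; make them a bullet list.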
@@ -49,16 +51,43 @@ See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, whic
## Windows 10 servicing and support
-- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
-- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
-- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
+### Delivery Optimization
+
+Windows PowerShell cmdlets for Delivery Optimization have been improved:
+
+- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peak behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
+- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
+- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting.
+
+Additional improvements in [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) include:
+- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
+- Automatic cloud-based congestion detection is available for PCs with cloud service support.
+- Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
+
+The following Delivery Optimization policies are removed in the Windows 10, version 2004 release:
+
+- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
+ - Reason: Replaced with separate policies for foreground and background
+- Max Upload Bandwidth (DOMaxUploadBandwidth)
+ - Reason: impacts uploads to internet peers only, which isn't used in Enterprises.
+- Absolute max throttle (DOMaxDownloadBandwidth)
+ - Reason: separated to foreground and background
+
+### Windows Update for Business
+
+[Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include:
+- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
+- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.
+
+- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
+- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
- **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
-Microsoft previously announced that we are [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below.
+Microsoft previously announced that we are [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below.
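Review bot: three typos in the new Delivery Optimization text: `real-time peak behind the scenes` should be `peek`, `Use the **-ListConnections** option to for in-depth look` should read `for an in-depth look`, and `is enabled with of [new policies]` should drop `of`. In the Windows Update for Business section, the sentence `we have created a new policy that enables admins to opt devices out of the built-in safeguard holds` names neither the policy nor a link; because opting out removes the protection that keeps known-bad updates off affected devices, give the policy name and link its documentation so readers understand what they are disabling. The second bullet list starting at `- [**Automatic Restart Sign-on (ARSO)**]` is separated from the first by a blank line and mixes items (ARSO, rollback, pause, notifications) that are not specific to the Windows Update for Business heading it now falls under; either add a lead-in sentence or move them to a general servicing subsection. Pre-existing in the context line, but worth fixing while here: `Quality of driver updates` should be `quality or driver updates`.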

@@ -70,13 +99,16 @@ Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel o
For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
-
## Deployment solutions and tools
### Windows Autopilot
[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices.
+With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
+
+If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles.
+
The following Windows Autopilot features are available in Windows 10, version 1903 and later:
- [Windows Autopilot for white glove deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
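Review bot: `With the release of Windows 10, version 2004 you can configure` needs a comma after `2004`, and `backported to Windows 10, version 1909 and 1903` should read `versions 1909 and 1903`. The sentence about skipping the language, locale and keyboard pages states the Ethernet condition but not what happens on Wi-Fi; one clause saying the pages are still shown there would avoid the obvious follow-up question.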
@@ -85,6 +117,10 @@ The following Windows Autopilot features are available in Windows 10, version 19
- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
+### Microsoft Endpoint Configuration Manager
+
+An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
+
### Windows 10 Subscription Activation
Windows 10 Education support has been added to Windows 10 Subscription Activation.
@@ -93,9 +129,11 @@ With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to
### SetupDiag
-[SetupDiag](upgrade/setupdiag.md) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
+[SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues.
-SetupDiag version 1.6.0.42 was released on 08/08/2019.
+In Windows 10, version 2004, SetupDiag is now automatically installed.
+
+During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there is an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup.
### Upgrade Readiness
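Review bot: `extract all its sources files` should be `source files`. The two paths in the same sentence are formatted differently (`**%SystemDrive%\$Windows.~bt\Sources**` in bold, `%SystemDrive%\Windows.Old` plain); pick one style, and inline code is the safer choice for paths containing `$` and `\`, which markdown may otherwise interpret. The paragraph says SetupDiag is run automatically when the upgrade fails but not where its results are written, so a reader cannot act on the statement; add the output location or link to the section of the SetupDiag topic that covers it.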
@@ -131,21 +169,21 @@ There are many benefits to converting the partition style of a disk to GPT, incl
For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
-
### Microsoft Deployment Toolkit (MDT)
-MDT build 8456 (12/19/2018) is available, including support for Windows 10, version 1809, and Windows Server 2019.
-
-For more information about MDT, see the [MDT resource page](https://docs.microsoft.com/sccm/mdt/).
+MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019. There is currently an issue that causes MDT to incorrectly detect that UEFI is present in Windows 10, version 2004. This issue is currently under investigation.
+For the latest information about MDT, see the [MDT release notes](https://docs.microsoft.com/mem/configmgr/mdt/release-notes).
### Windows Assessment and Deployment Kit (ADK)
-The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. See the following topics:
+The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
-- [What's new in ADK kits and tools](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools)
-- [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)
+Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
+For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
+
+Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
## Testing and validation guidance
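Review bot: `MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, ...` and `For the latest information about MDT, see the [MDT release notes]...` are adjacent lines with no blank line between them, so they render as one paragraph; the same applies to `Download the Windows ADK and Windows PE add-on ...` followed directly by `For information about what's new in the ADK ...`. The known-issue sentence (`There is currently an issue that causes MDT to incorrectly detect that UEFI is present in Windows 10, version 2004. This issue is currently under investigation.`) carries no date and no link, so it will go stale silently; link the release-notes entry that tracks it. `[here]` as link text is poor for accessibility and search; use the destination's name as the link text.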
@@ -159,25 +197,15 @@ For more information, see the following guides:
- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
- [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
-
## Troubleshooting guidance
[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The topic provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
-
-## Online content change history
-
-The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10.
-
-[Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
-[Change history for Device Security](/windows/device-security/change-history-for-device-security)
-[Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
-
## Related topics
-[Overview of Windows as a service](update/waas-overview.md)
- [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
- [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information)
- [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)
- [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
- [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
+[Overview of Windows as a service](update/waas-overview.md)
+[Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
+[Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information)
+[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)
+[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
+[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
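Review bot: the Related topics links are changed from a bullet list to bare consecutive lines; without blank lines or hard breaks between them, markdown renders them as a single paragraph with the six links run together, so keep the `- ` bullets (or separate the lines). Removing the `Online content change history` section is consistent with dropping its link at the top of the file, but confirm no other page links to the `#online-content-change-history` anchor before merging.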
diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index 091ae48f32..5ff94676d8 100644
--- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -21,7 +21,7 @@ ms.topic: article
- Windows 10
-In Microsoft Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
+In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
- The boot image that is created is based on the version of ADK that is installed.
For the purposes of this guide, we will use one server computer: CM01.
@@ -90,7 +90,6 @@ Next, see [Add a Windows 10 operating system image using Configuration Manager](
## Related topics
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
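Review bot: removing `[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)` from Related topics only makes sense if that topic has been retired or redirected; if it still exists, this removal orphans it from the page's navigation, so state the reason in the PR or restore the link. The typo fix `Microsoft Microsoft Endpoint Configuration Manager` in the preceding hunk is correct.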
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index aada4ef42f..c55b476746 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -160,10 +160,10 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
### Create configuration file: Microsoft Office 365 Professional Plus x64
1. After downloading the most current version of the Office Deployment tool from the Microsoft Download Center using the link provided above, run the self-extracting executable file and extract the files to **D:\\Downloads\\Office365**. The Office Deployment Tool (setup.exe) and several sample configuration.xml files will be extracted.
-2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Office 365 ProPlus that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename.
+2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Microsoft 365 Apps for enterprise that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename.
For example, you can use the following configuration.xml file, which provides these configuration settings:
- - Install the 64-bit version of Office 365 ProPlus in English directly from the Office Content Delivery Network (CDN) on the internet. Note: 64-bit is now the default and recommended edition.
+ - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. Note: 64-bit is now the default and recommended edition.
- Use the Semi-Annual Channel and get updates directly from the Office CDN on the internet.
- Perform a silent installation. You won’t see anything that shows the progress of the installation and you won’t see any error messages.
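Review bot: The product rename is incomplete within this section: the heading on the unchanged context line "### Create configuration file: Microsoft Office 365 Professional Plus x64" still uses the old name while every body line below it now says "Microsoft 365 Apps for enterprise". Update the heading in the same change (and check the download list referenced in the hunk header, which sits above this hunk) so the section does not introduce the product under one name and install it under another.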
@@ -179,7 +179,7 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
```
- By using these settings, any time you build the reference image you’ll be installing the most up-to-date Semi-Annual Channel version of Office 365 ProPlus.
+ By using these settings, any time you build the reference image you’ll be installing the most up-to-date Semi-Annual Channel version of Microsoft 365 Apps for enterprise.
>[!TIP]
>You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file.
@@ -190,16 +190,16 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.

- Assuming you have named the file "configuration.xml" as shown above, we will use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This will perform the installation of Office 365 ProPlus using the configuration settings in the configuration.xml file. Do not perform this step yet.
+ Assuming you have named the file "configuration.xml" as shown above, we will use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Do not perform this step yet.
>[!IMPORTANT]
- >After Office 365 ProPlus is installed on the reference image, do NOT open any Office programs. if you open an Office program, you are prompted to sign-in, which activates the installation of Office 365 ProPlus. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Office 365 ProPlus installed as part of your reference image.
+ >After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you are prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image.
Additional information
-- Office 365 ProPlus is usually updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). That means that once you’ve deployed your reference image, Office 365 ProPlus will most likely need to download and install the latest updates that have been released since you created your reference image.
+- Microsoft 365 Apps for enterprise is usually updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). That means that once you’ve deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image.
-- **Note**: By using installing Office Deployment Tool as part of the reference image, Office 365 ProPlus is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Office 365 ProPlus right away and won’t have to download any new updates (which is most likely what would happen if Office 365 ProPlus was installed as part of the reference image.)
- - When you are creating your reference image, instead of installing Office 365 ProPlus directly from the Office CDN on the internet, you can install Office 365 ProPlus from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Office 365 ProPlus from that location on to your reference image. As part of that, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Office 365 ProPlus files. If you decide to do this, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Office 365 ProPlus to that location on your internal network. That way your new reference image will have a more up-to-date installation of Office 365 ProPlus.
+- **Note**: By using installing Office Deployment Tool as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won’t have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.)
+ - When you are creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise.
### Connect to the deployment share using Windows PowerShell
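Review bot: Since these lines are being rewritten anyway, the wording errors carried over from the `-` lines into the `+` lines should be fixed here. In the IMPORTANT note, "do NOT open any Office programs. if you open" needs a capital "If", and "prompted to sign-in" should be "prompted to sign in" (verb, not noun). In the first Additional information bullet, "By using installing Office Deployment Tool as part of the reference image" should read "By installing the Office Deployment Tool as part of the reference image", "rather than including Office apps part of the reference image" is missing "as", and the closing parenthesis sits after the period ("reference image.)").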
@@ -353,7 +353,7 @@ On **MDT01**:
6. **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings:
1. Name: Microsoft Visual C++ Redistributable 2019 - x86
2. Install a Single Application: browse to **Install - MSVC 2019 - x86**
- 7. Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Office 365 ProPlus as well.
+ 7. Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well.
3. Click **OK**.

diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index 2245bcd552..52246fddfd 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -151,7 +151,7 @@ $oulist = Import-csv -Path c:\oulist.txt
ForEach($entry in $oulist){
$ouname = $entry.ouname
$oupath = $entry.oupath
- New-ADOrganizationalUnit -Name $ouname -Path $oupath -WhatIf
+ New-ADOrganizationalUnit -Name $ouname -Path $oupath
Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath"
}
```
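Review bot: Dropping `-WhatIf` changes this from a dry run into a script that creates organizational units in Active Directory the moment it is run; make sure the prose around the code block (outside this hunk) no longer describes the output as a preview, and consider telling the reader to run it once with `-WhatIf` before the real run. Separately, the line `Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath"` reports success unconditionally: `New-ADOrganizationalUnit` raises a non-terminating error when, for example, the `-Path` does not exist or the OU already exists, so the loop prints a green success message for entries that failed. Adding `-ErrorAction Stop` and wrapping the call in try/catch, or checking `$?` before the `Write-Host`, makes the output trustworthy.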
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index d54f06dc77..4872285d93 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -31,15 +31,15 @@ To configure your environment for BitLocker, you will need to do the following:
4. Configure the rules (CustomSettings.ini) for BitLocker.
> [!NOTE]
-> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
+> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
> [!NOTE]
-> Backing up TMP to Active Directory was supported only on Windows 10 version 1507 and 1511.
+> Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511.
>[!NOTE]
->Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
-
+>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
+
For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
## Configure Active Directory for BitLocker
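Review bot: The hunk leaves three NOTE blocks in a row that partly contradict each other: the first and third both recommend storing BitLocker recovery information (the third adds TPM owner information) in Active Directory, while the second says "Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511". Since the third note is being edited here, either fold it into the first (they repeat the same opening sentence and the same MBAM sentence, which also appears unquoted directly after the first note) or qualify the TPM owner-information advice with that version limitation. On the link itself, the new target is an archived Windows 7 page (previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)) while the first note links the current windows/security TPM article for the same topic; pointing both notes at the current article avoids sending readers to retired content. The first `-`/`+` pair appears identical apart from whitespace; confirm that is intentional and not an editor artifact.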
@@ -88,14 +88,13 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor
3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives
2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy.
3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy.
- Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services
> [!NOTE]
> If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.
### Set permissions in Active Directory for BitLocker
-In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01.
+In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://gallery.technet.microsoft.com/ScriptCenter/b4dee016-053e-4aa3-a278-3cebf70d1191) from Microsoft to C:\\Setup\\Scripts on DC01.
1. On DC01, start an elevated PowerShell prompt (run as Administrator).
2. Configure the permissions by running the following command:
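Review bot: The removed line "Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services" is the only Group Policy path visible in these steps; if it served as the location heading for the TPM backup policy, its removal leaves the reader without a path. Confirm the steps above the hunk still state where each policy lives, and that the "Configure TPM platform validation profile" policies in steps 2 and 3 are listed under their own (BitLocker) path rather than this one. For the link change: the guide has the reader download Add-TPMSelfWriteACE.vbs and run it from an elevated PowerShell prompt on a domain controller, so a stable, Microsoft-maintained location is preferable to a gallery.technet.microsoft.com link, and the text should tell the reader to verify the script's origin and contents before running it with those privileges.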
diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md
index b54532b820..52cc80097b 100644
--- a/windows/deployment/deploy-windows-to-go.md
+++ b/windows/deployment/deploy-windows-to-go.md
@@ -25,8 +25,8 @@ ms.topic: article
This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment.
->[!IMPORTANT]
->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
+> [!IMPORTANT]
+> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
## Deployment tips
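Review bot: "Windows To Go is removed in Windows 10, version 2004 and later operating systems" should be past tense and should scope the rest of the topic, for example "Windows To Go was removed in Windows 10, version 2004, and is not available in that or later versions." The opening paragraph still says "This topic helps you to deploy Windows To Go", so the note should also say which versions the procedure still applies to (version 1909 and earlier); otherwise a reader on 2004 follows the steps to nowhere. The two trailing sentences about feature updates and OEM USB support were the rationale for the original "no longer being developed" wording and read oddly after a statement that the feature is gone; consider trimming them or reframing them as the reasons for removal.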
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index 4680e56b08..d86cb2f2a8 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -1,6 +1,6 @@
---
title: Deploy Windows 10 (Windows 10)
-description: Deploying Windows 10 for IT professionals.
+description: Learn Windows 10 upgrade options for planning, testing, and managing your production deployment.
ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/images/sccm-asset.PNG b/windows/deployment/images/configmgr-asset.png
similarity index 100%
rename from windows/deployment/images/sccm-asset.PNG
rename to windows/deployment/images/configmgr-asset.png
diff --git a/windows/deployment/images/configmgr-assets.PNG b/windows/deployment/images/configmgr-assets.PNG
new file mode 100644
index 0000000000..ac315148c5
Binary files /dev/null and b/windows/deployment/images/configmgr-assets.PNG differ
diff --git a/windows/deployment/images/configmgr-assets.png b/windows/deployment/images/configmgr-assets.png
new file mode 100644
index 0000000000..ac315148c5
Binary files /dev/null and b/windows/deployment/images/configmgr-assets.png differ
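Review bot: Two new binary files are added with the same blob (index ac315148c5) and names that differ only in extension case: configmgr-assets.PNG and configmgr-assets.png. On case-insensitive file systems (Windows, default macOS) these are the same path, so a checkout either fails or one file silently overwrites the other. Keep one, preferably the lowercase .png to match the sccm-asset.PNG to configmgr-asset.png rename just above, and fix whichever article references the other. Note also that the remaining image renames in this patch keep the uppercase .PNG extension, so the directory ends up with a mix of both conventions.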
diff --git a/windows/deployment/images/sccm-client.PNG b/windows/deployment/images/configmgr-client.PNG
similarity index 100%
rename from windows/deployment/images/sccm-client.PNG
rename to windows/deployment/images/configmgr-client.PNG
diff --git a/windows/deployment/images/sccm-collection.PNG b/windows/deployment/images/configmgr-collection.PNG
similarity index 100%
rename from windows/deployment/images/sccm-collection.PNG
rename to windows/deployment/images/configmgr-collection.PNG
diff --git a/windows/deployment/images/sccm-install-os.PNG b/windows/deployment/images/configmgr-install-os.PNG
similarity index 100%
rename from windows/deployment/images/sccm-install-os.PNG
rename to windows/deployment/images/configmgr-install-os.PNG
diff --git a/windows/deployment/images/sccm-post-refresh.PNG b/windows/deployment/images/configmgr-post-refresh.PNG
similarity index 100%
rename from windows/deployment/images/sccm-post-refresh.PNG
rename to windows/deployment/images/configmgr-post-refresh.PNG
diff --git a/windows/deployment/images/sccm-pxe.PNG b/windows/deployment/images/configmgr-pxe.PNG
similarity index 100%
rename from windows/deployment/images/sccm-pxe.PNG
rename to windows/deployment/images/configmgr-pxe.PNG
diff --git a/windows/deployment/images/sccm-site.PNG b/windows/deployment/images/configmgr-site.PNG
similarity index 100%
rename from windows/deployment/images/sccm-site.PNG
rename to windows/deployment/images/configmgr-site.PNG
diff --git a/windows/deployment/images/sccm-software-cntr.PNG b/windows/deployment/images/configmgr-software-cntr.PNG
similarity index 100%
rename from windows/deployment/images/sccm-software-cntr.PNG
rename to windows/deployment/images/configmgr-software-cntr.PNG
diff --git a/windows/deployment/images/fig16-contentstatus.png b/windows/deployment/images/fig16-contentstatus.png
new file mode 100644
index 0000000000..f48490b97d
Binary files /dev/null and b/windows/deployment/images/fig16-contentstatus.png differ
diff --git a/windows/deployment/images/fig18-distwindows.png b/windows/deployment/images/fig18-distwindows.png
index 6e696e321d..07ff1b74c6 100644
Binary files a/windows/deployment/images/fig18-distwindows.png and b/windows/deployment/images/fig18-distwindows.png differ
diff --git a/windows/deployment/images/mdt-06-fig06.png b/windows/deployment/images/mdt-06-fig06.png
index 324c8960c1..69e2b89c1e 100644
Binary files a/windows/deployment/images/mdt-06-fig06.png and b/windows/deployment/images/mdt-06-fig06.png differ
diff --git a/windows/deployment/images/mdt-06-fig08.png b/windows/deployment/images/mdt-06-fig08.png
index 086a3961a3..25c8a0a445 100644
Binary files a/windows/deployment/images/mdt-06-fig08.png and b/windows/deployment/images/mdt-06-fig08.png differ
diff --git a/windows/deployment/images/sccm-assets.PNG b/windows/deployment/images/sccm-assets.PNG
deleted file mode 100644
index 264606c2ab..0000000000
Binary files a/windows/deployment/images/sccm-assets.PNG and /dev/null differ
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index 4cdab97bba..70fa4b92c9 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -1,105 +1,117 @@
-### YamlMime:YamlDocument
+### YamlMime:Landing
+
+title: Windows 10 deployment resources and documentation # < 60 chars
+summary: Learn about deploying and and keeping Windows 10 up to date. # < 160 chars
-documentType: LandingData
-title: Deploy and update Windows 10
metadata:
- document_id:
- title: Deploy and update Windows 10
- description: Deploying and updating Windows 10 for IT professionals.
- keywords: deploy, update, Windows, service, Microsoft365, e5, e3
- ms.localizationpriority: high
- author: greg-lindsay
- ms.author: greglin
- manager: laurawi
- ms.topic: article
- ms.devlang: na
+ title: Windows 10 deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
+ description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
+ services: windows-10
+ ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
+ ms.subservice: subservice
+ ms.topic: landing-page # Required
+ ms.collection: windows-10
+ author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
+ ms.author: greglin #Required; microsoft alias of author; optional team alias.
+ ms.date: 06/09/2020 #Required; mm/dd/yyyy format.
+ localization_priority: medium
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card (optional)
+ - title: Deploy Windows 10
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Windows 10 deployment scenarios
+ url: windows-10-deployment-scenarios.md
+
+ - linkListType: get-started
+ links:
+ - text: Demonstrate Autopilot deployment
+ url: windows-autopilot/demonstrate-deployment-on-vm.md
+ - text: Deploy Windows 10 in a test lab
+ url: windows-10-poc.md
+
+ # Card (optional)
+ - title: Update Windows 10
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: What is Windows as a service?
+ url: update/waas-overview.md
+ - text: Types of Windows updates
+ url: update/waas-quick-start.md#definitions
+ - linkListType: get-started
+ links:
+ - text: Servicing the Windows 10 operating system
+ url: update/waas-servicing-strategy-windows-10-updates.md
+
+
+ # Card (optional)
+ - title: Deployment planning
+ linkLists:
+ - linkListType: architecture
+ links:
+ - text: Create a deployment plan
+ url: update/create-deployment-plan.md
+ - text: Define readiness criteria
+ url: update/plan-define-readiness.md
+ - text: Evaluate infrastructure and tools
+ url: update/eval-infra-tools.md
+ - text: Determine application readiness
+ url: update/plan-determine-app-readiness.md
+ - text: Define your servicing strategy
+ url: update/waas-servicing-strategy-windows-10-updates.md
+
+ # Card
+ - title: Prepare to deploy Windows 10
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Prepare for Zero Touch Installation with Configuration Manager
+ url: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+ - text: Prepare to deploy Windows 10 with MDT
+ url: deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+ - text: Evaluate and update infrastructure
+ url: update/update-policies.md
+ - text: Build a successful servicing strategy
+ url: update/waas-deployment-rings-windows-10-updates.md
+
+ # Card
+ - title: Deploy and update Windows 10
+ linkLists:
+ - linkListType: deploy
+ links:
+ - text: Windows Autopilot scenarios and capabilities
+ url: windows-autopilot/windows-autopilot-scenarios.md
+ - text: Deploy Windows 10 to a new device with Configuration Manager
+ url: deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
+ - text: Deploy a Windows 10 image using MDT
+ url: deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+ - text: Assign devices to servicing channels
+ url: update/waas-servicing-channels-windows-10-updates.md
+ - text: Deploy Windows 10 updates
+ url: update/waas-servicing-channels-windows-10-updates.md
+ - text: Resolve Windows 10 upgrade errors
+ url: upgrade/resolve-windows-10-upgrade-errors.md
+
+ # Card (optional)
+ - title: Windows 10 resources
+ linkLists:
+ - linkListType: reference
+ links:
+ - text: Windows 10 release information
+ url: https://docs.microsoft.com/windows/release-information/
+ - text: What's new in Windows 10
+ url: https://docs.microsoft.com/windows/whats-new/
+ - text: Windows 10 Enterprise Security
+ url: https://docs.microsoft.com/windows/security/
+ - text: Desktop Deployment Center
+ url: https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home
+ - text: Microsoft 365 solution and architecture center
+ url: https://docs.microsoft.com/microsoft-365/solutions/?view=o365-worldwide
-sections:
-- items:
- - type: markdown
- text: Learn about deployment of Windows 10 for IT professionals. This includes deploying the operating system, upgrading to it from previous versions and updating Windows 10.
-- items:
- - type: list
- style: cards
- className: cardsM
- columns: 3
- items:
- - href: windows-10-deployment-scenarios
- html:
Understand the different ways that Windows 10 can be deployed
- image:
- src: https://docs.microsoft.com/media/common/i_upgrade.svg
- title: Windows as a service
- - href: windows-autopilot/windows-autopilot
- html:
Windows Autopilot greatly simplifies deployment of Windows devices
To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task.
Windows Autopilot enables an IT department to pre-configure new devices and repurpose existing devices with a simple process that requires little to no infrastructure.
Windows 10 Enterprise has traditionally been sold as on premises software, however, with Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as true online services via subscription. You can move from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots. If you are using a Cloud Service Providers (CSP) see the related topic: [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
-
[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
-
- "
-- title: Deploy Windows 10
-- items:
- - type: markdown
- text: "
- Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment.
-
-
Topic
Description
-
[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md)
Windows Autopilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices.
This topic provides information about media available in the Microsoft Volume Licensing Service Center.
-
[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
-
[Windows 10 deployment test lab](windows-10-poc.md)
This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md).
-
[Plan for Windows 10 deployment](planning/index.md)
This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning.
-
[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT).
-
[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-cm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or.
Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more.
-
- "
-- title: Update Windows 10
-- items:
- - type: markdown
- text: "
- Information is provided about keeping Windows 10 up-to-date.
-
-
Topic
Description
-
[Quick guide to Windows as a service](update/waas-quick-start.md)
Provides a brief summary of the key points for the new servicing model for Windows 10.
-
[Overview of Windows as a service](update/waas-overview.md)
Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools.
-
[Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
Explains the decisions you need to make in your servicing strategy.
-
[Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates.
-
[Assign devices to servicing branches for Windows 10 updates](update/waas-servicing-branches-windows-10-updates.md)
Explains how to assign devices to Current Branch (CB) or Current Branch for Business (CBB) for feature and quality updates, and how to enroll devices in Windows Insider.
-
[Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
Explains how to use Windows Analytics: Update Compliance to monitor and manage Windows Updates on devices in your organization.
-
[Optimize update delivery for Windows 10 updates](update/waas-optimize-windows-10-updates.md)
Explains the benefits of using Delivery Optimization or BranchCache for update distribution.
-
[Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md)
Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile.
-
[Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md)
Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune.
-
[Deploy Windows 10 updates using Windows Server Update Services (WSUS)](update/waas-manage-updates-wsus.md)
Explains how to use WSUS to manage Windows 10 updates.
-
[Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md)
Explains how to use Configuration Manager to manage Windows 10 updates.
-
[Manage device restarts after updates](update/waas-restart.md)
Explains how to manage update related device restarts.
-
[Manage additional Windows Update settings](update/waas-wu-settings.md)
Provides details about settings available to control and configure Windows Update.
-
[Windows Insider Program for Business](update/waas-windows-insider-for-business.md)
Explains how the Windows Insider Program for Business works and how to become an insider.
[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md)
This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile.
-
- "
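Review bot: every entry in this deleted index block (from "Build deployment rings for Windows 10 updates" through "Upgrade a Windows Phone 8.1 to Windows 10 Mobile") points at an update/ or upgrade/ topic that is not touched anywhere else in this diff, so confirm each target is still reachable from another TOC or is mapped in the redirection file; otherwise those pages become orphans. If the block is being re-homed rather than dropped, refresh its wording at the same time: the servicing-branches entry still describes Current Branch (CB) and Current Branch for Business (CBB), while the deployment-considerations page rewritten later in this same diff already uses "Semi-Annual Channel".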
diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.pdf b/windows/deployment/media/Windows10DeploymentConfigManager.pdf
index ac27941579..3a4c5f022e 100644
Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.pdf and b/windows/deployment/media/Windows10DeploymentConfigManager.pdf differ
diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx b/windows/deployment/media/Windows10DeploymentConfigManager.vsdx
index 5c5328cb5f..8b2db358ff 100644
Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx and b/windows/deployment/media/Windows10DeploymentConfigManager.vsdx differ
diff --git a/windows/deployment/media/windows10-deployment-config-manager.png b/windows/deployment/media/windows10-deployment-config-manager.png
index 9a3ae2b1f5..509e041741 100644
Binary files a/windows/deployment/media/windows10-deployment-config-manager.png and b/windows/deployment/media/windows10-deployment-config-manager.png differ
diff --git a/windows/deployment/planning/TOC.md b/windows/deployment/planning/TOC.md
deleted file mode 100644
index fc4cb8fefa..0000000000
--- a/windows/deployment/planning/TOC.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# [Plan for Windows 10 deployment](index.md)
-## [Windows 10 Enterprise FAQ for IT Pros](windows-10-enterprise-faq-itpro.md)
-## [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
-## [Windows 10 compatibility](windows-10-compatibility.md)
-## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
-
-## Features removed or planned for replacement
-### [Windows 10 features lifecycle](features-lifecycle.md)
-### [Features we're no longer developing](windows-10-deprecated-features.md)
-### [Features we removed](windows-10-removed-features.md)
-
-## Application Compatibility Toolkit (ACT)
-### [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md)
-### [SUA User's Guide](sua-users-guide.md)
-#### [Using the SUA Wizard](using-the-sua-wizard.md)
-#### [Using the SUA Tool](using-the-sua-tool.md)
-##### [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md)
-##### [Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md)
-##### [Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md)
-##### [Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md)
-### [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
-#### [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
-##### [Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md)
-##### [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md)
-##### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)
-##### [Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md)
-##### [Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
-##### [Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md)
-##### [Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md)
-##### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)
-##### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)
-#### [Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)
-##### [Understanding and Using Compatibility Fixes](understanding-and-using-compatibility-fixes.md)
-##### [Compatibility Fix Database Management Strategies and Deployment](compatibility-fix-database-management-strategies-and-deployment.md)
-##### [Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md)
-#### [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)
-### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
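Review bot: deleting windows/deployment/planning/TOC.md removes the only navigation shown here for index.md, the three features-lifecycle pages and the whole ACT, SUA and Compatibility Administrator tree, and nothing else in this diff adds those entries to a parent TOC. Either that move is in a separate commit, in which case the commit message should say where the entries now live, or the redirection file has to cover all of them.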
diff --git a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
index 0652569347..41c34aec02 100644
--- a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
+++ b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
@@ -1,54 +1,55 @@
----
-title: Best practice recommendations for Windows To Go (Windows 10)
-description: Best practice recommendations for Windows To Go
-ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: best practices, USB, device, boot
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: mobility
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Best practice recommendations for Windows To Go
-
-
-**Applies to**
-
-- Windows 10
-
->[!IMPORTANT]
->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
-The following are the best practice recommendations for using Windows To Go:
-
-- Always shut down Windows and wait for shutdown to complete before removing the Windows To Go drive.
-- Do not insert the Windows To Go drive into a running computer.
-- Do not boot the Windows To Go drive from a USB hub. Always insert the Windows To Go drive directly into a port on the computer.
-- If available, use a USB 3.0 port with Windows To Go.
-- Do not install non-Microsoft core USB drivers on Windows To Go.
-- Suspend BitLocker on Windows host computers before changing the BIOS settings to boot from USB and then resume BitLocker protection.
-
-Additionally, we recommend that when you plan your deployment you should also plan a standard operating procedure for answering questions about which USB drives can be used for Windows To Go and how to enable booting from USB to assist your IT department or help desk in supporting users and work groups that want to use Windows To Go. It may be very helpful for your organization to work with your hardware vendors to create an IT standard for USB drives for use with Windows To Go, so that if groups within your organization want to purchase drives they can quickly determine which ones they should obtain.
-
-## More information
-
-
-[Windows To Go: feature overview](windows-to-go-overview.md)
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
-
-
-
-
-
-
-
-
-
+---
+title: Best practice recommendations for Windows To Go (Windows 10)
+description: Best practice recommendations for Windows To Go
+ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: best practices, USB, device, boot
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: mobility
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Best practice recommendations for Windows To Go
+
+
+**Applies to**
+
+- Windows 10
+
+> [!IMPORTANT]
+> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
+
+The following are the best practice recommendations for using Windows To Go:
+
+- Always shut down Windows and wait for shutdown to complete before removing the Windows To Go drive.
+- Do not insert the Windows To Go drive into a running computer.
+- Do not boot the Windows To Go drive from a USB hub. Always insert the Windows To Go drive directly into a port on the computer.
+- If available, use a USB 3.0 port with Windows To Go.
+- Do not install non-Microsoft core USB drivers on Windows To Go.
+- Suspend BitLocker on Windows host computers before changing the BIOS settings to boot from USB and then resume BitLocker protection.
+
+Additionally, we recommend that when you plan your deployment you should also plan a standard operating procedure for answering questions about which USB drives can be used for Windows To Go and how to enable booting from USB to assist your IT department or help desk in supporting users and work groups that want to use Windows To Go. It may be very helpful for your organization to work with your hardware vendors to create an IT standard for USB drives for use with Windows To Go, so that if groups within your organization want to purchase drives they can quickly determine which ones they should obtain.
+
+## More information
+
+
+[Windows To Go: feature overview](windows-to-go-overview.md)
+[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
+[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
+[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
+[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
+
+
+
+
+
+
+
+
+
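Review bot: the only substantive change in this hunk is the IMPORTANT banner ("no longer being developed" to "removed in Windows 10, version 2004 and later operating systems"), yet all 54 lines are deleted and re-added; the one line that survives as unchanged context, "author: greg-lindsay", is the tell that the rest of the old file had different line endings, so this is a line-ending normalization. If that is intended, say so in the commit message; otherwise re-save with the original endings so reviewers see a one-line diff. While the file is being rewritten anyway, drop the nine trailing blank lines after the "More information" links, and consider making the security consequence of the banner explicit: a Windows To Go workspace cannot take feature updates, so it stays on its original Windows 10 release and stops getting fixes once that release leaves servicing. The BitLocker bullet (suspend before changing BIOS settings to boot from USB, resume afterwards) is still correct and should stay as is.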
diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
index d57413d357..8724e8278a 100644
--- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
@@ -23,7 +23,7 @@ ms.topic: article
- Windows 10
> [!IMPORTANT]
-> Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
+> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
From the start, Windows To Go was designed to minimize differences between the user experience of working on a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place. Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs.
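Review bot: this one-line banner edit is applied by hand to five Windows To Go pages in this diff, and the wording has already changed once ("no longer being developed" to "removed in Windows 10, version 2004 and later"); consider moving the banner into a shared include so the next wording change is a single edit. Also make the page descriptions match: the new description in prepare-your-organization-for-windows-to-go.md still says the feature "is no longer being developed" while its banner now says it is removed.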
diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
index 08cbf28585..c896c72fde 100644
--- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
+++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
@@ -1,6 +1,6 @@
---
title: Prepare your organization for Windows To Go (Windows 10)
-description: Prepare your organization for Windows To Go
+description: Though Windows To Go is no longer being developed, you can find info here about the the “what”, “why”, and “when” of deployment.
ms.assetid: f3f3c160-90ad-40a8-aeba-2aedee18f7ff
ms.reviewer:
manager: laurawi
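Review bot: the new description line has a doubled word, "info here about the the “what”, “why”, and “when”"; change it to "about the “what”, “why”, and “when”". It also states that Windows To Go "is no longer being developed" while the banner edited two hunks down in this same file is changed to "removed in Windows 10, version 2004 and later operating systems"; use one statement in both places so the page does not contradict itself in its own metadata.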
@@ -22,8 +22,8 @@ ms.topic: article
- Windows 10
->[!IMPORTANT]
->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
+> [!IMPORTANT]
+> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the “what”, “why”, and “when” questions an IT professional might have when planning to deploy Windows To Go.
@@ -74,7 +74,7 @@ Because Windows To Go requires no additional software and minimal configuration,
Windows To Go uses volume activation. You can use either Active Directory-based activation or KMS activation with Windows To Go. The Windows To Go workspace counts as another installation when assessing compliance with application licensing agreements.
-Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Please note, due to the retail subscription activation method associated with Office 365 ProPlus, Office 365 ProPlus subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This is available to organizations who purchase Office 365 ProPlus or Office 365 Enterprise SKUs containing Office 365 ProPlus via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](https://go.microsoft.com/fwlink/p/?LinkId=618922).
+Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Please note, due to the retail subscription activation method associated with Microsoft 365 Apps for enterprise, Microsoft 365 Apps for enterprise subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This is available to organizations who purchase Microsoft 365 Apps for enterprise or Office 365 Enterprise SKUs containing Microsoft 365 Apps for enterprise via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](https://go.microsoft.com/fwlink/p/?LinkId=618922).
You should investigate other software manufacturer’s licensing requirements to ensure they are compatible with roaming usage before deploying them to a Windows To Go workspace.
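Review bot: the rename to "Microsoft 365 Apps for enterprise" is applied three times in the sentence, but the facts around it are left at 2013 vintage: it still grants "volume licensing activation rights for Office Professional Plus 2013 MSI" and still links to "Volume activation methods in Office 2013" (fwlink 618922). Pairing the current product name with the 2013 entitlement reads as a present-day statement, so either verify that the entitlement and link still hold for the renamed product or leave the historical name in this sentence and mark it as such. The lead-in "Please note, due to the retail subscription activation method associated with ..." is also awkward and would read better as "Because Microsoft 365 Apps for enterprise uses retail subscription activation, subscribers are provided ...".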
diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
index 905e495858..952f743607 100644
--- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
@@ -22,8 +22,8 @@ ms.topic: article
- Windows 10
->[!IMPORTANT]
->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
+> [!IMPORTANT]
+> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure.
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index a1156b67f9..acf11aa0ee 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -1,144 +1,132 @@
----
-title: Windows 10 deployment considerations (Windows 10)
-description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.
-ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, upgrade, update, in-place
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: plan
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Windows 10 deployment considerations
-
-
-**Applies to**
-
-- Windows 10
-
-There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.
-
-For many years, organizations have deployed new versions of Windows using a “wipe and load” deployment process. At a high level, this process captures existing data and settings from the existing device, deploys a new custom-built Windows image to a PC, injects hardware drivers, reinstalls applications, and finally restores the data and settings. With Windows 10, this process is still fully supported, and for some deployment scenarios is still necessary.
-
-Windows 10 also introduces two additional scenarios that organizations should consider:
-
-- **In-place upgrade**, which provides a simple, automated process that leverages the Windows setup process to automatically upgrade from an earlier version of Windows. This process automatically migrates existing data, settings, drivers, and applications.
-
-- **Dynamic provisioning**, which enables organizations to configure new Windows 10 devices for organization use without having to deploy a new custom organization image to the device.
-
- Both of these scenarios eliminate the image creation process altogether, which can greatly simplify the deployment process.
-
- So how do you choose? At a high level:
-
-
-
-
-
-
-
-
-
Consider ...
-
For these scenarios
-
-
-
-
-
In-place upgrade
-
-
When you want to keep all (or at least most) existing applications
-
When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)
-
To migrate from Windows 10 to a later Windows 10 release
-
-
-
-
Traditional wipe-and-load
-
-
When you upgrade significant numbers of applications along with the new Windows OS
-
When you make significant device or operating system configuration changes
-
When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs
-
When you migrate from Windows Vista or other previous operating system versions
-
-
-
-
Dynamic provisioning
-
-
For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required
-
When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps
-
-
-
-
-
-
-
-## Migration from previous Windows versions
-
-
-For existing PCs running Windows 7 or Windows 8.1, in-place upgrade is the recommended method for Windows 10 deployment and should be used whenever possible. Although wipe-and-load (OS refresh) deployments are still fully supported (and necessary in some scenarios, as mentioned previously), in-place upgrade is simpler and faster, and enables a faster Windows 10 deployment overall.
-
-Note that the original Windows 8 release is only supported until January 2016. Organizations that do not think they can complete a full Windows 10 migration by that date should deploy Windows 8.1 now and consider Windows 10 after Windows 8 has been removed from the environment.
-
-For existing Windows PCs running Windows Vista, you can perform wipe-and-load (OS refresh) deployments when you use compatible hardware.
-
-Note that to take advantage of the limited-time free upgrade offer for PCs running Windows 7, Windows 8, or Windows 8.1, you must leverage an in-place upgrade, either from Windows Update or by using the upgrade media available from the [Windows 10 software download page](https://go.microsoft.com/fwlink/p/?LinkId=625073) to acquire a new Windows 10 license from the Windows Store. For more information, refer to the [Windows 10 FAQ](https://go.microsoft.com/fwlink/p/?LinkId=625074).
-
-For organizations with Software Assurance for Windows, both in-place upgrade or wipe-and-load can be leveraged (with in-place upgrade being the preferred method, as previously discussed).
-
-For organizations that do not take advantage of the free upgrade offer and are not enrolled in Software Assurance for Windows, Windows 10 upgrade licenses are available for purchase through existing Volume License (VL) agreements.
-
-## Setup of new computers
-
-
-For new computers acquired with Windows 10 preinstalled, you can leverage dynamic provisioning scenarios to transform the device from its initial state into a fully-configured organization PC. There are two primary dynamic provisioning scenarios you can use:
-
-- **User-driven, from the cloud.** By joining a device into Azure Active Directory and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Azure Active Directory account and password (called their “work or school account” within Windows 10). The MDM service can then transform the device into a fully-configured organization PC. For more information, see [Azure Active Directory integration with MDM](https://go.microsoft.com/fwlink/p/?LinkId=625075).
-
-- **IT admin-driven, using new tools.** Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully-configured organization PC. For more information, see [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=625076).
-
-In either of these scenarios, you can make a variety of configuration changes to the PC:
-
-- Transform the edition (SKU) of Windows 10 that is in use.
-
-- Apply configuration and settings to the device (for example, security settings, device restrictions, policies, Wi-Fi and VPN profiles, certificates, and so on).
-
-- Install apps, language packs, and updates.
-
-- Enroll the device in a management solution (applicable for IT admin-driven scenarios, configuring the device just enough to allow the management tool to take over configuration and ongoing management).
-
-## Stay up to date
-
-
-For computers already running Windows 10 on the Semi-Annual Channel, new upgrades will periodically be deployed, approximately two to three times per year. You can deploy these upgrades by using a variety of methods:
-
-- Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet.
-
-- Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update). Note that this will require updates to WSUS, which are only available for Windows Server 2012 and Windows Server 2012 R2, not previous versions.
-
-- System Center Configuration Manager task sequences (with Configuration Manager 2012, 2012 R2, and later versions).
-
-- System Center Configuration Manager vNext software update capabilities (deploying like an update).
-
-Note that these upgrades (which are installed differently than monthly updates) will leverage an in-place upgrade process. Unlike updates, which are relatively small, these upgrades will include a full operating system image (around 3 GB for 64-bit operating systems), which requires time (1-2 hours) and disk space (approximately 10 GB) to complete. Ensure that the deployment method you use can support the required network bandwidth and/or disk space requirements.
-
-Over time, this upgrade process will be optimized to reduce the overall time and network bandwidth consumed.
-
-## Related topics
-
-
-[Windows 10 compatibility](windows-10-compatibility.md)
-
-[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
-
-
-
-
-
-
-
-
-
+---
+title: Windows 10 deployment considerations (Windows 10)
+description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.
+ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deploy, upgrade, update, in-place
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: plan
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows 10 deployment considerations
+
+
+**Applies to**
+
+- Windows 10
+
+There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.
+
+For many years, organizations have deployed new versions of Windows using a “wipe and load” deployment process. At a high level, this process captures existing data and settings from the existing device, deploys a new custom-built Windows image to a PC, injects hardware drivers, reinstalls applications, and finally restores the data and settings. With Windows 10, this process is still fully supported, and for some deployment scenarios is still necessary.
+
+Windows 10 also introduces two additional scenarios that organizations should consider:
+
+- **In-place upgrade**, which provides a simple, automated process that leverages the Windows setup process to automatically upgrade from an earlier version of Windows. This process automatically migrates existing data, settings, drivers, and applications.
+
+- **Dynamic provisioning**, which enables organizations to configure new Windows 10 devices for organization use without having to deploy a new custom organization image to the device.
+
+ Both of these scenarios eliminate the image creation process altogether, which can greatly simplify the deployment process.
+
+ So how do you choose? At a high level:
+
+
+
+
+
+
+
+
+
Consider ...
+
For these scenarios
+
+
+
+
+
In-place upgrade
+
+
When you want to keep all (or at least most) existing applications
+
When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)
+
To migrate from Windows 10 to a later Windows 10 release
+
+
+
+
Traditional wipe-and-load
+
+
When you upgrade significant numbers of applications along with the new Windows OS
+
When you make significant device or operating system configuration changes
+
When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs
+
When you migrate from Windows Vista or other previous operating system versions
+
+
+
+
Dynamic provisioning
+
+
For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required
+
When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps
+
+
+
+
+
+
+## Migration from previous Windows versions
+
+For existing PCs running Windows 7 or Windows 8.1, in-place upgrade is the recommended method for Windows 10 deployment and should be used whenever possible. Although wipe-and-load (OS refresh) deployments are still fully supported (and necessary in some scenarios, as mentioned previously), in-place upgrade is simpler and faster, and enables a faster Windows 10 deployment overall.
+
+The original Windows 8 release was only supported until January 2016. For devices running Windows 8.0, you can update to Windows 8.1 and then upgrade to Windows 10.
+
+For PCs running operating systems older than Windows 7, you can perform wipe-and-load (OS refresh) deployments when you use compatible hardware.
+
+For organizations with Software Assurance for Windows, both in-place upgrade or wipe-and-load can be leveraged (with in-place upgrade being the preferred method, as previously discussed).
+
+For organizations that did not take advantage of the free upgrade offer and are not enrolled in Software Assurance for Windows, Windows 10 upgrade licenses are available for purchase through existing Volume License (VL) agreements.
+
+## Setting up new computers
+
+For new computers acquired with Windows 10 preinstalled, you can leverage dynamic provisioning scenarios to transform the device from its initial state into a fully-configured organization PC. There are two primary dynamic provisioning scenarios you can use:
+
+- **User-driven, from the cloud.** By joining a device into Azure Active Directory and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Azure Active Directory account and password (called their “work or school account” within Windows 10). The MDM service can then transform the device into a fully-configured organization PC. For more information, see [Azure Active Directory integration with MDM](https://go.microsoft.com/fwlink/p/?LinkId=625075).
+
+- **IT admin-driven, using new tools.** Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully-configured organization PC. For more information, see [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=625076).
+
+In either of these scenarios, you can make a variety of configuration changes to the PC:
+
+- Transform the edition (SKU) of Windows 10 that is in use.
+- Apply configuration and settings to the device (for example, security settings, device restrictions, policies, Wi-Fi and VPN profiles, certificates, and so on).
+- Install apps, language packs, and updates.
+- Enroll the device in a management solution (applicable for IT admin-driven scenarios, configuring the device just enough to allow the management tool to take over configuration and ongoing management).
+
+## Stay up to date
+
+For computers already running Windows 10 on the Semi-Annual Channel, new upgrades will be deployed two times per year. You can deploy these upgrades by using a variety of methods:
+
+- Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet.
+- Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update).
+- Configuration Manager task sequences.
+- Configuration Manager software update capabilities (deploying like an update).
+
+These upgrades (which are installed differently than monthly updates) leverage an in-place upgrade process. Unlike updates, which are relatively small, these upgrades will include a full operating system image (around 3 GB for 64-bit operating systems), which requires time (1-2 hours) and disk space (approximately 10 GB) to complete. Ensure that the deployment method you use can support the required network bandwidth and/or disk space requirements.
+
+The upgrade process is also optimized to reduce the overall time and network bandwidth consumed.
+
+## Related topics
+
+
+[Windows 10 compatibility](windows-10-compatibility.md)
+[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
+
+
+
+
+
+
+
+
+
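Review bot: the two links under `## Related topics` (`[Windows 10 compatibility](...)` and `[Windows 10 infrastructure requirements](...)`) are on consecutive lines with no blank line or list marker between them, so Markdown renders them as a single line of running text; separate them with a blank line or make them a `-` list. The run of empty lines added at the end of the file is trailing whitespace that the markdown linter will flag; a single final newline is enough.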
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index 520d6cc598..fba2f6ef1d 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -21,11 +21,14 @@ The features described below are no longer being actively developed, and might b
**The following list is subject to change and might not include every affected feature or functionality.**
->If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
+> [!NOTE]
+> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
|Feature | Details and mitigation | Announced in version |
| ----------- | --------------------- | ---- |
-| Hyper-V vSwitch on LBFO | In a future release, the Hyper-V vSwitch will no longer have the capability to be bound to an LBFO team. Instead, it can be bound via [Switch Embedded Teaming](https://docs.microsoft.com/windows-server/virtualization/hyper-v-virtual-switch/rdma-and-switch-embedded-teaming#bkmk_sswitchembedded) (SET).| 1909 |
+| Companion Device Framework | The [Companion Device Framework](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |
+| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
+| Dynamic Disks | The [Dynamic Disks](https://docs.microsoft.com/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](https://docs.microsoft.com/windows-server/storage/storage-spaces/overview) in a future release.| 2004 |
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](https://docs.microsoft.com/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 |
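Review bot: the `Hyper-V vSwitch on LBFO` row is dropped from the deprecation table with no replacement entry in the removed-features hunks later in this patch (those gain ReFS, Cortana, Windows To Go and Mobile Plans rows, but not this one), so readers lose the pointer to Switch Embedded Teaming; either keep the row or move it to the removed-features table with a `Removed in version` value. Minor: the new `Microsoft Edge` row should link to what replaces the legacy browser, as the other new rows link their replacements.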
@@ -47,7 +50,6 @@ The features described below are no longer being actively developed, and might b
|Business Scanning| This feature is also called Distributed Scan Management (DSM) **(Added 05/03/2018)**
The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| 1803 |
|IIS 6 Management Compatibility* | We recommend that users use alternative scripting tools and a newer management console. | 1709 |
|IIS Digest Authentication | We recommend that users use alternative authentication methods.| 1709 |
-|Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 |
|RSA/AES Encryption for IIS | We recommend that users use CNG encryption provider. | 1709 |
|Screen saver functionality in Themes | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
|Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work. | 1709 |
@@ -63,4 +65,4 @@ The features described below are no longer being actively developed, and might b
|TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](https://docs.microsoft.com/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
|TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](https://docs.microsoft.com/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
|IPsec Task Offload| [IPsec Task Offload](https://docs.microsoft.com/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 |
-|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quite switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 Applies to Windows Server 2016 and Windows Server 2019 as well.|
+|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 Applies to Windows Server 2016 and Windows Server 2019 as well.|
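Review bot: the `/quite` to `/quiet` fix on the `wusa.exe` row is correct, but the same row's `Announced in version` cell still reads `1507 Applies to Windows Server 2016 and Windows Server 2019 as well.`, mixing prose into a column every other row keeps numeric; move the "Applies to" sentence into the details column so the version column stays consistent. While in this table, the context row `TLS DHE_DSS ciphers DisabledByDefault` links `[TLS RC4 Ciphers](...)`, which does not match the feature name and looks like the wrong link text.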
diff --git a/windows/deployment/planning/windows-10-fall-creators-removed-features.md b/windows/deployment/planning/windows-10-fall-creators-removed-features.md
deleted file mode 100644
index 9c2f192856..0000000000
--- a/windows/deployment/planning/windows-10-fall-creators-removed-features.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: Windows 10 Fall Creators Update - Features removed or planned for removal
-description: Which features were removed in Windows 10 Fall Creators Update (version 1709)? Which features are we thinking of removing in the future?
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.date: 10/09/2017
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.topic: article
----
-
-# Features removed or planned for replacement starting with Windows 10 Fall Creators Update (version 1709)
-
-> Applies to: Windows 10, version 1709
-
-Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Read on for details about the features and functionalities that we removed in Windows 10 Fall Creators Update (version 1709). This list also includes information about features and functionality that we're considering removing in a future release of Windows 10. This list is intended to make you aware of current and future changes and inform your planning. **The list is subject to change and might not include every affected feature or functionality.**
-
-## Features removed from Windows 10 Fall Creators Update
-
-We've removed the following features and functionalities from the installed product image in Windows 10, version 1709. Applications, code, or usage that depend on these features won't function in this release unless you employ an alternate method.
-
-### 3D Builder
-
-No longer installed by default, [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) is still available for download from the Microsoft Store. You can also consider using Print 3D and Paint 3D in its place.
-
-### APN database (Apndatabase.xml)
-
-Replaced by the Country and Operator Settings Asset (COSA) database. For more information, see the following Hardware Dev Center articles:
-
-- [Planning your COSA/APN database submission](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
-- [COSA – FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq)
-
-### Enhanced Mitigation Experience Toolkit (EMET)
-
-Removed from the image, and you're blocked from using it. Consider using the [Exploit Protection feature](/windows/threat-protection/windows-defender-exploit-guard/exploit-protection) as a replacement. See the [Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/) for details.
-
-### Outlook Express
-
-Removed this non-functional code.
-
-### Reader app
-
-Integrated the Reader functionality into Microsoft Edge.
-
-### Reading list
-
-Integrated the Reading list functionality into Microsoft Edge.
-
-### Resilient File System (ReFS)
-
-We changed the way that ReFS works, based on the edition of Windows 10 you have. We didn't **remove** ReFS, but how you can use ReFS depends on your edition.
-
-If you have Windows 10 Enterprise or Windows 10 Pro for Workstations: You can create, read, and write volumes.
-
-If you have any other edition of Windows 10: You can read and write volumes, but you can't create volumes. If you need to create volumes, upgrade to the Enterprise or Pro for Workstations edition.
-
-### Syskey.exe
-
-Removed this security feature. Instead, we recommend using [BitLocker](/device-security/bitlocker/bitlocker-overview). For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window).
-
-### TCP Offload Engine
-
-Removed this code. The TCP Offload Engine functionality is now available in the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features (KB4014193)?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193/)
-
-### TPM Owner Password Management
-
-Removed this code.
-
-## Features being considered for replacement starting after Windows Fall Creators Update
-
-We are considering removing the following features and functionalities from the installed product image, starting with releases after Windows 10, version 1709. Eventually, we might completely remove them and replace them with other features or functionality (or, in some instances, make them available from different sources). These features and functionalities are *still available* in this release, but **you should begin planning now to either use alternate methods or to replace any applications, code, or usage that depend on these features.**
-
-If you have feedback to share about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
-
-### IIS 6 Management Compatibility
-
-We're considering replacing the following specific DISM features:
-
-- IIS 6 Metabase Compatibility (Web-Metabase)
-- IIS 6 Management Console (Web-Lgcy-Mgmt-Console)
-- IIS 6 Scripting Tools (Web-Lgcy-Scripting)
-- IIS 6 WMI Compatibility (Web-WMI)
-
-Instead of IIS 6 Metabase Compatibility (which acts as an emulation layer between IIS 6-based metabase scripts and the file-based configuration used by IIS 7 or newer versions) you should start migrating management scripts to target IIS file-based configuration directly, by using tools such as the Microsoft.Web.Administration namespace.
-
-You should also start migration from IIS 6.0 or earlier versions, and move to the [latest version of IIS](/iis/get-started/whats-new-in-iis-10/new-features-introduced-in-iis-10).
-
-### IIS Digest Authentication
-
-We're considering removing the IIS Digest Authentication method. Instead, you should start using other authentication methods, such as [Client Certificate Mapping](/iis/manage/configuring-security/configuring-one-to-one-client-certificate-mappings) or [Windows Authentication](/iis/configuration/system.webServer/security/authentication/windowsAuthentication/).
-
-### Microsoft Paint
-
-We're considering removing MS Paint from the basic installed product image - that means it won't be installed by default. **You'll still be able to get the app separately from the [Microsoft Store](https://www.microsoft.com/store/b/home) for free.** Alternately, you can get [Paint 3D](https://www.microsoft.com/store/p/paint-3d/9nblggh5fv99) and [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) from the Microsoft Store today; both of these offer the same functionality as Microsoft Paint, plus additional features.
-
-### RSA/AES Encryption for IIS
-
-We're considering removing RSA/AES encryption because the superior [Cryptography API: Next Generation (CNG)](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx) method is already available.
-
-### Sync your settings
-
-We're considering making changes to the back-end storage that will affect the sync process: [Enterprise State Roaming](/azure/active-directory/active-directory-windows-enterprise-state-roaming-overview) and all other users will use a single cloud storage system. Both the "Sync your settings" options and the Enterprise State Roaming feature will continue to work.
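Review bot: deleting windows-10-fall-creators-removed-features.md removes a published URL, so a redirect entry is required; the only redirection change in this patch (.openpublishing.redirection.json) appears as a binary diff and cannot be reviewed here, so please confirm a redirect for this path to windows-10-removed-features.md (or windows-10-deprecated-features.md) exists before merge, and grep the repo for links to the deleted filename. The deleted page also carried detail the tables do not, such as the per-edition ReFS create/read/write behaviour and the DISM feature names (`Web-Metabase`, `Web-Lgcy-Mgmt-Console`, `Web-Lgcy-Scripting`, `Web-WMI`) under IIS 6 Management Compatibility; if that detail is still wanted, fold it into the corresponding table rows.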
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index b5615f4412..7ca82acf70 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -26,38 +26,24 @@ There are specific infrastructure requirements to deploy and manage Windows 10
## High-level requirements
-
For initial Windows 10 deployments, as well as subsequent Windows 10 upgrades, ensure that sufficient disk space is available for distribution of the Windows 10 installation files (about 3 GB for Windows 10 x64 images, slightly smaller for x86). Also, be sure to take into account the network impact of moving these large images to each PC; you may need to leverage local server storage.
For persistent VDI environments, carefully consider the I/O impact from upgrading large numbers of PCs in a short period of time. Ensure that upgrades are performed in smaller numbers, or during off-peak time periods. (For pooled VDI environments, a better approach is to replace the base image with a new version.)
## Deployment tools
-
-A new version of the Assessment and Deployment Toolkit (ADK) has been released to support Windows 10. This new version, available for download [here](https://go.microsoft.com/fwlink/p/?LinkId=526740), is required for Windows 10; you should not use earlier versions of the ADK to deploy Windows 10. It also supports the deployment of Windows 7, Windows 8, and Windows 8.1.
+The latest version of the Windows Assessment and Deployment Toolkit (ADK) is available for download [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
Significant enhancements in the ADK for Windows 10 include new runtime provisioning capabilities, which leverage the Windows Imaging and Configuration Designer (Windows ICD), as well as updated versions of existing deployment tools (DISM, USMT, Windows PE, and more).
-Microsoft Deployment Toolkit 2013 Update 1, available for download [here](https://go.microsoft.com/fwlink/p/?LinkId=625079), has also been updated to support Windows 10 and the new ADK; older versions do not support Windows 10. New in this release is task sequence support for Windows 10 in-place upgrades.
+The latest version of the Microsoft Deployment Toolkit (MDT) is available for download [here](https://docs.microsoft.com/mem/configmgr/mdt/release-notes).
-For System Center Configuration Manager, Windows 10 support is offered with various releases:
-
-| Release | Windows 10 management? | Windows 10 deployment? |
-|---------------------------------------------|------------------------|------------------------------------------------|
-| System Center Configuration Manager 2007 | Yes, with a hotfix | No |
-| System Center Configuration Manager 2012 | Yes, with SP2 and CU1 | Yes, with SP2, CU1, and the ADK for Windows 10 |
-| System Center Configuration Manager 2012 R2 | Yes, with SP1 and CU1 | Yes, with SP1, CU1, and the ADK for Windows 10 |
-
-
-> [!NOTE]
-> Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require Microsoft Endpoint Configuration Manager current branch for supported management.
-
+For Configuration Manager, Windows 10 version specific support is offered with [various releases](https://docs.microsoft.com/mem/configmgr/core/plan-design/configs/support-for-windows-10).
For more details about Microsoft Endpoint Configuration Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
## Management tools
-
In addition to Microsoft Endpoint Configuration Manager, Windows 10 also leverages other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](https://go.microsoft.com/fwlink/p/?LinkId=625083) to update the ADMX files stored in that central store.
No new Active Directory schema updates or specific functional levels are currently required for core Windows 10 product functionality, although subsequent upgrades could require these to support new features.
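Review bot: `Windows 10 version specific support` in the new Configuration Manager sentence should be hyphenated as `version-specific`, and the two adjacent sentences name the product differently (`Configuration Manager`, then `Microsoft Endpoint Configuration Manager`); use one name. The rewritten ADK and MDT lines keep `here` as link text, which is non-descriptive; prefer link text naming the target, e.g. `[Windows ADK](...)` and `[MDT release notes](...)`. The removed note stated a concrete support boundary (Configuration Manager 2012 supports only 1507 and 1511); confirm the linked support matrix states it, otherwise organizations still on CM 2012 lose that warning.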
@@ -72,8 +58,6 @@ Microsoft Desktop Optimization Pack (MDOP) has been updated to support Windows
| Microsoft BitLocker Administration and Monitoring (MBAM) | MBAM 2.5 SP1 (2.5 is OK) |
| User Experience Virtualization (UE-V) | UE-V 2.1 SP1 |
-
-
For more information, see the [MDOP TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=625090).
For devices you manage with mobile device management (MDM) solutions such as Microsoft Intune, existing capabilities (provided initially in Windows 8.1) are fully supported in Windows 10; new Windows 10 MDM settings and capabilities will require updates to the MDM services. See [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=625084) for more information.
@@ -81,20 +65,17 @@ For devices you manage with mobile device management (MDM) solutions such as Mic
Windows Server Update Services (WSUS) requires some additional configuration to receive updates for Windows 10. Use the Windows Server Update Services admin tool and follow these instructions:
1. Select the **Options** node, and then click **Products and Classifications**.
-
2. In the **Products** tree, select the **Windows 10** and **Windows 10 LTSB** products and any other Windows 10-related items that you want. Click **OK**.
-
3. From the **Synchronizations** node, right-click and choose **Synchronize Now**.

-Figure 1. WSUS product list with Windows 10 choices
+WSUS product list with Windows 10 choices
Because Windows 10 updates are cumulative in nature, each month’s new update will supersede the previous month's. Consider leveraging “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](https://go.microsoft.com/fwlink/p/?LinkId=625086) for more information. (Note that this will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS.)
## Activation
-
Windows 10 volume license editions of Windows 10 will continue to support all existing activation methods (KMS, MAK, and AD-based activation). An update will be required for existing KMS servers:
| Product | Required update |
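Review bot: dropping `Figure 1.` from the caption leaves the image alt text as `figure 1` (the `![figure 1](images/fig4-wsuslist.png)` context line), which now matches nothing and is not descriptive; set the alt text to the caption, e.g. `![WSUS product list with Windows 10 choices](images/fig4-wsuslist.png)`. Also check that no other page refers to this image as "Figure 1", since that reference would now dangle.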
@@ -104,26 +85,21 @@ Windows 10 volume license editions of Windows 10 will continue to support all
| Windows Server 2012 and Windows 8 | [https://support.microsoft.com/kb/3058168](https://go.microsoft.com/fwlink/p/?LinkId=625087) |
| Windows Server 2008 R2 and Windows 7 | [https://support.microsoft.com/kb/3079821](https://support.microsoft.com/kb/3079821) |
-
-
Also see: [Windows Server 2016 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2016/10/19/windows-server-2016-volume-activation-tips/)
Additionally, new product keys will be needed for all types of volume license activation (KMS, MAK, and AD-based Activation); these keys are available on the Volume Licensing Service Center (VLSC) for customers with rights to the Windows 10 operating system. To find the needed keys:
- Sign into the [Volume Licensing Service Center (VLSC)](https://go.microsoft.com/fwlink/p/?LinkId=625088) at with a Microsoft account that has appropriate rights.
-
- For KMS keys, click **Licenses** and then select **Relationship Summary**. Click the appropriate active license ID, and then select **Product Keys** near the right side of the page. For KMS running on Windows Server, find the **Windows Srv 2012R2 DataCtr/Std KMS for Windows 10** product key; for KMS running on client operating systems, find the **Windows 10** product key.
-
- For MAK keys, click **Downloads and Keys**, and then filter the list by using **Windows 10** as a product. Click the **Key** link next to an appropriate list entry (for example, **Windows 10 Enterprise** or **Windows 10 Enterprise LTSB**) to view the available MAK keys. (You can also find keys for KMS running on Windows 10 in this list. These keys will not work on Windows servers running KMS.)
-Note that Windows 10 Enterprise and Windows 10 Enterprise LTSB installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both.
+Note that Windows 10 Enterprise and Windows 10 Enterprise LTSC installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both.
## Related topics
-
-[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md)
- [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
- [Windows 10 compatibility](windows-10-compatibility.md)
+[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md)
+[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
+[Windows 10 compatibility](windows-10-compatibility.md)
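Review bot: the `LTSB` to `LTSC` rename is applied only to the "Note that" line; the MAK keys bullet directly above it still says `Windows 10 Enterprise LTSB`, and the WSUS steps earlier in this file still say `Windows 10 LTSB`, so the page now uses both names for the same product. Either rename all occurrences (if the VLSC and WSUS product names have actually changed) or leave this one as LTSB for consistency. The fixed `## Related topics` links are on consecutive lines with no blank line between them, so Markdown joins them into one line; add blank lines or list markers. The context line `at with a Microsoft account` in the VLSC bullet has a stray `at`.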
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md
index 3063058112..b79a9e0b9d 100644
--- a/windows/deployment/planning/windows-10-removed-features.md
+++ b/windows/deployment/planning/windows-10-removed-features.md
@@ -18,7 +18,7 @@ ms.topic: article
Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that we removed in Windows 10. **The list below is subject to change and might not include every affected feature or functionality.**
-For information about features that might be removed in a future release, see [Windows 10 features we’re no longer developing](windows-10-deprecated-features.md)
+For information about features that might be removed in a future release, see [Windows 10 features we’re no longer developing](windows-10-deprecated-features.md).
> [!NOTE]
> Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself.
@@ -27,6 +27,9 @@ The following features and functionalities have been removed from the installed
|Feature | Details and mitigation | Removed in version |
| ----------- | --------------------- | ------ |
+| Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 |
+| Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 |
+| Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for non-cellular devices.| 2004 |
| PNRP APIs| The Peer Name Resolution Protocol (PNRP) cloud service was removed in Windows 10, version 1809. We are planning to complete the removal process by removing the corresponding APIs. | 1909 |
| Taskbar settings roaming | Roaming of taskbar settings is removed in this release. This feature was announced as no longer being developed in Windows 10, version 1903. | 1909 |
| Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message. | 1903 |
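Review bot: the `Cortana` row's details say Cortana was "updated and enhanced", not removed; what was removed is the set of consumer skills, so name the row for that (e.g. `Cortana consumer skills (music, connected home, non-Microsoft skills)`) so the Feature column describes the removed item like every other row. Minor: `cellular enabled devices` should read `cellular-enabled devices` in the Mobile Plans row, and the Windows To Go row could link the 1903 deprecation entry it cites.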
@@ -36,7 +39,7 @@ The following features and functionalities have been removed from the installed
|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| 1809 |
|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| 1809 |
|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 |
-|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC or to stream music from OneDrive. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 |
+|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 |
|People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| 1803 |
|Language control in the Control Panel| Use the Settings app to change your language settings.| 1803 |
|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.
When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.
Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10: - [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10) - [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 |
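Review bot: the Groove Music Pass row silently drops `or to stream music from OneDrive`; if OneDrive music streaming in Groove has ended, say so (with a date, as the 2017 store-sales sentence does) rather than just deleting the clause, otherwise readers who relied on it will not learn why it stopped working.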
@@ -50,12 +53,13 @@ The following features and functionalities have been removed from the installed
|Reading List | Functionality to be integrated into Microsoft Edge. | 1709 |
|Screen saver functionality in Themes | This functionality is disabled in Themes, and classified as **Removed** in this table. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
|Syskey.exe | Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window). | 1709 |
-|TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193).| 1709 |
+|TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| 1709 |
|Tile Data Layer |To be replaced by the Tile Store.| 1709 |
+|Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 |
|Apps Corner| This Windows 10 mobile application is removed in the version 1703 release. | 1703 |
|By default, Flash autorun in Edge is turned off. | Use the Click-to-Run (C2R) option instead. (This setting can be changed by the user.) | 1703 |
|Interactive Service Detection Service| See [Interactive Services](https://docs.microsoft.com/windows/win32/services/interactive-services?redirectedfrom=MSDN) for guidance on how to keep software up to date. | 1703 |
|Microsoft Paint | This application will not be available for languages that are not on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 |
|NPN support in TLS | This feature is superseded by Application-Layer Protocol Negotiation (ALPN). | 1703 |
|Windows Information Protection "AllowUserDecryption" policy | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. | 1703 |
-|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 |
\ No newline at end of file
+|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 |
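Review bot: The new Resilient File System (ReFS) row is inserted after "Tile Data Layer", which breaks the alphabetical ordering the 1709 group otherwise follows (Reading List, Screen saver, Syskey.exe, TCP Offload Engine, Tile Data Layer); move it up between "Reading List" and "Screen saver functionality in Themes". Also, the TCP Offload Engine edit drops the period after the link so the row no longer matches its neighbours ("...use BitLocker instead.", "...by the Tile Store."); keep the period, i.e. `...kb4014193).| 1709 |`. The added trailing newline at end of file is a welcome fix.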
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
index 77f7cfe31a..2a8889f1ab 100644
--- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
+++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
@@ -1,6 +1,6 @@
---
title: Windows To Go frequently asked questions (Windows 10)
-description: Windows To Go frequently asked questions
+description: Though Windows To Go is no longer being developed, these frequently asked questions (FAQ) can provide answers about the feature.
ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e
ms.reviewer:
manager: laurawi
@@ -22,8 +22,8 @@ ms.topic: article
- Windows 10
->[!IMPORTANT]
->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
+> [!IMPORTANT]
+> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
The following list identifies some commonly asked questions about Windows To Go.
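Review bot: The wording is now inconsistent between the two hunks in this file: the description still says "Windows To Go is no longer being developed" while the IMPORTANT note now says it "is removed in Windows 10, version 2004 and later operating systems". Align the description with the removal statement so search results and the page body say the same thing. The change from `>[!IMPORTANT]` to `> [!IMPORTANT]` is a good consistency fix.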
diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
index 23fefc02cd..c978295e6e 100644
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ b/windows/deployment/planning/windows-to-go-overview.md
@@ -23,7 +23,7 @@ ms.topic: article
- Windows 10
> [!IMPORTANT]
-> Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
+> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs.
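Review bot: The sentence directly below the updated note still presents Windows To Go as a current feature ("Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables..."), which contradicts the note that it is removed in version 2004 and later; qualify it, for example "Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education, version 1909 and earlier, that enables...", using the version boundary the note already states.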
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index 3d5adb42f4..bd9b8af4d0 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -1,13 +1,12 @@
---
title: Windows 10 Pro in S mode
-description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers?
+description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers?
keywords: Windows 10 S, S mode, Windows S mode, Windows 10 S mode, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Enterprise in S mode, Windows 10 Pro/Enterprise in S mode
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.prod: w10
ms.sitesec: library
ms.pagetype: deploy
-ms.date: 12/05/2018
ms.reviewer:
manager: laurawi
ms.audience: itpro
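Review bot: The `description:` line shows as changed but its visible content is identical, so this is a whitespace-only change; confirm that is intended (trailing whitespace cleanup) rather than an accidental edit. `ms.date: 12/05/2018` is removed without a replacement value; if the page is being revised, either set a current date or leave the key out deliberately and note that in the PR.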
@@ -18,33 +17,35 @@ ms.topic: article
---
# Windows 10 in S mode - What is it?
-S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS.
+
+S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS.

## S mode key features
+
**Microsoft-verified security**
-With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware.
+With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware.
**Performance that lasts**
-Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you’ll enjoy a smooth, responsive experience, whether you’re streaming HD video, opening apps, or being productive on the go.
+Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you’ll enjoy a smooth, responsive experience, whether you’re streaming HD video, opening apps, or being productive on the go.
**Choice and flexibility**
-Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
+Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.

## Deployment
-Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired.
+Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](windows-autopilot/windows-autopilot.md). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired.
## Keep line of business apps functioning with Desktop Bridge
-Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode.
+Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode.
## Repackage Win32 apps into the MSIX format
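Review bot: The first paragraph is re-added with its existing typos intact; since the line is already being touched, fix "The edition of Windows can be upgrade at any time" to "can be upgraded at any time" and "a onetime switch" to "a one-time switch". The Autopilot link is changed from an absolute docs URL to the relative path `windows-autopilot/windows-autopilot.md`; please confirm that file exists under `windows/deployment/` so the build does not flag a broken link. The remaining changed lines (key features, Desktop Bridge) appear to be whitespace-only.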
@@ -54,6 +55,6 @@ The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-managem
## Related links
- [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode)
-- [S mode devices](https://www.microsoft.com/windows/view-all-devices)
+- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices)
- [Windows Defender Application Control deployment guide](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
- [Windows Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
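Review bot: Adding `/en-us/` to the "S mode devices" URL hard-codes a locale, while the other links in this list (`https://www.microsoft.com/windows/s-mode`, the docs.microsoft.com links) are locale-neutral; keep `https://www.microsoft.com/windows/view-all-devices` unless the neutral URL actually fails to resolve.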
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
new file mode 100644
index 0000000000..da1db27ff2
--- /dev/null
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -0,0 +1,140 @@
+---
+title: Create a deployment plan
+description: Devise the number of deployment rings you need and how you want to populate them
+ms.prod: w10
+ms.mktglfcycl: manage
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Create a deployment plan
+
+A service management mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once this process is used for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
+
+When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices, and we’ve found that ring-based deployment is a methodology that works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades--they are simply a method by which to separate devices into a deployment timeline.
+
+At the highest level, each “ring” comprise a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
+
+A common ring structure comprises three deployment groups:
+
+- Preview: Planning and development
+- Limited: Pilot and validation
+- Broad: Wide deployment
+
+> [!NOTE]
+> Organizations often use different names for their “rings," for example:
+> - First > Fast > Broad
+> - Canaries > Early Adopters > Users
+> - Preview > Broad > Critical
+
+
+## How many rings should I have?
+
+There are no definite rules for exactly how many rings to have for your deployments. As mentioned previously, you might want to ensure zero downtime for mission-critical devices by putting them in their own ring. If you have a large
+organization, you might want to consider assigning devices to rings based on geographic location or the size of rings so that helpdesk resources are more available. Consider the needs of your business and introduce rings that make sense for your organization.
+
+## Advancing between rings
+
+There are basically two strategies for moving deployments from one ring to the next. One is service based, the other project based.
+
+- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the “red button” to stop further distribution.
+- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the “green button” to push the content to the next ring.
+
+When it comes to deployments, having manual steps in the process usually impedes update velocity, so a "red button" strategy is better when that is your goal.
+
+## Preview ring
+
+The purpose of the Preview ring is to evaluate the new features of the update. This is specifically *not* for broad parts of the organization but is limited to the people who are responsible for knowing what is coming next,
+generally IT administrators. Ultimately, this is the time the design and planning work happens so that when the public update is actually shipped, you can have greater confidence in the update.
+
+> [!NOTE]
+> Being part of the [Windows Insider Program](https://insider.windows.com/for-business/) gives you early access to Windows releases so that you can use Insider Preview builds in your Preview ring to validate your apps and infrastructure, preparing you for public Windows releases.
+
+
+### Who goes in the Preview ring?
+
+The Preview ring users are the most tech savvy and resilient people, who will not lose productivity if something goes wrong. In general, these are IT pros, and perhaps a few people in the business organization.
+
+During your plan and prepare phases, these are the activities you should focus on:
+
+- Work with Windows Insider Preview builds.
+- Identify the features and functionality your organization can or wants to use.
+- Establish who will use the features and how they will benefit.
+- Understand why you are putting the update out.
+- Plan for usage feedback.
+
+Remember, you are working with pre-release software in the Preview ring and you will be evaluating features and testing the update for a targeted release.
+
+> [!IMPORTANT]
+> If you are using Windows Insider (pre-release) releases for your preview ring and you are using WSUS or Windows Update for Business, be sure to set the following policies to allow for Preview builds:
+> - **Manage Preview Builds: 2 - Enable preview builds**
+> • Under **Branch Readiness Level**, select **When Preview Builds and Feature Updates are Received: 4--Windows Insider Program Slow**
+
+## Limited ring
+
+The purpose of the Limited ring is to validate the update on representative devices across the network. During this period, data, and feedback is generated to enable the decision to move forward to broader deployment. Desktop
+Analytics can help with defining a good Limited ring of representative devices and assist in monitoring the deployment.
+
+### Who goes in the Limited ring?
+
+The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented, and it's important that the people selected for this ring are using their devices regularly in order to generate the data you will need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don’t have the applications or device drivers that are truly a representative sample of your network.
+
+
+During your pilot and validate phases, these are the activities you should focus on:
+
+- Deploy new innovations.
+- Assess and act if issues are encountered.
+- Move forward unless blocked.
+
+When you deploy to the Limited ring, you’ll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring, because your Limited ring represents your organization across the board, and when you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly.
+
+## Broad deployment
+
+Once the devices in the Limited ring have had a sufficient stabilization period, it’s time for broad deployment across the network.
+
+### Who goes in the Broad deployment ring?
+
+In most businesses, the Broad ring includes the rest of your organization. Because of the work in the previous ring to vet stability and minimize disruption (with diagnostic data to support your decision) broad deployment can occur relatively quickly.
+
+> [!NOTE]
+> In some instances, you might hold back on mission critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows 10 feature
+> updates to mission critical devices.
+
+During the broad deployment phase, these are the activities you should focus on:
+
+- Deploy to all devices in the organization.
+- Work through any final unusual issues that were not detected in your Limited ring.
+
+
+## Ring deployment planning
+
+Previously, we have provided methods for analyzing your deployments, but these have generally been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We have combined many of these tasks, and more, into a single interface with Desktop Analytics.
+
+
+[Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to
+make informed decisions about the readiness of your Windows devices.
+
+In Windows 10 deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Microsoft Endpoint Manager can help you assess app compatibility with the latest
+feature update and create groups that represent the broadest number of hardware and software configurations on the smallest set of devices across your organization. In addition, Desktop Analytics can provide you with a device and software inventory and identify issues, giving you data that equate to actionable decisions.
+
+> [!IMPORTANT]
+> Desktop Analytics does not support preview (Windows Insider) builds; use Configuration Manager to deploy to your Preview ring. As noted previously, the Preview ring is a small group of devices represents your ecosystem very well in terms of app, driver, and hardware diversity.
+
+### Deployment plan options
+
+There are two ways to implement a ring deployment plan, depending on how you manage your devices:
+
+- If you are using Configuration Manager: Desktop Analytics provides end-to-end deployment plan integration so that you can also kick off phased deployments within a ring. Learn more about [deployment plans in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/about-deployment-plans).
+- If you are using Microsoft Intune, see [Create deployment plans directly in Intune](https://docs.microsoft.com/mem/intune/fundamentals/planning-guide).
+
+For more about Desktop Analytics, see these articles:
+
+- [How to set up Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/set-up)
+- [Tutorial: Deploy Windows 10 to Pilot](https://docs.microsoft.com/mem/configmgr/desktop-analytics/tutorial-windows10)
+- [Desktop Analytics documentation](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview)
+- [Intune deployment planning, design, and implementation guide](https://docs.microsoft.com/mem/intune/fundamentals/planning-guide)
+
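Review bot: The NOTE in "Who goes in the Broad deployment ring?" ends with "Get best practices and recommendations for deploying Windows 10 feature updates to mission critical devices." with no link, so it reads as a placeholder whose target was never filled in; either add the link or remove the sentence. A few other items to fix in this new file: "each “ring” comprise a group" should be "comprises"; "As mentioned previously, you might want to ensure zero downtime for mission-critical devices" refers to nothing earlier in this article; the IMPORTANT block mixes a "-" bullet with a "•" bullet, so use "-" for both; "a small group of devices represents your ecosystem" needs "that" ("a small group of devices that represents..."); and "During this period, data, and feedback is generated" should be "data and feedback are generated". The curly quote in `“rings,"` is also mismatched with a straight closing quote.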
diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md
new file mode 100644
index 0000000000..202b4531b9
--- /dev/null
+++ b/windows/deployment/update/deploy-updates-configmgr.md
@@ -0,0 +1,20 @@
+---
+title: Deploy Windows 10 updates with Configuration Manager (Windows 10)
+description: Deploy Windows 10 updates with Configuration Manager
+ms.prod: w10
+ms.mktglfcycl: manage
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Deploy Windows 10 updates with Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+See the Microsoft Endpoint Configuration Manager [documentation](https://docs.microsoft.com/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates.
\ No newline at end of file
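Review bot: The new file is missing a trailing newline (see "\ No newline at end of file"); add one so the file matches the rest of the repo. The `description:` just repeats the title ("Deploy Windows 10 updates with Configuration Manager"); a description that says what the page offers, for example that it points to the Configuration Manager documentation for servicing Windows 10, would be more useful in search results.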
diff --git a/windows/deployment/update/deploy-updates-intune.md b/windows/deployment/update/deploy-updates-intune.md
new file mode 100644
index 0000000000..8737d452c6
--- /dev/null
+++ b/windows/deployment/update/deploy-updates-intune.md
@@ -0,0 +1,20 @@
+---
+title: Deploy updates with Intune
+description: Deploy Windows 10 updates with Intune
+ms.prod: w10
+ms.mktglfcycl: manage
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Deploy Windows 10 updates with Intune
+
+**Applies to**
+
+- Windows 10
+
+See the Microsoft Intune [documentation](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure#windows-10-feature-updates) for details about using Intune to deploy and manage Windows 10 updates.
\ No newline at end of file
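Review bot: The front-matter `title:` ("Deploy updates with Intune") does not match the H1 ("Deploy Windows 10 updates with Intune"); make them consistent, and as with the Configuration Manager page the `description:` only repeats the title. The file also lacks a trailing newline ("\ No newline at end of file").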
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
new file mode 100644
index 0000000000..af6fe156e8
--- /dev/null
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -0,0 +1,71 @@
+---
+title: Evaluate infrastructure and tools
+ms.reviewer:
+manager: laurawi
+description:
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+audience: itpro
+author: jaimeo
+ms.localizationpriority: medium
+ms.audience: itpro
+author: jaimeo
+ms.topic: article
+ms.collection: M365-modern-desktop
+---
+
+# Evaluate infrastructure and tools
+
+Before you deploy an update, it's best to assess your deployment infrastucture (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness.
+
+## Infrastructure
+
+Do your deployment tools need updates?
+
+- If you use Configuration Manager, is it on the Current Branch with the latest release installed. This ensures that it supports the next Windows 10 feature update. Configuration Manager releases are supported for 18 months.
+- Using a cloud-based management tool like Microsoft Intune reduces support challenges, since no related products need to be updated.
+- If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows 10 feature update.
+
+Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered while doing so.
+
+## Device settings
+
+Make sure your security basline, administrative templates, and policies have the right settings to support your devices once the new Windows 10 update is installed.
+
+### Security baseline
+
+Keep security baslines current to help ensure that your environment is secure and that new security feature in the coming Windows 10 update are set properly.
+
+- **Microsoft security baselines**: You should implement security baselines from Microsoft. They are included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them.
+- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows 10 you are about to deploy.
+
+### Configuration updates
+
+There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately.
+
+- **Windows 10 Administrative templates**: Each Windows 10 feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 10, version 1909](https://www.microsoft.com/download/100591).
+- **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones.
+
+
+## Define operational readiness criteria
+
+When you’ve deployed an update, you’ll need to make sure the update isn’t introducing new operational issues. And you’ll also ensure that if incidents arise, the needed documentation and processes are available. To achieve this, work with your operations and support team to define acceptable trends and what documents or processes require updating:
+
+- **Call trend**: Define what percentage increase in calls relating to Windows 10 feature updates are acceptable or can be supported.
+- **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows 10 feature updates are acceptable or can be supported.
+- **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows 10 feature update.
+- **Process changes:** Define and update any processes that will change as a result of the Windows 10 feature update.
+
+Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get get this information so you can gain the right insight.
+
+## Tasks
+
+Finally, you can begin to carry out the work needed to ensure your infrastructure and configuration can support the update. To help you keep track, you can classify the work into the following overarching tasks:
+
+- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they’ve all been defined.
+- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that have been identified for the update.
+- **Define infrastructure update plan**: Detail how your infrastructure must change to support the update.
+- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when it’s been deployed.
+- **Identify gaps that require attention**: Identify issues that will need to be addressed to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure?
+- **Define operational update plan**: Detail how your operational services and processes must change to support the update.
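Review bot: The front matter has an empty `description:` and declares `author: jaimeo` twice; fill in the description and drop the duplicate key. In the body, "If you use Configuration Manager, is it on the Current Branch with the latest release installed." is a question and should end with "?"; fix the spelling of "infrastucture", "basline" and "baslines"; "new security feature in the coming Windows 10 update are set properly" should be "features"; and "work out how to get get this information" has a doubled word. The "Call trend" and "Incident trend" bullets are near-identical definitions ("percentage increase in calls..."), so one of them should describe incidents rather than calls, otherwise the distinction the list is drawing is lost.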
diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md
index 9dbe7740b3..d125672d4a 100644
--- a/windows/deployment/update/fod-and-lang-packs.md
+++ b/windows/deployment/update/fod-and-lang-packs.md
@@ -1,6 +1,6 @@
---
-title: Windows 10 - How to make FoD and language packs available when you're using WSUS/SCCM
-description: Learn how to make FoD and language packs available when you're using WSUS/SCCM
+title: Windows 10 - How to make FoD and language packs available when you're using WSUS or Configuration Manager
+description: Learn how to make FoD and language packs available when you're using WSUS or Configuration Manager
ms.prod: w10
ms.mktglfcycl: manage
@@ -14,7 +14,7 @@ ms.reviewer:
manager: laurawi
ms.topic: article
---
-# How to make Features on Demand and language packs available when you're using WSUS/SCCM
+# How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager
> Applies to: Windows 10
@@ -26,6 +26,6 @@ In Windows 10 version 1709 and 1803, changing the **Specify settings for optiona
In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It’s currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location.
-For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS or SCCM or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
+For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](https://docs.microsoft.com/windows/client-management/).
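Review bot: the unchanged context line beginning `In Windows 10 version 1809 and beyond` spells the acronym `FOD` while the new title and description in this same file use `FoD`; since this PR already touches the surrounding lines, normalise to one spelling. That sentence is also a comma splice (`... also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update.`) and reads better split into two sentences or with a semicolon before `however`.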
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
new file mode 100644
index 0000000000..82a5957f04
--- /dev/null
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -0,0 +1,107 @@
+---
+title: Windows 10 updates, channels, and tools
+description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Windows 10 updates, channels, and tools
+
+## How Windows updates work
+
+There are four phases to the Windows update process:
+
+- **Scan:** A device checks the Microsoft Update server, Windows Update service, or your Windows Server Update Services (WSUS) endpoint at random intervals to see if any updates have been added since the last time updates were searched, and then evaluates whether the update is appropriate by checking the policies that have been set up by the
+administrator. This process is invisible to the user.
+- **Download:** Once the device determines that an update is available, it begins downloading the update. The download process is also invisible to the user. With feature updates, download happens in multiple
+sequential phases.
+- **Install:** After the update is downloaded, depending on the device’s Windows Update settings, the update is installed on the system.
+- **Commit and restart:** Once installed, the device usually (but not always) must be restarted in order to complete the installation and begin using the update. Before that happens, a device is still running the previous
+version of the software.
+
+## Types of updates
+
+We include information here about a number of different update types you'll hear about, but the two overarching types which you have the most direct control over are *feature updates* and *quality updates*.
+
+- **Feature updates:** Released twice per year, around March and September. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
+- **Quality updates:** Quality updates deliver both security and non-security fixes to Windows 10. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
+- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
+- **Driver updates**: These are updates to drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not.
+- **Microsoft product updates:** These are updates for other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools.
+
+
+
+## Servicing channels
+
+Windows 10 offers three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows 10 "as a service" which conceives of deployment as a continual process of updates which roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process.
+
+The first step of controlling when and how devices install updates is assigning them to the appropriate servicing channel. You can assign devices to a particular channel with any of several tools, including Microsoft Endpoint Configuration Manager, Windows Server Update Services (WSUS), and Group Policy settings applied by any of several means. By dividing devices into different populations ("deployment groups" or "rings") you can use servicing channel assignment, followed by other management features such as update deferral policies, to create a phased deployment of any update that allows you to start with a limited pilot deployment for testing before moving to a broad deployment throughout your organization.
+
+
+### Semi-annual Channel
+
+In the Semi-annual Channel, feature updates are available as soon as Microsoft releases them, twice per year. As long as a device isn't set to defer feature updates, any device using the Semi-annual Channel will install a feature update as soon as it's released. If you use Windows Update for Business, the Semi-annual Channel provides three months of additional total deployment time before being required to update to the next release.{IS THIS STILL TRUE?}
+
+> [!NOTE]
+> All releases of Windows 10 have **18 months of servicing for all editions**--these updates provide security and feature updates for the release. However, fall releases of the **Enterprise and Education editions** will have an **additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release**. This extended servicing window applies to Enterprise and Education editions starting with Windows 10, version 1607.
+
+### Windows Insider Program for Business
+
+Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are actually three options within the Windows Insider Program for Business channel:
+
+- Windows Insider Fast
+- Windows Insider Slow
+- Windows Insider Release Preview
+
+We recommend that you use the Windows Insider Release Preview channel for validation activities.
+
+
+### Long-term Servicing Channel
+
+The **Long Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSB releases service a special LTSB edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
+
+The Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition.
+
+
+| Windows 10 edition | Semi-Annual Channel | Insider Program | Long-Term Servicing Channel |
+| --- | --- | --- | --- |
+| Home | | | |
+| Pro |  |  | |
+| Enterprise |  | | |
+| Enterprise LTSB |  | | |
+| Pro Education |  |  | |
+| Education |  |  | |
+
+## Servicing tools
+
+### Tools for on-premises update delivery
+
+Windows Server Update Services (WSUS): you set up a WSUS server, which downloads updates in bulk from Microsoft. Your individual devices then connect to your server to install their updates from there.
+
+You can set up, control, and manage the server and update process with a number of tools:
+
+- A standalone Windows Server Update Services server operated directly
+- [Configuration Manager](deploy-updates-configmgr.md)
+- Non-Microsoft tools
+
+For more information, see [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus).
+
+### Tools for cloud-based update delivery
+
+Your individual devices connect to Microsoft endpoints directly to get the updates. The details of this process (how often devices download updates of various kinds, from which channels, deferrals, and details of the users' experience of installation) are set on devices either with Group Policy or MDM policies, which you can control with any of a number of tools:
+
+- [Group Policy Management Console](waas-wufb-group-policy.md) (Gpmc.msc)
+- [Microsoft Intune](waas-wufb-intune.md)
+- Non-Microsoft MDM tools
+
+### Hybrid scenarios
+
+It is also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery.
+
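Review bot: an author query is left in the shipped text at the end of the Semi-annual Channel paragraph (`... before being required to update to the next release.{IS THIS STILL TRUE?}`); the claim needs to be confirmed or dropped and the placeholder removed before merge. The edition table under `Long-term Servicing Channel` has every data cell empty (`| Home | | | |`, `| Enterprise LTSB |  | | |`), so it no longer conveys which channels each edition supports; the availability markers appear to have been lost and should be restored. Naming is inconsistent within the file: `Semi-annual Channel` in the heading versus `Semi-Annual Channel` in the LTSB paragraph and table header, the heading `Long-term Servicing Channel` versus the bold `Long Term Servicing Channel`, and `LTSB` used for both the channel and the edition; pick one form of each. Minor: `--` is used as a dash in the servicing channels intro and in the NOTE, and the file ends with a trailing blank added line.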
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index ac597ae387..e427a2f861 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -80,7 +80,7 @@ Windows Update takes the following sets of actions when it runs a scan.
#### Starts the scan for updates
When users start scanning in Windows Update through the Settings panel, the following occurs:
-- The scan first generates a “ComApi” message. The caller (Windows Defender Antivirus) tells the WU engine to scan for updates.
+- The scan first generates a “ComApi” message. The caller (Microsoft Defender Antivirus) tells the WU engine to scan for updates.
- "Agent" messages: queueing the scan, then actually starting the work:
- Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers.
- Windows Update uses the thread ID filtering to concentrate on one particular task.
@@ -106,7 +106,7 @@ When users start scanning in Windows Update through the Settings panel, the foll
|MU|7971f918-a847-4430-9279-4a52d1efe18d|
|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289|
|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552|
-|WSUS or SCCM|Via ServerSelection::ssManagedServer 3DA21691-E39D-4da6-8A4B-B43877BCB1B7 |
+|WSUS or Configuration Manager|Via ServerSelection::ssManagedServer 3DA21691-E39D-4da6-8A4B-B43877BCB1B7 |
|Offline scan service|Via IUpdateServiceManager::AddScanPackageService|
#### Finds network faults
@@ -117,9 +117,9 @@ Common update failure is caused due to network issues. To find the root of the i
- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting.
> [!NOTE]
- > Warning messages for SLS can be ignored if the search is against WSUS/SCCM.
+ > Warning messages for SLS can be ignored if the search is against WSUS or Configuration Manager.
-- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured.
+- On sites that only use WSUS or Configuration Manager, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS or Configuration Manager, since it’s locally configured.

## Downloading updates
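Review bot: in the rewritten bullet, `In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS or Configuration Manager, since it’s locally configured.`, the grammatical subject of `can’t scan` is the SLS request rather than the client; suggest `the SLS request will fail, and the client can’t scan against Windows Update or Microsoft Update, but it can still scan against WSUS or Configuration Manager, which is configured locally.` The hunk header's context line `Common update failure is caused due to network issues` is also awkward (`caused due to`) and could read `Network issues are a common cause of update failures` when this file is next touched.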
diff --git a/windows/deployment/update/images/DO-absolute-bandwidth.png b/windows/deployment/update/images/DO-absolute-bandwidth.png
new file mode 100644
index 0000000000..a13d5393e6
Binary files /dev/null and b/windows/deployment/update/images/DO-absolute-bandwidth.png differ
diff --git a/windows/deployment/update/images/UC-vid-crop.jpg b/windows/deployment/update/images/UC-vid-crop.jpg
deleted file mode 100644
index 47e74febbc..0000000000
Binary files a/windows/deployment/update/images/UC-vid-crop.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/UC_00_marketplace_search.PNG b/windows/deployment/update/images/UC_00_marketplace_search.PNG
deleted file mode 100644
index dcdf25d38a..0000000000
Binary files a/windows/deployment/update/images/UC_00_marketplace_search.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_01_marketplace_create.PNG b/windows/deployment/update/images/UC_01_marketplace_create.PNG
deleted file mode 100644
index 4b34311112..0000000000
Binary files a/windows/deployment/update/images/UC_01_marketplace_create.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_02_workspace_create.PNG b/windows/deployment/update/images/UC_02_workspace_create.PNG
deleted file mode 100644
index ed3eeeebbb..0000000000
Binary files a/windows/deployment/update/images/UC_02_workspace_create.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_03_workspace_select.PNG b/windows/deployment/update/images/UC_03_workspace_select.PNG
deleted file mode 100644
index d00864b861..0000000000
Binary files a/windows/deployment/update/images/UC_03_workspace_select.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG b/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG
deleted file mode 100644
index 3ea9f57531..0000000000
Binary files a/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_commercialID.png b/windows/deployment/update/images/UC_commercialID.png
deleted file mode 100644
index 6896be03e6..0000000000
Binary files a/windows/deployment/update/images/UC_commercialID.png and /dev/null differ
diff --git a/windows/deployment/update/images/UC_commercialID_GP.png b/windows/deployment/update/images/UC_commercialID_GP.png
deleted file mode 100644
index 95d92cf6df..0000000000
Binary files a/windows/deployment/update/images/UC_commercialID_GP.png and /dev/null differ
diff --git a/windows/deployment/update/images/UC_telemetrylevel.png b/windows/deployment/update/images/UC_telemetrylevel.png
deleted file mode 100644
index a11e68a5f8..0000000000
Binary files a/windows/deployment/update/images/UC_telemetrylevel.png and /dev/null differ
diff --git a/windows/deployment/update/images/UC_workspace_WDAV_status.PNG b/windows/deployment/update/images/UC_workspace_WDAV_status.PNG
deleted file mode 100644
index 40dcaef949..0000000000
Binary files a/windows/deployment/update/images/UC_workspace_WDAV_status.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/annual-calendar.png b/windows/deployment/update/images/annual-calendar.png
new file mode 100644
index 0000000000..1ff15bed76
Binary files /dev/null and b/windows/deployment/update/images/annual-calendar.png differ
diff --git a/windows/deployment/update/images/rapid-calendar.png b/windows/deployment/update/images/rapid-calendar.png
new file mode 100644
index 0000000000..35aec71626
Binary files /dev/null and b/windows/deployment/update/images/rapid-calendar.png differ
diff --git a/windows/deployment/update/images/uc-01-wdav.png b/windows/deployment/update/images/uc-01-wdav.png
deleted file mode 100644
index c0ef37ebc6..0000000000
Binary files a/windows/deployment/update/images/uc-01-wdav.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-01.png b/windows/deployment/update/images/uc-01.png
deleted file mode 100644
index 7f4df9f6d7..0000000000
Binary files a/windows/deployment/update/images/uc-01.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-02.png b/windows/deployment/update/images/uc-02.png
deleted file mode 100644
index 8317f051c3..0000000000
Binary files a/windows/deployment/update/images/uc-02.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-02a.png b/windows/deployment/update/images/uc-02a.png
deleted file mode 100644
index d12544e3a0..0000000000
Binary files a/windows/deployment/update/images/uc-02a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-03.png b/windows/deployment/update/images/uc-03.png
deleted file mode 100644
index 58494c4128..0000000000
Binary files a/windows/deployment/update/images/uc-03.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-03a.png b/windows/deployment/update/images/uc-03a.png
deleted file mode 100644
index 39412fc8f3..0000000000
Binary files a/windows/deployment/update/images/uc-03a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-04.png b/windows/deployment/update/images/uc-04.png
deleted file mode 100644
index ef9a37d379..0000000000
Binary files a/windows/deployment/update/images/uc-04.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-04a.png b/windows/deployment/update/images/uc-04a.png
deleted file mode 100644
index 537d4bbe72..0000000000
Binary files a/windows/deployment/update/images/uc-04a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-05.png b/windows/deployment/update/images/uc-05.png
deleted file mode 100644
index 21c8e9f9e0..0000000000
Binary files a/windows/deployment/update/images/uc-05.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-05a.png b/windows/deployment/update/images/uc-05a.png
deleted file mode 100644
index 2271181622..0000000000
Binary files a/windows/deployment/update/images/uc-05a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-06.png b/windows/deployment/update/images/uc-06.png
deleted file mode 100644
index 03a559800b..0000000000
Binary files a/windows/deployment/update/images/uc-06.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-06a.png b/windows/deployment/update/images/uc-06a.png
deleted file mode 100644
index 15df1cfea0..0000000000
Binary files a/windows/deployment/update/images/uc-06a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-07.png b/windows/deployment/update/images/uc-07.png
deleted file mode 100644
index de1ae35e82..0000000000
Binary files a/windows/deployment/update/images/uc-07.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-07a.png b/windows/deployment/update/images/uc-07a.png
deleted file mode 100644
index c0f2d9fd73..0000000000
Binary files a/windows/deployment/update/images/uc-07a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-08.png b/windows/deployment/update/images/uc-08.png
deleted file mode 100644
index 877fcd64c0..0000000000
Binary files a/windows/deployment/update/images/uc-08.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-08a.png b/windows/deployment/update/images/uc-08a.png
deleted file mode 100644
index 89da287d3d..0000000000
Binary files a/windows/deployment/update/images/uc-08a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-09.png b/windows/deployment/update/images/uc-09.png
deleted file mode 100644
index 37d7114f19..0000000000
Binary files a/windows/deployment/update/images/uc-09.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-09a.png b/windows/deployment/update/images/uc-09a.png
deleted file mode 100644
index f6b6ec5b60..0000000000
Binary files a/windows/deployment/update/images/uc-09a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-10.png b/windows/deployment/update/images/uc-10.png
deleted file mode 100644
index ea065590b9..0000000000
Binary files a/windows/deployment/update/images/uc-10.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-10a.png b/windows/deployment/update/images/uc-10a.png
deleted file mode 100644
index 1c6b8b01dc..0000000000
Binary files a/windows/deployment/update/images/uc-10a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-11.png b/windows/deployment/update/images/uc-11.png
deleted file mode 100644
index 8b4fc568ea..0000000000
Binary files a/windows/deployment/update/images/uc-11.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-12.png b/windows/deployment/update/images/uc-12.png
deleted file mode 100644
index 4198684c99..0000000000
Binary files a/windows/deployment/update/images/uc-12.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-13.png b/windows/deployment/update/images/uc-13.png
deleted file mode 100644
index 117f9b9fd8..0000000000
Binary files a/windows/deployment/update/images/uc-13.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-14.png b/windows/deployment/update/images/uc-14.png
deleted file mode 100644
index 66047984e7..0000000000
Binary files a/windows/deployment/update/images/uc-14.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-15.png b/windows/deployment/update/images/uc-15.png
deleted file mode 100644
index c241cd9117..0000000000
Binary files a/windows/deployment/update/images/uc-15.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-16.png b/windows/deployment/update/images/uc-16.png
deleted file mode 100644
index e7aff4d4ed..0000000000
Binary files a/windows/deployment/update/images/uc-16.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-17.png b/windows/deployment/update/images/uc-17.png
deleted file mode 100644
index cb8e42ca5e..0000000000
Binary files a/windows/deployment/update/images/uc-17.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-18.png b/windows/deployment/update/images/uc-18.png
deleted file mode 100644
index 5eff59adc9..0000000000
Binary files a/windows/deployment/update/images/uc-18.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-19.png b/windows/deployment/update/images/uc-19.png
deleted file mode 100644
index 791900eafc..0000000000
Binary files a/windows/deployment/update/images/uc-19.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-20.png b/windows/deployment/update/images/uc-20.png
deleted file mode 100644
index 7dbb027b9f..0000000000
Binary files a/windows/deployment/update/images/uc-20.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-21.png b/windows/deployment/update/images/uc-21.png
deleted file mode 100644
index 418db41fe4..0000000000
Binary files a/windows/deployment/update/images/uc-21.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-22.png b/windows/deployment/update/images/uc-22.png
deleted file mode 100644
index 2ca5c47a61..0000000000
Binary files a/windows/deployment/update/images/uc-22.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-23.png b/windows/deployment/update/images/uc-23.png
deleted file mode 100644
index 58b82db82d..0000000000
Binary files a/windows/deployment/update/images/uc-23.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-24.png b/windows/deployment/update/images/uc-24.png
deleted file mode 100644
index 00bc61e3e1..0000000000
Binary files a/windows/deployment/update/images/uc-24.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-25.png b/windows/deployment/update/images/uc-25.png
deleted file mode 100644
index 4e0f0bdb03..0000000000
Binary files a/windows/deployment/update/images/uc-25.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-DO-status.png b/windows/deployment/update/images/uc-DO-status.png
deleted file mode 100644
index d4b47be324..0000000000
Binary files a/windows/deployment/update/images/uc-DO-status.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-emptyworkspacetile.PNG b/windows/deployment/update/images/uc-emptyworkspacetile.PNG
deleted file mode 100644
index 24c37d4279..0000000000
Binary files a/windows/deployment/update/images/uc-emptyworkspacetile.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-featureupdatestatus.PNG b/windows/deployment/update/images/uc-featureupdatestatus.PNG
deleted file mode 100644
index ae6a38502f..0000000000
Binary files a/windows/deployment/update/images/uc-featureupdatestatus.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-filledworkspacetile.PNG b/windows/deployment/update/images/uc-filledworkspacetile.PNG
deleted file mode 100644
index 7293578b1a..0000000000
Binary files a/windows/deployment/update/images/uc-filledworkspacetile.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-filledworkspaceview.PNG b/windows/deployment/update/images/uc-filledworkspaceview.PNG
deleted file mode 100644
index 8d99e52e02..0000000000
Binary files a/windows/deployment/update/images/uc-filledworkspaceview.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-needattentionoverview.PNG b/windows/deployment/update/images/uc-needattentionoverview.PNG
deleted file mode 100644
index 50b6d04699..0000000000
Binary files a/windows/deployment/update/images/uc-needattentionoverview.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-overviewblade.PNG b/windows/deployment/update/images/uc-overviewblade.PNG
deleted file mode 100644
index dca364daf6..0000000000
Binary files a/windows/deployment/update/images/uc-overviewblade.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png b/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png
deleted file mode 100644
index f52087a4a7..0000000000
Binary files a/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-securityupdatestatus.PNG b/windows/deployment/update/images/uc-securityupdatestatus.PNG
deleted file mode 100644
index 75e9d10fd8..0000000000
Binary files a/windows/deployment/update/images/uc-securityupdatestatus.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG b/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG
deleted file mode 100644
index e3f6990348..0000000000
Binary files a/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG and /dev/null differ
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index c981469bef..8af36e4df1 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -42,7 +42,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https

-The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the s. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in bold the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
+The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in bold the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
|To find this Dynamic Update packages, search for or check the results here--> |Title |Product |Description (select the **Title** link to see **Details**) |
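Review bot: the table header on the trailing context line, `|To find this Dynamic Update packages, search for or check the results here--> |`, mixes singular `this` with plural `packages`; while fixing `all of the s` on the line above, the header could become `To find these Dynamic Update packages` (or `this Dynamic Update package`). The bare ASCII arrow `-->` in the header would also be better expressed in words, such as `look here:`.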
diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md
new file mode 100644
index 0000000000..a2ff53df19
--- /dev/null
+++ b/windows/deployment/update/plan-define-readiness.md
@@ -0,0 +1,115 @@
+---
+title: Define readiness criteria
+ms.reviewer:
+manager: laurawi
+description: Identify important roles and figure out how to classify apps
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+audience: itpro
+author: jaimeo
+ms.localizationpriority: medium
+ms.audience: itpro
+author: jaimeo
+ms.topic: article
+ms.collection: M365-modern-desktop
+---
+
+# Define readiness criteria
+
+## Figure out roles and personnel
+
+Planning and managing a deployment involves a variety of distinct activies and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
+
+### Process manager
+
+The process manager leads the update deployment process and has the authority to push the process forward--or halt it if necessary. They also have responsibilities in organizing these activities:
+
+
+|Compatibility workstream |Deployment |Capability and modernization |
+|---------|---------|---------|
+|[Assigning application priority](#set-criteria-for-rating-apps) | Reviewing infrastructure requirements | Determining infrastructure changes |
+|Application assessment | Validating infrastructure against requirements | Determining configuration changes |
+|Device assessment | Creating infrastructure update plan | Create capability proposal |
+
+It's the process manager's role to collect reports on remediation efforts, escalate failures, and to decide whether your environment is ready for pilot deployment and then broad deployment.
+
+
+This table sketches out one view of the other roles, with their responsibilities, relevant skills, and the deployment phases where they are needed:
+
+
+|Role |Responsibilities |Skills |Active phases |
+|---------|---------|---------|---------|
+|Process manager | Manages the process end to end; ensures inputs and outputs are captures; ensures that activities progress | IT service management | Plan, prepare, pilot deployment, broad deployment |
+|Application owner | Define application test plan; assign user acceptance testers; certify the application | Knowledge of critical and important applications | Plan, prepare, pilot deployment |
+|Application developer | Ensure apps are developed to stay compatible with current Windows versions | Application development; application remediation | Plan, prepare |
+|End-user computing | Typically a group including infrastructure engineers or deployment engineers who ensure upgrade tools are compatible with Windows | Bare-metal deployment; infrastructure management; application delivery; update management | Plan, prepare, pilot deployment, broad deployment |
+|Operations | Ensure that support is available for current Windows version. Provide post-deployment support, including user communication and rollbacks. | Platform security | Prepare, pilot deployment, broad deployment |
+|Security | Review and approve the security baseline and tools | Platform security | Prepare, pilot deployment |
+|Stakeholders | Represent groups affected by updates, for example, heads of finance, end-user services, or change management | Key decision maker for a business unit or department | Plan, pilot deployment, broad deployment |
+
+
+
+
+
+
+## Set criteria for rating apps
+
+Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but aren’t critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This will help you understand how best to deploy updates and how to resolve any issues that could arise.
+
+In the Prepare phase, you'll apply the criteria you define now to every app in your organization.
+
+Here's a suggested classification scheme:
+
+
+|Classification |Definition|
+|---------|---------|
+|Critical | The most vital applications that handle core business activities and processes. If these applications were not available, the business, or a business unit, couldn't function at all. |
+|Important | Applications that individual staff members need to support their productivity. Downtime here would affect individual users, but would only have a minimal impact on the business. |
+|Not important | There is no impact on the business if these apps are not available for a while. |
+
+Once you have classified your applications, you should agree what each classification means to the organization in terms of priority and severity. This will help ensure that you can triage problems with the right level of urgency. You should assign each app a time-based priority.
+
+Here's an example priority rating system; of course the specifics could vary for your organization:
+
+
+|Priority |Definition |
+|---------|---------|
+|1 | Any issues or risks identified must be investigated and resolved as soon as possible. |
+|2 | Start investigating risks and issues within two business days and fix them *during* the current deployment cycle. |
+|3 | Start investigating risks and issues within 10 business days. You don’t have to fix them all within the current deployment cycle. However, all issues must be fixed by the end of the next deployment cycle. |
+|4 | Start investigating risks and issues within 20 business days. You can fix them in the current or any future development cycle. |
+
+Related to priority, but distinct, is the concept of severity. You should define a severity ranking as well, based on how you feel a problem with an app should affect the deployment cycle.
+
+Here's an example:
+
+
+|Severity |Effect |
+|---------|---------|
+|1 | Work stoppage or loss of revenue |
+|2 | Productivity loss for a business unit |
+|3 | Productivity loss for individual users |
+|4 | Minimal impact on users |
+
+## Example: a large financial corporation
+
+Using the suggested scheme, a financial corporation might classify their apps like this:
+
+
+|App |Classification |
+|---------|---------|
+|Credit processing app | Critical |
+|Frontline customer service app | Critical |
+|PDF viewer | Important |
+|Image processing app | Not important |
+
+Further, they might combine this classification with severity and priority rankings like this:
+
+
+|Classification |Severity |Priority |Response |
+|---------|---------|---------|---------|
+|Critical | 1 or 2 | 1 or 2 | For 1, stop deployment until resolved; for 2, stop deployment for affected devices or users only. |
+|Important | 3 or 4 | 3 or 4 | For 3, continue deployment, even for affected devices, as long as there is workaround guidance. |
+|Not important | 4 | 4 | Continue deployment for all devices. |
+
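Review bot: Two typos in this hunk will ship to readers: "distinct activies and roles" in the opening paragraph should be "activities", and the Process manager row of the roles table says "ensures inputs and outputs are captures" where "captured" is meant. In the same table, the Operations row lists "Platform security" as its skill, which reads as a copy of the Security row directly below it; the stated responsibilities (post-deployment support, user communication, rollbacks) suggest a support or service-operations skill was intended, so please confirm before merge. Also, row 4 of the priority table says "current or any future development cycle" while rows 2 and 3 say "deployment cycle"; one term should be used throughout.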
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md
new file mode 100644
index 0000000000..b7e1707a7d
--- /dev/null
+++ b/windows/deployment/update/plan-determine-app-readiness.md
@@ -0,0 +1,76 @@
+---
+title: Determine application readiness
+ms.reviewer:
+manager: laurawi
+description: How to test your apps to know which need attention prior to deploying an update
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+audience: itpro
+author: jaimeo
+ms.localizationpriority: medium
+ms.audience: itpro
+author: jaimeo
+ms.topic: article
+ms.collection: M365-modern-desktop
+---
+
+# Determine application readiness
+
+Before you deploy a Windows 10 update, you should know which apps will continue to work without problems, which need their own updates, and which just won't work and must be replaced. If you haven't already, it's worth [classifying your apps] with respect to their criticality in your organization.
+
+## Validation methods
+
+You can choose from a variety of methods to validate apps. Exactly which ones to use will depend on the specifics of your environment.
+
+
+|Validation method |Description |
+|---------|---------|
+|Full regression | A full quality assurance probing. Staff who know the application very well and can validate its core functionality should do this. |
+|Smoke testing | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application they’re validating. |
+|Automated testing | Software performs tests automatically. The software will let you know whether the tests have passed or failed, and will provide detailed reporting for you automatically. |
+|Test in pilot | You pre-select users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types. |
+|Reactive response | Applications are validated in late pilot, and no specific users are selected. These are normally applications aren't installed on many devices and aren’t handled by enterprise application distribution. |
+
+Combining the various validation methods with the app classifications you've previously established might look like this:
+
+
+|Validation method |Critical apps |Important apps |Not important apps |
+|---------|---------|---------|---------|
+|Full regression | x | | |
+|Smoke testing | | x | |
+|Automated testing | x | x | x |
+|Test in pilot | x | x | x |
+
+
+### Identify users
+
+Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you'll have to choose which users are best suited for validation testing. Some factors to consider include:
+
+- **Location**: If users are in different physical locations, can you support them and get validation feedback from the region they're in?
+- **Application knowledge**: Do the users have appropriate knowledge of how the app is supposed to work?
+- **Technical ability**: Do the users have enough technical competence to provide useful feedback from various test scenarios?
+
+You could seek volunteers who enjoy working with new features and include them in the pilot deployment. You might want to avoid using core users like department heads or project managers. Current application owners, operations personnel, and developers can help you identify the most appropriate pilot users.
+
+### Identify and set up devices for validation
+
+In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection will include devices representing all of the hardware models in your environment.
+
+There is more than one way to choose devices for app validation:
+
+- **Existing pilot devices**: You might already have a list of devices that you regularly use for testing updates as part of release cycles.
+- **Manual selection**: Some internal groups like operations will have expertise to help choose devices manually based on specifications, usage, or records of past support problems.
+- **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices.
+
+
+### Desktop Analytics
+
+Desktop Analytics can make all of the tasks discussed in this article significantly easier:
+
+- Creating and maintaining an application and device inventory
+- Assign owners to applications for testing
+- Automatically apply your app classifications (critical, important, not important)
+- Automatically identify application compatibility risks and provide recommendations for reducing those risks
+
+For more information, see [What is Desktop Analytics?](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview)
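Review bot: The front matter declares `author: jaimeo` twice (once after `audience: itpro` and again after `ms.audience: itpro`); duplicate YAML keys are at best silently ignored and at worst rejected by the build, and the sibling files in this change use `author:` together with `ms.author:`, so the second occurrence should presumably be `ms.author: jaimeo`. Separately, the first paragraph contains `[classifying your apps]` with no link target, so it renders as literal bracketed text; the other new files in this change link rating criteria to `plan-define-readiness.md`, which looks like the intended destination. Minor: in the Reactive response row, "These are normally applications aren't installed on many devices" is missing "that", and the Desktop Analytics bullets mix "Creating", "Assign" and "Automatically apply" and should be made parallel.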
diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md
new file mode 100644
index 0000000000..76cbb5eea0
--- /dev/null
+++ b/windows/deployment/update/prepare-deploy-windows.md
@@ -0,0 +1,158 @@
+---
+title: Prepare to deploy Windows
+description:
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Prepare to deploy Windows
+
+Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows 10. The planning phase will have left you with these useful items:
+
+- A clear understanding of necessary personnel and their roles and criteria for [rating app readiness](plan-define-readiness.md)
+- A plan for [testing and validating](plan-determine-app-readiness.md) apps
+- An assessment of your [deployment infrastructure](eval-infra-tools.md) and definitions for operational readiness
+- A [deployment plan](create-deployment-plan.md) that defines the rings you want to use
+
+Now you're ready to actually start making changes in your environment to get ready to deploy.
+
+## Prepare infrastructure and environment
+
+- Deploy site server updates for Configuration Manager.
+- Update non-Microsoft security tools like security agents or servers.
+- Update non-Microsoft management tools like data loss prevention agents.
+
+Your infrastructure probably includes many different components and tools. You’ll need to ensure your environment isn’t affected by issues due to the changes you make to the various parts of the infrastructure. Follow these steps:
+
+1. Review all of the infrastructure changes that you’ve identified in your plan. It’s important to understand the changes that need to be made and to detail how to implement them. This prevents problems later on.
+2. Validate your changes. You’ll validate the changes for your infrastructure’s components and tools, to help you understand how your changes could affect your production environment.
+3. Implement the changes. Once the changes have been validated, you can implement the changes across the wider infrastructure.
+
+
+You should also look at your organization’s environment’s configuration and outline how you’ll implement any necessary changes previously identified in the plan phase to support the update. Consider what you’ll need to do for the various settings and policies that currently underpin the environment. For example:
+
+- Implement new draft security guidance. New versions of Windows can include new features that improve your environment’s security. Your security teams will want to make appropriate changes to security related configurations.
+- Update security baselines. Security teams understand the relevant security baselines and will have to work to make sure all baselines fit into whatever guidance they have to adhere to.
+However, your configuration will consist of many different settings and policies. It’s important to only apply changes where they are necessary, and where you gain a clear improvement. Otherwise, your environment might face issues that will slow down the update process. You want to ensure your environment isn’t affected adversely because of changes you make. For example:
+
+1. Review new security settings. Your security team will review the new security settings, to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment.
+2. Review security baselines for changes. Security teams will also review all the necessary security baselines, to ensure the changes can be implemented, and ensure your environment remains compliant.
+3. Implement and validate security settings and baseline changes. Your security teams will then implement all of the security settings and baselines, having addressed any potential outstanding issues.
+
+
+## Prepare applications and devices
+
+You've previously decided on which validation methods you want to use to validate apps in the upcoming pilot deployment phase. Now is a good time to make sure that individual devices are ready and able to install the next update without difficulty.
+
+### Ensure updates are available
+
+Enable update services on devices. Ensure that every device is running all the services Windows Update relies on. Sometimes users or even malware can disable the services Windows Update requires to work correctly. Make sure the following services are running:
+
+- Background Intelligent Transfer Service
+- Background Tasks Infrastructure Service
+- BranchCache (if you use this feature for update deployment)
+- ConfigMgr Task Sequence Agent (if you use Configuration Manager to deploy updates)
+- Cryptographic Services
+- DCOM Server Process Launcher
+- Device Install
+- Delivery Optimization
+- Device Setup Manager
+- License Manager
+- Microsoft Account Sign-in Assistant
+- Microsoft Software Shadow Copy Provider
+- Remote Procedure Call (RPC)
+- Remote Procedure Call (RPC) Locator
+- RPC Endpoint Mapper
+- Service Control Manager
+- Task Scheduler
+- Token Broker
+- Update Orchestrator Service
+- Volume Shadow Copy Service
+- Windows Automatic Update Service
+- Windows Backup
+- Windows Defender Firewall
+- Windows Management Instrumentation
+- Windows Management Service
+- Windows Module Installer
+- Windows Push Notification
+- Windows Security Center Service
+- Windows Time Service
+- Windows Update
+- Windows Update Medic Service
+
+You can check these services manually by using Services.msc, or by using PowerShell scripts, Desktop Analytics, or other methods.
+
+### Network configuration
+
+Ensure that devices can reach necessary Windows Update endpoints through the firewall.
+
+### Optimize download bandwidth
+Set up [Delivery Optimization](waas-delivery-optimization.md) for peer network sharing or Microsoft Connected Cache.
+
+### Address unhealthy devices
+
+In the course of surveying your device population, either with Desktop Analytics or by some other means, you might find devices that have systemic problems that could interfere with update installation. Now is the time to fix those problems.
+
+- **Low disk space:** Quality updates require a minimum of two GB to successfully install. Feature updates require between 8 and 15 GB depending upon the configuration. On Windows 10, version 1903 and later you can proactively use the "reserved storage" feature (for wipe and loads, rebuilds, and new builds) to avoid running out of disk space. If you find a group of devices that don't have enough disk space, you can often resolve this by cleaning up log files and asking users to clean up data if necessary. A good place to start is to delete the following files:
+- C:\Windows\temp
+- C:\Windows\cbstemp (though this file might be necessary to investigate update failures)
+- C:\Windows\WindowsUpdate.log (though this file might be necessary to investigate update failures)
+- C:\Windows.Old (these files should automatically clean up after 10 days or might ask the device user for permission to clean up sooner when constrained for disk space)
+
+You can also create and run scripts to perform additional cleanup actions on devices, with administrative rights, or use Group Policy settings.
+
+- Clean up the Windows Store Cache by running C:\Windows\sytem32\wsreset.exe
+- Optimize the WinSxS folder on the client machine by using **Dism.exe /online /Cleanup-Image /StartComponentCleanup**
+- Compact the operating system by running **Compact.exe /CompactOS:always**
+- Remove Windows Features on Demand that the user doesn't need. See [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) for more guidance.
+- Move Windows Known Folders to OneDrive. See [Use Group Policy to control OneDrive sync settings](https://docs.microsoft.com/onedrive/use-group-policy) for more information.
+- Clean up the Software Distribution folder. Try deploying these commands as a batch file to run on devices to reset the download state of Windows Updates:
+
+```
+net stop wuauserv
+net stop cryptSvc
+net stop bits
+net stop msiserver
+ren C:\Windows\SoftwareDistribution C:\Windows\SoftwareDistribution.old
+net start wuauserv
+net start cryptSvc
+net start bits
+net start msiserver
+```
+
+- **Application and driver updates:** Out-of-date app or driver software can prevent devices from updating successfully. Desktop Analytics will help you identify drivers and applications that need attention. You can also
+check for known issues in order to take any appropriate action. Deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues.
+- **Corruption:** In rare circumstances, a device that has repeated installation errors might be corrupted in a way that prevents the system from applying a new update. You might have to repair the Component Based Store from another source. You can do this with the [System File Checker](https://support.microsoft.com/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system).
+
+
+
+
+
+## Prepare capability
+
+In the plan phase, you determined the specific infrastructure and configuration changes that needed to be implemented to add new capabilities to the environment. Now you can move on to implementing those changes defined in the plan phase. You'll need to complete these higher-level tasks to gain those new capabilities:
+
+- Enable capabilities across the environment by implementing the changes. For example, implement updates to relevant ADMX templates in Active Directory. New Windows versions will come with new policies that you use to update ADMX templates.
+- Validate new changes to understand how they affect the wider environment.
+- Remediate any potential problems that have been identified through validation.
+
+## Prepare users
+
+Users often feel like they are forced into updating their devices randomly. They often don't fully understand why an update is needed, and they don't know when updates would be applied to their devices ahead of time. It's best to ensure that upcoming updates are communicated clearly and with adequate warning.
+
+You can employ a variety of measures to achieve this, for example:
+
+- Send overview email about the update and how it will be deployed to the entire organization.
+- Send personalized emails to users about the update with specific details.
+- Set an opt-out deadline for employees that need to remain on the current version for a bit longer, due to a business need.
+- Provide the ability to voluntarily update at users’ convenience.
+- Inform users of a mandatory installation date when the update will be installed on all devices.
+
+
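Review bot: The `ren` line in the Software Distribution cleanup batch, `ren C:\Windows\SoftwareDistribution C:\Windows\SoftwareDistribution.old`, will fail with "The syntax of the command is incorrect": `ren` takes only a new name, not a path, as its second argument, so it should read `ren C:\Windows\SoftwareDistribution SoftwareDistribution.old`. Because the batch has no error handling, the services are simply restarted and the failure goes unnoticed on every device it is deployed to; since it must run elevated to stop services and rename under `C:\Windows`, that requirement belongs in the introducing bullet, and the fence should be tagged (for example `cmd`). The Windows Store cache bullet points at `C:\Windows\sytem32\wsreset.exe` (should be `system32`). Also in this hunk: the front matter `description:` is empty; the three bullets directly under "Prepare infrastructure and environment" have no introducing sentence; the "However, your configuration..." paragraph follows the "Update security baselines" bullet without a blank line, so it renders inside that list item; and the four `C:\...` paths under "Low disk space" are meant as a nested list and need indenting under that bullet.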
diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md
new file mode 100644
index 0000000000..fc22965271
--- /dev/null
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@@ -0,0 +1,77 @@
+---
+title: Manually configuring devices for Update Compliance
+ms.reviewer:
+manager: laurawi
+description: Manually configuring devices for Update Compliance
+keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+author: jaimeo
+ms.author: jaimeo
+ms.localizationpriority: medium
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Manually Configuring Devices for Update Compliance
+
+There are a number of requirements to consider when manually configuring Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
+
+The requirements are separated into different categories:
+
+1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured.
+2. Devices in every network topography needs to send data to the [**required endpoints**](#required-endpoints) for Update Compliance, for example both devices in main and satellite offices, which may have different network configurations.
+3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality.
+
+## Required policies
+
+> [!NOTE]
+> Windows 10 MDM and Group Policies are backed by registry keys. It is not recommended you set these registry keys directly for configuration as it can lead to unexpected behavior, so the exact registry key locations are not provided, though they are referenced for troubleshooting configuration issues with the [Update Compliance Configuration Script](update-compliance-configuration-script.md).
+
+Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) or Group Policy. For both tables:
+
+- **Policy** corresponds to the location and name of the policy.
+- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) telemetry, but can function off Enhanced or Full (or Optional).
+- **Function** details why the policy is required and what function it serves for Update Compliance. It will also detail a minimum version the policy is required, if any.
+
+### Mobile Device Management policies
+
+Each MDM Policy links to its documentation in the CSP hierarchy, providing its exact location in the hierarchy and more details.
+
+| Policy | Value | Function |
+|---------------------------|-|------------------------------------------------------------|
+|**Provider/*ProviderID*/**[**CommercialID**](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. |
+|**System/**[**AllowTelemetry**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |1- Basic |Configures the maximum allowed telemetry to be sent to Microsoft. Individual users can still set this lower than what the policy defines, see the below policy for more information. |
+|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | Disable Telemetry opt-in Settings | (*Windows 10 1803+*) Determines whether end-users of the device can adjust telemetry to levels lower than the level defined by AllowTelemetry. It is recommended you disable this policy order the effective telemetry level on devices may not be sufficient. |
+|**System/**[**AllowDeviceNameInDiagnosticData**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
+
+### Group Policies
+
+All Group Policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.
+
+| Policy | Value | Function |
+|---------------------------|-|-----------------------------------------------------------|
+|**Configure the Commercial ID** |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) | Identifies the device as belonging to your organization. |
+|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed telemetry to be sent to Microsoft. Individual users can still set this lower than what the policy defines, see the below policy for more information. |
+|**Configure telemetry opt-in setting user interface** | Disable telemetry opt-in Settings |(*Windows 10 1803+*) Determines whether end-users of the device can adjust telemetry to levels lower than the level defined by AllowTelemetry. It is recommended you disable this policy order the effective telemetry level on devices may not be sufficient. |
+|**Allow device name to be sent in Windows diagnostic data** | Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
+
+## Required endpoints
+
+To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to allow devices to contact the below endpoints.
+
+| **Endpoint** | **Function** |
+|---------------------------------------------------------|-----------|
+| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. Census.exe must run on a regular cadence and contact this endpoint in order to receive the majority of [WaaSUpdateStatus](update-compliance-schema-waasupdatestatus.md) information for Update Compliance. |
+| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
+| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. |
+| `http://adl.windows.com` | Required for Windows Update functionality. |
+| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting in the event of certain Feature Update deployment failures. |
+| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. |
+| `https://login.live.com` | This endpoint facilitates MSA access and is required to create the primary identifier we use for devices. Without this service, devices will not be visible in the solution. This also requires Microsoft Account Sign-in Assistant service to be running (wlidsvc). |
+
+## Required services
+
+Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It is recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically.
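Review bot: In both policy tables the telemetry opt-in row says "It is recommended you disable this policy order the effective telemetry level on devices may not be sufficient", which contradicts the table itself: the Value column sets the policy to "Disable telemetry opt-in Settings" and the Group Policy section states all listed policies must be in the Enabled state. Suggest "It is recommended you configure this policy to disable the opt-in settings, otherwise the effective telemetry level on devices may not be sufficient". In the requirements list, "Devices in every network topography needs to send data" should be "network topology need to send data". In the endpoints table, `http://adl.windows.com` is the only plain-HTTP entry among HTTPS endpoints; please confirm the scheme is intentional, because readers building proxy allowlists will copy it as written. The Group Policy path mixes separators ("Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds"); pick one.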
diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md
new file mode 100644
index 0000000000..2167039e0c
--- /dev/null
+++ b/windows/deployment/update/update-compliance-configuration-script.md
@@ -0,0 +1,99 @@
+---
+title: Update Compliance Configuration Script
+ms.reviewer:
+manager: laurawi
+description: Downloading and using the Update Compliance Configuration Script
+keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+author: jaimeo
+ms.author: jaimeo
+ms.localizationpriority: medium
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Configuring devices through the Update Compliance Configuration Script
+
+The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more.
+
+You can [**download the script here**](https://www.microsoft.com/en-us/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
+
+## How the script is organized
+
+The script is organized into two folders **Pilot** and **Deployment**. Both folders have the same key files: `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the .bat itself, which will then execute `ConfigScript.ps1` with the parameters entered to RunConfig.bat.
+
+- The **Pilot** folder and its contents are intended to be used on an initial set of single devices in specific environments (main office & satellite office, for example) for testing and troubleshooting prior to broader deployment. This script is configured to collect and output detailed logs for every device it runs on.
+- The **Deployment** folder is intended to be deployed across an entire device population in a specific environment once devices in that environment have been validated with the Pilot script.
+
+## How to use the script
+
+### Piloting and Troubleshooting
+
+> [!IMPORTANT]
+> If you encounter an issue with Update Compliance, the first step should be to run the script in Pilot mode on a device you are encountering issues with, and save these Logs for reference with Support.
+
+When using the script in the context of troubleshooting, use `Pilot`. Enter `RunConfig.bat`, and configure it as follows:
+
+1. Configure `logPath` to a path where the script will have write access and a place you can easily access. This specifies the output of the log files generated when the script is in Verbose mode.
+2. Configure `commercialIDValue` to your CommercialID. To get your CommercialID, see [Getting your CommercialID](update-compliance-get-started.md#get-your-commercialid).
+3. Run the script. The script must be run in System context.
+4. Examine the Logs output for any issues. If there were issues:
+ - Compare Logs output with the required settings covered in [Manually Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
+ - Examine the script errors and refer to the [script error reference](#script-error-reference) on how to interpret the codes.
+ - Make the necessary corrections and run the script again.
+5. When you no longer have issues, proceed to using the script for more broad deployment with the `Deployment` folder.
+
+
+### Broad deployment
+
+After verifying on a set of devices in a specific environment that everything is configured correctly, you can proceed to broad deployment.
+
+1. Configure `commercialIDValue` in `RunConfig.bat` to [your CommercialID](update-compliance-get-started.md#get-your-commercialid).
+2. Use a management tool like Configuration Manager or Intune to broadly deploy the script to your entire target population.
+
+## Script Error Reference
+
+|Error |Description |
+|-|-------------------|
+| 27 | Not system account. |
+| 37 | Unexpected exception when collecting logs|
+| 1 | General unexpected error|
+| 6 | Invalid CommercialID|
+| 48 | CommercialID is not a GUID|
+| 8 | Couldn't create registry key path to setup CommercialID|
+| 9 | Couldn't write CommercialID at registry key path|
+| 53 | There are conflicting CommercialID values.|
+| 11 | Unexpected result when setting up CommercialID.|
+| 62 | AllowTelemetry registry key is not of the correct type `REG_DWORD`|
+| 63 | AllowTelemetry is not set to the appropriate value and it could not be set by the script.|
+| 64 | AllowTelemetry is not of the correct type `REG_DWORD`.|
+| 99 | Device is not Windows 10.|
+| 40 | Unexpected exception when checking and setting telemetry.|
+| 12 | CheckVortexConnectivity failed, check Log output for more information.|
+| 12 | Unexpected failure when running CheckVortexConnectivity.|
+| 66 | Failed to verify UTC connectivity and recent uploads.|
+| 67 | Unexpected failure when verifying UTC CSP connectivity of the WMI Bridge.|
+| 41 | Unable to impersonate logged-on user.|
+| 42 | Unexpected exception when attempting to impersonate logged-on user.|
+| 43 | Unexpected exception when attempting to impersonate logged-on user.|
+| 16 | Reboot is pending on device, restart device and restart script.|
+| 17 | Unexpected exception in CheckRebootRequired.|
+| 44 | Error when running CheckDiagTrack service.|
+| 45 | DiagTrack.dll not found.|
+| 50 | DiagTrack service not running.|
+| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.|
+| 55 | Failed to create new registry path for `SetDeviceNameOptIn` of the PowerShell script.|
+| 56 | Failed to create property for `SetDeviceNameOptIn` of the PowerShell script at registry path.|
+| 57 | Failed to update value for `SetDeviceNameOptIn` of the PowerShell script.|
+| 58 | Unexpected exception in `SetDeviceNameOptIn` of the PowerShell script.|
+| 59 | Failed to delete `LastPersistedEventTimeOrFirstBoot` property at registry path when attempting to clean up OneSettings.|
+| 60 | Failed to delete registry key when attempting to clean up OneSettings.|
+| 61 | Unexpected exception when attempting to clean up OneSettings.|
+| 52 | Could not find Census.exe|
+| 51 | Unexpected exception when attempting to run Census.exe|
+| 34 | Unexpected exception when attempting to check Proxy settings.|
+| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.|
+| 35 | Unexpected exception when checking User Proxy.|
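Review bot: Error code 12 appears twice in the Script Error Reference table with different descriptions ("CheckVortexConnectivity failed, check Log output for more information." and "Unexpected failure when running CheckVortexConnectivity."), and codes 42 and 43 carry identical text ("Unexpected exception when attempting to impersonate logged-on user."), so a reader cannot map a logged code to a single condition; check the exit codes in `ConfigScript.ps1` and give each row a unique code and a distinguishing description. Smaller points: sorting the table by code would make lookup easier, and in the Piloting steps "Enter `RunConfig.bat`, and configure it as follows" reads as "run it" when the surrounding text means "open and edit it"; "save these Logs" should be lowercase "logs".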
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index 1fc602e081..5953fcc349 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -2,7 +2,7 @@
title: Update Compliance - Feature Update Status report
ms.reviewer:
manager: laurawi
-description: an overview of the Feature Update Status report
+description: Find the latest status of feature updates with an overview of the Feature Update Status report.
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 84b577be93..4e77a4d513 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -1,8 +1,8 @@
---
-title: Get started with Update Compliance (Windows 10)
+title: Get started with Update Compliance
ms.reviewer:
manager: laurawi
-description: Configure Update Compliance in Azure Portal to see the status of updates and antimalware protection on devices in your network.
+description: Prerequisites, Azure onboarding, and configuring devices for Update Compliance
keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
ms.prod: w10
ms.mktglfcycl: deploy
@@ -16,112 +16,68 @@ ms.topic: article
---
# Get started with Update Compliance
-This topic explains the steps necessary to configure your environment for Update Compliance.
-Steps are provided in sections that follow the recommended setup process:
+This topic introduces the high-level steps required to enroll to the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow.
-1. Ensure you meet the [Update Compliance prerequisites](#update-compliance-prerequisites).
-2. [Add Update Compliance to your Azure subscription](#add-update-compliance-to-your-azure-subscription).
-3. [Enroll devices in Update Compliance](#enroll-devices-in-update-compliance).
-4. [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and get Delivery Optimization insights.
+1. Ensure you can [meet the requirements](#update-compliance-prerequisites) to use Update Compliance.
+2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription.
+3. [Configure devices](#enroll-devices-in-update-compliance) to send data to Update Compliance.
+
+After adding the solution to Azure and configuring devices, there will be a waiting period of up to 72 hours before you can begin to see devices in the solution. Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization.
## Update Compliance prerequisites
+
Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites:
-1. Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as [Windows 10 Enterprise multi-session](https://docs.microsoft.com/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc.
-2. Update Compliance provides detailed deployment data for devices on the Semi-Annual Channel and the Long-term Servicing Channel. Update Compliance will show Windows Insider Preview devices, but currently will not provide detailed deployment information for them.
-3. Update Compliance requires at least the Basic level of diagnostic data and a Commercial ID to be enabled on the device.
-4. For Windows 10 1803+, device names will not appear in Update Compliance unless you opt in. The steps to accomplish this is outlined in the [Enroll devices in Update Compliance](#enroll-devices-in-update-compliance) section.
+
+1. **Compatible Operating Systems and Editions**: Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as [Windows 10 Enterprise multi-session](https://docs.microsoft.com/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc.
+2. **Compatible Windows 10 Servicing Channels**: Update Compliance supports Windows 10 devices on the Semi-Annual Channel (SAC) and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview (WIP) devices, but does not currently provide detailed deployment insights for them.
+3. **Diagnostic data requirements**: Update Compliance requires devices be configured to send diagnostic data at *Required* level (previously *Basic*). To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy).
+4. **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md).
+5. **Showing Device Names in Update Compliance**: For Windows 10 1803+, device names will not appear in Update Compliance unless you individually opt-in devices via policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
## Add Update Compliance to your Azure subscription
-Update Compliance is offered as a solution which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps:
-1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal.
+Update Compliance is offered as an Azure Marketplace application which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps:
+
+1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You may need to login to your Azure subscription to access this.
+2. Select **Get it now**.
+3. Choose an existing or configure a new Log Analytics Workspace. While an Azure subscription is required, you will not be charged for ingestion of Update Compliance data.
+ - [Desktop Analytics](https://docs.microsoft.com/sccm/desktop-analytics/overview) customers are advised to use the same workspace for Update Compliance.
+ - [Azure Update Management](https://docs.microsoft.com/azure/automation/automation-update-management) customers are advised to use the same workspace for Update Compliance.
+4. After your workspace is configured and selected, select **Create**. You will receive a notification when the solution has been successfully created.
> [!NOTE]
-> Update Compliance is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Update Compliance, but no Azure charges are expected to accrue to the subscription as a result of using Update Compliance.
+> It is not currently supported to programmatically enroll to Update Compliance via the [Azure CLI](https://docs.microsoft.com/cli/azure) or otherwise. You must manually add Update Compliance to your Azure subscription.
-2. In the Azure portal select **+ Create a resource**, and search for "Update Compliance". You should see it in the results below.
+### Get your CommercialID
-
+A CommercialID is a globally-unique identifier assigned to a specific Log Analytics workspace. The CommercialID is copied to an MDM or Group Policy and is used to identify devices in your environment.
-3. Select **Update Compliance** and a blade will appear summarizing the solution's offerings. At the bottom, select **Create** to begin adding the solution to Azure.
+To find your CommercialID within Azure:
-
-
-4. Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution.
- - [Desktop Analytics](https://docs.microsoft.com/sccm/desktop-analytics/overview) customers are advised to use the same workspace for Update Compliance.
- - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started:
- - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*.
- - For the resource group setting select **Create new** and use the same name you chose for your new workspace.
- - For the location setting, choose the Azure region where you would prefer the data to be stored.
- - For the pricing tier select **per GB**.
-
-
-
-5. The resource group and workspace creation process could take a few minutes. After this, you are able to use that workspace for Update Compliance. Select **Create**.
-
-
-
-6. Watch for a notification in the Azure portal that your deployment has been successful. This might take a few minutes. Then, select **Go to resource**.
-
-
-
-## Enroll devices in Update Compliance
-Once you've added Update Compliance to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Update Compliance there are three key steps to ensure successful enrollment:
-
-### Deploy your Commercial ID to devices
-A Commercial ID is a globally-unique identifier assigned to a specific Log Analytics workspace. This is used to identify devices as part of your environment.
-
-To find your Commercial ID within Azure:
-1. Navigate to the **Solutions** tab for your workspace, and then select the **WaaSUpdateInsights** solution.
-2. From there, select the Update Compliance Settings page on the navbar.
-3. Your Commercial ID is available in the settings page.
-
-
+1. Navigate to the **Solutions** tab for your workspace, and then select the **WaaSUpdateInsights** solution.
+2. From there, select the Update Compliance Settings page on the navbar.
+3. Your CommercialID is available in the settings page.
> [!IMPORTANT]
->Regenerate your Commercial ID only if your original ID can no longer be used or if you want to completely reset your workspace. Regenerating your Commercial ID cannot be undone and will result in you losing data for all devices that have the current Commercial ID until the new Commercial ID is deployed to devices.
+> Regenerate your CommercialID only if your original ID can no longer be used or if you want to completely reset your workspace. Regenerating your CommercialID cannot be undone and will result in you losing data for all devices that have the current CommercialID until the new CommercialID is deployed to devices.
-#### Deploying Commercial ID using Group Policy
-Commercial ID can be deployed using Group Policy. The Group Policy for Commercial ID is under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure the Commercial ID**.
+## Enroll devices in Update Compliance
-
-
-#### Deploying Commercial ID using MDM
-Commercial ID can be deployed through a [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) policy beginning with Windows 10, version 1607. Commercial ID is under the [DMClient configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
-
-### Ensure endpoints are whitelisted
-To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to whitelist the following endpoints. You may need security group approval to do this.
-
-| **Endpoint** | **Function** |
-|---------------------------------------------------------|-----------|
-| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. |
-| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
-| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. |
-| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
-| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting in the event of certain Feature Update deployment failures. |
-| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. |
-| `https://login.live.com` | This endpoint is optional but allows for the Update Compliance service to more reliably identify and process devices. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. |
-
-### Set diagnostic data levels
-Update Compliance requires that devices are configured to send Microsoft at least the Basic level of diagnostic data in order to function. For more information on Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
-
-#### Configuring Telemetry level using Group Policy
-You can set Allow Telemetry through Group Policy, this setting is in the same place as the Commercial ID policy, under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Allow Telemetry**. Update Compliance requires at least Basic (level 1) to function.
-
-
-
-#### Configuring Telemetry level using MDM
-Telemetry level can additionally be configured through a [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) policy. Allow Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry).
-
-### Enabling Device Name in telemetry
-Beginning with Windows 10, version 1803, Device Name is no longer collected as part of normal Windows Diagnostic Data and must explicitly be allowed to be sent to Microsoft. If devices do not have this policy enabled, their device name will appear as '#' instead.
-
-#### Allow Device Name in Telemetry with Group Policy
-Allow Device Name in Telemetry is under the same node as Commercial ID and Allow Telemetry policies in Group Policy, listed as **Allow device name to be sent in Windows diagnostic data**.
-
-#### Allow Device Name in Telemetry with MDM
-Allow Device Name in Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry).
+Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance.
> [!NOTE]
-> After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it might take 48-72 hours for the first data to appear in the solution. Until then, Update Compliance will indicate it is still assessing devices.
+> After configuring devices via one of the two methods below, it can take up to 72 hours before devices are visible in the solution. Until then, Update Compliance will indicate it is still assessing devices.
+
+### Configure devices using the Update Compliance Configuration Script
+
+The recommended way to configure devices to send data to Update Compliance is using the [Update Compliance Configuration Script](update-compliance-configuration-script.md). The script configures required policies via Group Policy. The script comes with two versions:
+
+- Pilot is more verbose and is intended to be use on an initial set of devices and for troubleshooting.
+- Deployment is intended to be deployed across the entire device population you want to monitor with Update Compliance.
+
+To download the script and learn what you need to configure and how to troubleshoot errors, see [Configuring Devices using the Update Compliance Configuration Script](update-compliance-configuration-script.md).
+
+### Configure devices manually
+
+It is possible to manually configure devices to send data to Update Compliance, but the recommended method of configuration is to use the [Update Compliance Configuration Script](update-compliance-configuration-script.md). To learn more about configuring devices manually, see [Manually Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
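Review bot: Two typos in the added text: "The steps to accomplish this is outlined" (prerequisite 5) should read "are outlined", and "intended to be use on an initial set of devices" under the configuration script section should read "intended to be used". On substance, this hunk deletes the endpoint allow-list table and the Group Policy and MDM paths for CommercialID, AllowTelemetry and device name and points readers to update-compliance-configuration-manual.md instead; confirm that page carries the same endpoint list (including the v10c versus v10.vortex-win split by Windows version), since the diff does not show it. The new step 3 statement "you will not be charged for ingestion of Update Compliance data" replaces the removed note that no Azure charges are expected from using Update Compliance; if the intent is unchanged, keep the broader wording so readers do not take it as covering ingestion only.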
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 7cfa65dc2a..311272e93b 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -1,5 +1,5 @@
---
-title: Monitor Windows Updates and Windows Defender AV with Update Compliance (Windows 10)
+title: Monitor Windows Updates and Microsoft Defender AV with Update Compliance (Windows 10)
ms.reviewer:
manager: laurawi
description: You can use Update Compliance in Azure Portal to monitor the progress of updates and key antimalware protection features on devices in your network.
@@ -18,10 +18,9 @@ ms.topic: article
# Monitor Windows Updates with Update Compliance
> [!IMPORTANT]
-> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates:
->
-> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
-> * The Perspectives feature of Update Compliance will also be removed on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
+> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. Two planned feature removals for Update Compliance – Microsoft Defender Antivirus reporting and Perspectives – are now scheduled to be removed beginning Monday, May 11, 2020.
+> * The retirement of Microsoft Defender Antivirus reporting will begin Monday, May 11, 2020. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
+> * The Perspectives feature of Update Compliance will be retired Monday, May 11, 2020. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
## Introduction
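Review bot: The link text "Windows Analytics was retired on January 31, 2020" still points to https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor, which is this same article, so the reference is circular; point it at the retirement announcement or drop the link. The rest of the rewritten note is clear, but the two bullets both say "Monday, May 11, 2020" while the lead sentence says "beginning" that date; if the two features retire on the same day, one date statement is enough.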
@@ -33,30 +32,15 @@ Update Compliance enables organizations to:
Update Compliance is offered through the Azure portal, and is included as part of Windows 10 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites).
-Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal).
+Update Compliance uses Windows 10 diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience.
See the following topics in this guide for detailed information about configuring and using the Update Compliance solution:
-- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment.
-- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance.
+- [Get started with Update Compliance](update-compliance-get-started.md) provides directions on adding Update Compliance to your Azure subscription and configuring devices to send data to Update Compliance.
+- [Using Update Compliance](update-compliance-using.md) breaks down every aspect of the Update Compliance experience.
-## Update Compliance architecture
-
-The Update Compliance architecture and data flow follows this process:
-
-1. User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
-2. Diagnostic data is analyzed by the Update Compliance Data Service.
-3. Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.
-4. Diagnostic data is available in the Update Compliance solution.
-
-
-> [!NOTE]
-> This process assumes that Windows diagnostic data is enabled and data sharing is enabled as outlined in the enrollment section of [Get started with Update Compliance](update-compliance-get-started.md).
-
-
-
-
## Related topics
-[Get started with Update Compliance](update-compliance-get-started.md)
-[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
+* [Get started with Update Compliance](update-compliance-get-started.md)
+* [Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
+* [Update Compliance Schema Reference](update-compliance-schema.md)
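Review bot: Removing the "Update Compliance architecture" section drops the only description of the data flow from this page; the new update-compliance-privacy.md added in this same change has a "Data flow for Update Compliance" section, so add it to the Related topics list next to the new Schema Reference entry so readers can still find that information.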
diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md
index a4b940a236..f17250eec3 100644
--- a/windows/deployment/update/update-compliance-need-attention.md
+++ b/windows/deployment/update/update-compliance-need-attention.md
@@ -19,8 +19,8 @@ ms.topic: article
The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section.
->[!NOTE]
->The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up.
+> [!NOTE]
+> The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up.
The different issues are broken down by Device Issues and Update Issues:
@@ -35,12 +35,12 @@ The different issues are broken down by Device Issues and Update Issues:
* **Cancelled**: This issue occurs when a user cancels the update process.
* **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version.
* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention.
-* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days.
+* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 7 days.
Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue.
->[!NOTE]
->This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful.
+> [!NOTE]
+> This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful.
## List of Queries
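Review bot: The **Progress stalled** threshold changes from 10 to 7 days; confirm the backing Log Analytics query and any other page that states this window were updated to match, otherwise the doc and the data will disagree.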
diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md
new file mode 100644
index 0000000000..a455261f8c
--- /dev/null
+++ b/windows/deployment/update/update-compliance-privacy.md
@@ -0,0 +1,55 @@
+---
+title: Privacy in Update Compliance
+ms.reviewer:
+manager: laurawi
+description: an overview of the Feature Update Status report
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Privacy in Update Compliance
+
+Update Compliance is fully committed to privacy, centering on these tenets:
+
+- **Transparency:** Windows 10 diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details).
+- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics.
+- **Security:** Your data is protected with strong security and encryption.
+- **Trust:** Update Compliance supports the Online Services Terms.
+
+## Data flow for Update Compliance
+
+The data flow sequence is as follows:
+
+1. Diagnostic data is sent from devices to the Microsoft Diagnostic Data Management service, which is hosted in the US.
+2. An IT Administrator creates an Azure Log Analytics workspace. They then choose the location this workspace will store data and receives a Commercial ID for that workspace. The Commercial ID is added to each device in an organization by way of Group Policy, MDM or registry key.
+3. Each day Microsoft produces a "snapshot" of IT-focused insights for each workspace in the Diagnostic Data Management Service, identifying devices by Commercial ID.
+4. These snapshots are copied to transient storage, used solely for Update Compliance where they are partitioned by Commercial ID.
+5. The snapshots are then copied to the appropriate Azure Log Analytics workspace, where the Update Compliance experience pulls the information from to populate visuals.
+
+## FAQ
+
+### Can Update Compliance be used without a direct client connection to the Microsoft Data Management Service?
+
+No, the entire service is powered by Windows diagnostic data, which requires that devices have this direct connectivity.
+
+### Can I choose the data center location?
+
+Yes for Azure Log Analytics, but no for the Microsoft Data Management Service (which is hosted in the US).
+
+## Related topics
+
+See related topics for additional background information on privacy and treatment of diagnostic data:
+
+- [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance)
+- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
+- [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview)
+- [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31)
+- [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/)
+- [Trust Center](https://www.microsoft.com/trustcenter)
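Review bot: the front-matter `description` ("an overview of the Feature Update Status report") describes a different article and is what search results and link previews will show for this page; change it to describe this page, for example "An overview of how Update Compliance handles diagnostic data and privacy". Two points in the body: the Control bullet refers to "a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics" without giving the setting's name or a link, so either name the policy or link the configure-diagnostic-data article already listed under Related topics; and the data-flow section describes the payload only as "IT-focused insights" while the WUDOStatus schema added in this same change carries IP-derived `City`, `Country` and `ISP` values, which a privacy page should disclose or cross-reference.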
diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
new file mode 100644
index 0000000000..3cbcbbeb28
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
@@ -0,0 +1,46 @@
+---
+title: Update Compliance Schema - WaaSDeploymentStatus
+ms.reviewer:
+manager: laurawi
+description: WaaSDeploymentStatus schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# WaaSDeploymentStatus
+
+WaaSDeploymentStatus records track a specific update's installation progress on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, as well as one tracking a Windows Quality Update, at the same time.
+
+|Field |Type |Example |Description |
+|-|-|-----|------------------------|
+|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). |
+|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
+|**DeferralDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |The deferral policy for this content type or `UpdateCategory` (Windows `Feature` or `Quality`). |
+|**DeploymentError** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there is either no string matching the error or there is no error. |
+|**DeploymentErrorCode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there is either no error or there is *no error code*, meaning that the issue raised does not correspond to an error, but some inferred issue. |
+|**DeploymentStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Failed` |The high level status of installing this update on this device. Possible values are:
**Update completed**: Device has completed the update installation.
**In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.
**Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.
**Cancelled**: The update was cancelled.
**Blocked**: There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.
**Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that have not sent any deployment data for that update will have the status `Unknown`.
**Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update.
**Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.|
+|**DetailedStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:
**Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.
**Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.
**Update offered**: The device has been offered the update, but has not begun downloading it.
**Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.
**Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds).
**Download started**: The update has begun downloading on the device.
**Download Succeeded**: The update has successfully completed downloading.
**Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.
**Install Started**: Installation of the update has begun.
**Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.
**Reboot Pending**: The device has a scheduled reboot to apply the update.
**Reboot Initiated**: The scheduled reboot has been initiated.
**Commit**: Changes are being committed post-reboot. This is another step of the installation process.
**Update Completed**: The update has successfully installed.|
+|**ExpectedInstallDate** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/28/2020, 1:00:01.318 PM`|Rather than the expected date this update will be installed, this should be interpreted as the minimum date Windows Update will make the update available for the device. This takes into account Deferrals. |
+|**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|The last point in time that this device sent Update Session data. |
+|**OriginBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.719` |The build originally installed on the device when this Update Session began. |
+|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.719` |The build currently installed on the device. |
+|**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`719` |The revision of the OSBuild installed on the device. |
+|**OSServicingBranch** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Semi-Annual` |The Servicing Branch or [Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) the device is on. Dictates which Windows updates the device receives and the cadence of those updates. |
+|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. |
+|**PauseState** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Feature Updates.
**Expired**: The pause period has expired.
**NotConfigured**: Pause is not configured.
**Paused**: The device was last reported to be pausing this content type.
**NotPaused**: The device was last reported to not have any pause on this content type. |
+|**RecommendedAction** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |The recommended action to take in the event this device needs attention, if any. |
+|**ReleaseName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`KB4551762` |The KB Article corresponding to the TargetOSRevision, if any. |
+|**TargetBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The target OSBuild, the update being installed or considered as part of this WaaSDeploymentStatus record. |
+|**TargetOSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The target OSVersion. |
+|**TargetOSRevision** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |The target OSRevisionNumber. |
+|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime) |`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
+|**UpdateCategory** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Quality` |The high-level category of content type this Windows Update belongs to. Possible values are **Feature** and **Quality**. |
+|**UpdateClassification** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Security` |Similar to UpdateCategory, this more specifically determines whether a Quality update is a security update or not. |
+|**UpdateReleasedDate** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime) |`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the time the update came available on Windows Update. |
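Review bot: `DeploymentErrorCode` is typed int but its example `8003001E` is a hexadecimal string; either the type should be string or the example should be the decimal value the table actually returns, and readers writing `where DeploymentErrorCode == ...` filters need to know which. In the `ComputerID` row, "end-user Managed Service Account (MSA) service" should read "Microsoft Account (MSA) service": the Global Device ID is obtained from the Microsoft Account service, and a Managed Service Account is an unrelated Active Directory concept. Finally, the value lists in the `DeploymentStatus`, `DetailedStatus` and `PauseState` cells span several physical lines, some of them without the `+` prefix; Markdown table cells cannot contain raw line breaks, so join each list onto its row with `<br>` separators or those rows will render broken.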
diff --git a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md
new file mode 100644
index 0000000000..2ddf505e62
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md
@@ -0,0 +1,35 @@
+---
+title: Update Compliance Schema - WaaSInsiderStatus
+ms.reviewer:
+manager: laurawi
+description: WaaSInsiderStatus schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# WaaSInsiderStatus
+
+WaaSInsiderStatus records contain device-centric data and acts as the device record for devices on Windows Insider Program builds in Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. Insider devices have fewer fields than [WaaSUpdateStatus](update-compliance-schema-waasupdatestatus.md).
+
+
+|Field |Type |Example |Description |
+|--|--|---|--|
+|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). |
+|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
+|**OSArchitecture** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`amd64` |The architecture of the Operating System. |
+|**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. |
+|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. |
+|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-information/). |
+|**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device. |
+|**OSEdition** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Enterprise` |The Windows 10 Edition or SKU. |
+|**OSFamily** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows.Desktop` |The Device Family of the device. Only `Windows.Desktop` is currently supported. |
+|**OSServicingBranch** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Semi-Annual` |The Servicing Branch or [Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) the device is on. Dictates which Windows updates the device receives and the cadence of those updates. |
+|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|3/22/`2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
+|**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|3/22/`2020, 2:00:00.436 AM`|A DateTime corresponding to the last time the device sent data to Microsoft. This does not necessarily mean all data that is needed to populate all fields Update Compliance uses was sent, this is more like a "heartbeat". |
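Review bot: the `TimeGenerated` and `LastScan` examples have the opening backtick in the wrong place (`3/22/` sits outside the code span), so only the tail of each date renders as code; move the backtick before `3/22/` as in the other schema pages. The intro sentence has two agreement errors: "records contain ... and acts as" should be "act as", and "Each record ... map to" should be "maps to". The `ComputerID` row has the same wording problem as WaaSDeploymentStatus: MSA here is the Microsoft Account service, not a Managed Service Account. Also worth a sentence: the `OSServicingBranch` example is `Semi-Annual`, yet this table exists for Insider devices, so show an Insider channel value or explain why the field still reads Semi-Annual for them.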
diff --git a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md
new file mode 100644
index 0000000000..0b5adb4096
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md
@@ -0,0 +1,46 @@
+---
+title: Update Compliance Schema - WaaSUpdateStatus
+ms.reviewer:
+manager: laurawi
+description: WaaSUpdateStatus schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# WaaSUpdateStatus
+
+WaaSUpdateStatus records contain device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention.
+
+|Field |Type |Example |Description |
+|--|-|----|------------------------|
+|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). |
+|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
+|**DownloadMode** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Simple (99)` |The device's Delivery Optimization DownloadMode. To learn about possible values, see [Delivery Optimization Reference - Download mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) |
+|**FeatureDeferralDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |The on-client Windows Update for Business Deferral Policy days. - **<0**: A value below 0 indicates the policy is disabled. - **0**: A value of 0 indicates the policy is enabled, but the deferral period is 0 days. - **1+**: A value of 1 and above indicates the deferral setting, in days. |
+|**FeaturePauseDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |*Deprecated* This provides the count of days left in a pause |
+|**FeaturePauseState** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Feature Updates.
**Expired**: The pause period has expired.
**NotConfigured**: Pause is not configured.
**Paused**: The device was last reported to be pausing this content type.
**NotPaused**: The device was last reported to not have any pause on this content type. |
+|**QualityDeferralDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |The on-client Windows Update for Business Deferral Policy days.
**<0**: A value below 0 indicates the policy is disabled.
**0**: A value of 0 indicates the policy is enabled, but the deferral period is 0 days.
**1+**: A value of 1 and above indicates the deferral setting, in days. |
+|**QualityPauseDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |**Deprecated**. This provides the count of days left in a pause period.|
+|**QualityPauseState** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Quality Updates.
**Expired**: The pause period has expired.
**NotConfigured**: Pause is not configured.
**Paused**: The device was last reported to be pausing this content type.
**NotPaused**: The device was last reported to not have any pause on this content type. |
+|**NeedAttentionStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |Indicates any reason a device needs attention; if empty, there are no [Device Issues](https://docs.microsoft.com/windows/deployment/update/update-compliance-need-attention#device-issues) for this device. |
+|**OSArchitecture** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`amd64` |The architecture of the Operating System. |
+|**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. |
+|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. |
+|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-information/). |
+|**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device. |
+|**OSCurrentStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Current` |*Deprecated* Whether or not the device is on the latest Windows Feature Update available, as well as the latest Quality Update for that Feature Update. |
+|**OSEdition** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Enterprise` |The Windows 10 Edition or SKU. |
+|**OSFamily** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows.Desktop` |The Device Family of the device. Only `Windows.Desktop` is currently supported. |
+|**OSFeatureUpdateStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Up-to-date` |Indicates whether or not the device is on the latest available Windows 10 Feature Update. |
+|**OSQualityUpdateStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Up-to-date` |Indicates whether or not the device is on the latest available Windows 10 Quality Update (for its Feature Update). |
+|**OSSecurityUpdateStatus**|[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Up-to-date` |Indicates whether or not the device is on the latest available Windows 10 Quality Update **that is classified as containing security fixes**. |
+|**OSServicingBranch** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Semi-Annual` |The Servicing Branch or [Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) the device is on. Dictates which Windows updates the device receives and the cadence of those updates. |
+|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
+|**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 2:00:00.436 AM`|A DateTime corresponding to the last time the device sent data to Microsoft. This does not necessarily mean all data that is needed to populate all fields Update Compliance uses was sent, this is more like a "heartbeat". |
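Review bot: `FeaturePauseState` is typed int but its example is `NotConfigured` and its value list is textual, while the parallel `QualityPauseState` row is typed string; make both string. The paired rows are also formatted inconsistently: `FeatureDeferralDays` inlines its value list with " - " separators while `QualityDeferralDays` breaks the identical list across lines, and `FeaturePauseDays` writes "*Deprecated* This provides the count of days left in a pause" (no period) while `QualityPauseDays` writes "**Deprecated**. This provides ... pause period."; pick one form for both. Intro grammar: "records contain ... and acts as" should be "act as" and "Each record ... map to" should be "maps to". Same `ComputerID` fix as the other tables: Microsoft Account, not Managed Service Account.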
diff --git a/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md
new file mode 100644
index 0000000000..6aa934c711
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md
@@ -0,0 +1,34 @@
+---
+title: Update Compliance Schema - WUDOAggregatedStatus
+ms.reviewer:
+manager: laurawi
+description: WUDOAggregatedStatus schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# WUDOAggregatedStatus
+
+WUDOAggregatedStatus records provide information, across all devices, on their bandwidth utilization for a specific content type in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq), over the past 28 days.
+
+These fields are briefly described in this article, to learn more about Delivery Optimization in general, check out the [Delivery Optimization Reference](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference).
+
+|Field |Type |Example |Description |
+|-|-|-|-|
+|**DeviceCount** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`9999` |Total number of devices in this aggregated record. |
+|**BWOptPercent28Days** |[real](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/real) |`68.72` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *across all devices*, computed on a rolling 28-day basis. |
+|**BWOptPercent7Days** |[real](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/real) |`13.58` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *across all devices*, computed on a rolling 7-day basis. |
+|**BytesFromCDN** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`254139` |Total number of bytes downloaded from a CDN versus a Peer. This counts against bandwidth optimization.|
+|**BytesFromGroupPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`523132` |Total number of bytes downloaded from Group Peers. |
+|**BytesFromIntPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`328350` |Total number of bytes downloaded from Internet Peers. |
+|**BytesFromPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`43145` |Total number of bytes downloaded from peers. |
+|**ContentType** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`Quality Updates` |The type of content being downloaded.|
+|**DownloadMode** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this device. |
+|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`1601-01-01T00:00:00Z` |A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace.|
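Review bot: `ContentType` is typed int but the example `Quality Updates` is a string; use the type that the table actually returns. The `TimeGenerated` example `1601-01-01T00:00:00Z` is the Windows FILETIME epoch, which is what a zero or unset datetime renders as, not a plausible ingestion time; use a realistic timestamp in the same format as the other schema pages. `BytesFromPeers` is described as "Total number of bytes downloaded from peers", but its example (43145) is far smaller than `BytesFromGroupPeers` (523132) or `BytesFromIntPeers` (328350), so either it means LAN peers only and should say so, or the example values do not add up. Minor: "These fields are briefly described in this article, to learn more ..." is a comma splice; split it into two sentences.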
diff --git a/windows/deployment/update/update-compliance-schema-wudostatus.md b/windows/deployment/update/update-compliance-schema-wudostatus.md
new file mode 100644
index 0000000000..f3d6dc0e2a
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema-wudostatus.md
@@ -0,0 +1,57 @@
+---
+title: Update Compliance Schema - WUDOStatus
+ms.reviewer:
+manager: laurawi
+description: WUDOStatus schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# WUDOStatus
+
+> [!NOTE]
+> Currently all location-based fields are not working properly. This is a known issue.
+
+WUDOStatus records provide information, for a single device, on their bandwidth utilization for a specific content type in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq), and other information to create more detailed reports and splice on certain common characteristics.
+
+These fields are briefly described in this article, to learn more about Delivery Optimization in general, check out the [Delivery Optimization Reference](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference).
+
+|Field |Type |Example |Description |
+|-|-|-|-|
+|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). |
+|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
+|**City** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |Approximate city device was in while downloading content, based on IP Address. |
+|**Country** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |Approximate country device was in while downloading content, based on IP Address. |
+|**ISP** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |The Internet Service Provider estimation. |
+|**BWOptPercent28Days** |[real](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/real) |`68.72` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *for this device*, computed on a rolling 28-day basis. |
+|**BWOptPercent7Days** |[real](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/real) |`13.58` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *for this device*, computed on a rolling 7-day basis. |
+|**BytesFromCDN** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`254139` |Total number of bytes downloaded from a CDN versus a Peer. This counts against bandwidth optimization. |
+|**BytesFromGroupPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`523132` |Total number of bytes downloaded from Group Peers. |
+|**BytesFromIntPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`328350` |Total number of bytes downloaded from Internet Peers. |
+|**BytesFromPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`43145` |Total number of bytes downloaded from peers. |
+|**ContentDownloadMode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this content. |
+|**ContentType** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`Quality Updates` |The type of content being downloaded. |
+|**DOStatusDescription** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |A short description of DO's status, if any. |
+|**DownloadMode** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this device. |
+|**DownloadModeSrc** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Default` |The source of the DownloadMode configuration. |
+|**GroupID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |The DO Group ID. |
+|**NoPeersCount** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) | |The number of peers this device interacted with. |
+|**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. |
+|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. |
+|**PeerEligibleTransfers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |Total number of eligible transfers by Peers. |
+|**PeeringStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`On` |The DO Peering Status |
+|**PeersCannotConnectCount**|[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |The number of peers this device was unable to connect to. |
+|**PeersSuccessCount** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |The number of peers this device successfully connected to. |
+|**PeersUnknownCount** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |The number of peers for which there is an unknown relation. |
+|**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`1601-01-01T00:00:00Z` |A DateTime corresponding to the last time the device sent data to Microsoft. This does not necessarily mean all data that is needed to populate all fields Update Compliance uses was sent, this is more like a "heartbeat". |
+|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`1601-01-01T00:00:00Z` |A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
+|**TotalTimeForDownload** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`0:00:00` |The total time it took to download the content. |
+|**TotalTransfers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |The total number of data transfers to download this content. |
+
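Review bot: the **ContentType** row declares the type as `int` but gives `Quality Updates` as the example; either the type is `string` or the example should be the numeric code, and the description should say which. The **NoPeersCount** description ("the number of peers this device interacted with") does not fit the field name; if it counts download attempts that found no peers, say so, and if it really counts peers it overlaps **PeersSuccessCount** and the difference should be stated. Minor wording: "for a single device, on their bandwidth utilization" should be "its bandwidth utilization", and both the intro sentence ("These fields are briefly described in this article, to learn more...") and the **LastScan** description ("...was sent, this is more like a "heartbeat"") are comma splices. The `1601-01-01T00:00:00Z` examples for **LastScan** and **TimeGenerated** are the Windows FILETIME epoch sentinel rather than a realistic timestamp; a real-looking value would serve readers better.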
diff --git a/windows/deployment/update/update-compliance-schema.md b/windows/deployment/update/update-compliance-schema.md
new file mode 100644
index 0000000000..2be2ac0e78
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema.md
@@ -0,0 +1,29 @@
+---
+title: Update Compliance Data Schema
+ms.reviewer:
+manager: laurawi
+description: an overview of Update Compliance data schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Update Compliance Schema
+
+When the visualizations provided in the default experience don't fulfill your reporting needs, or if you need to troubleshoot issues with devices, it's valuable to understand the schema for Update Compliance and have a high-level understanding of the capabilities of [Azure Monitor log queries](https://docs.microsoft.com/azure/azure-monitor/log-query/query-language) to power additional dashboards, integration with external data analysis tools, automated alerting, and more.
+
+The table below summarizes the different tables that are part of the Update Compliance solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/log-query/get-started-queries).
+
+|Table |Category |Description |
+|--|--|--|
+|[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. |
+|[**WaaSInsiderStatus**](update-compliance-schema-waasinsiderstatus.md) |Device record |This table houses device-centric data specifically for devices enrolled to the Windows Insider Program. Devices enrolled to the Windows Insider Program do not currently have any WaaSDeploymentStatus records, so do not have Update Session data to report on update deployment progress. |
+|[**WaaSDeploymentStatus**](update-compliance-schema-waasdeploymentstatus.md) |Update Session record |This table tracks a specific update on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, as well as one tracking a Windows Quality Update, at the same time. |
+|[**WUDOStatus**](update-compliance-schema-wudostatus.md) |Delivery Optimization record |This table provides information, for a single device, on their bandwidth utilization across content types in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq). |
+|[**WUDOAggregatedStatus**](update-compliance-schema-wudoaggregatedstatus.md) |Delivery Optimization record |This table aggregates all individual WUDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled to Delivery Optimization. |
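Review bot: the **WUDOStatus** description here says bandwidth utilization "across content types", while the WUDOStatus article added in this same change says each record covers "a specific content type"; pick one wording so the overview and the table page agree. Grammar: "Each record provided in daily snapshots map to a single device" should read "maps", and "for a single device, on their bandwidth utilization" should be "its bandwidth utilization". The front-matter `description` ("an overview of Update Compliance data schema") should be capitalized and read "the Update Compliance data schema".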
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index 47ea2040ed..b61cef1778 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -17,7 +17,7 @@ ms.topic: article
# Use Update Compliance
-In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Windows Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md).
+In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Microsoft Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md).
Update Compliance:
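Review bot: "your device's Windows updates" should be "your devices' Windows updates", since Update Compliance reports across all devices in the tenant; the Windows Defender to Microsoft Defender rename itself is fine.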
@@ -50,7 +50,7 @@ When you select this tile, you will be redirected to the Update Compliance works
Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items:
* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10.
* Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability.
-* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus.
+* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Microsoft Defender Antivirus.
The blade also provides the time at which your Update Compliance workspace was [refreshed](#update-compliance-data-latency).
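Review bot: the rename in the **AV Signature** bullet is incomplete; it now says "Microsoft Defender Antivirus" but the same sentence still refers to "the latest Windows Defender Signatures". More importantly, the Windows Defender AV Status page is deleted in this same change because that reporting feature is being removed on March 31, 2020, so this bullet (and the AV distribution on the overview blade it describes) should either be removed or carry the same removal notice rather than keep describing the feature as current.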
diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md
deleted file mode 100644
index ebd7f7827f..0000000000
--- a/windows/deployment/update/update-compliance-wd-av-status.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Update Compliance - Windows Defender AV Status report
-ms.reviewer:
-manager: laurawi
-description: an overview of the Windows Defender AV Status report
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
-itproauthor: jaimeo
-author: jaimeo
-ms.author: jaimeo
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Windows Defender AV Status
-
-
-> [!IMPORTANT]
-> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
-
-
-
-The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus.
-
-> [!NOTE]
-> Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx).
-
-## Windows Defender AV Status sections
-The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query.
-
-The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation.
-
-Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance:
-* **Signature out of date** devices are devices with a signature older than 14 days.
-* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection.
-* **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days.
-* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team.
-* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared.
-
-## Windows Defender data latency
-Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days.
-
-## Related topics
-
-- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites)
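Review bot: deleting this page should be accompanied by a redirect entry and a sweep for inbound references, otherwise existing links and bookmarks will 404; `update-compliance-using.md` in this same change still describes the AV Signature distribution from the Overview Blade that this page documented, and the TOC should be checked for a link to this file. Since the page itself says the feature is removed on March 31, 2020 rather than already gone, consider keeping the IMPORTANT notice (or a stub page that redirects to the Endpoint Protection alternatives listed here) until that date has passed.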
diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md
new file mode 100644
index 0000000000..dbf94c9677
--- /dev/null
+++ b/windows/deployment/update/update-policies.md
@@ -0,0 +1,204 @@
+---
+title: Policies for update compliance, activity, and end-user experience
+ms.reviewer:
+manager: laurawi
+description:
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+audience: itpro
+author: jaimeo
+ms.localizationpriority: medium
+ms.audience: itpro
+author: jaimeo
+ms.topic: article
+ms.collection: M365-modern-desktop
+---
+
+# Policies for update compliance, activity, and end-user experience
+Keeping devices up to date is the best way to keep them working smoothly and securely.
+
+## Deadlines for update compliance
+
+You can control how strictly devices must reliably keep to your desired update schedule by using update deadline policies. Windows components adapt based on these deadlines. Also, they can make tradeoffs between user experience and velocity in order to meet your desired update deadlines. For example, they can prioritize user experience well before the
+deadline approaches, and then prioritize velocity as the deadline nears, while still affording the user some control.
+
+### Deadlines
+
+Beginning with Windows 10, version 1903 and with the August 2019 security update for Windows 10, version 1709
+and late, a new policy was introduced to replace older deadline-like policies: **Specify deadlines for automatic updates and restarts**.
+
+The older policies started enforcing deadlines once the device reached a “restart pending” state for
+an update. The new policy starts the countdown for the update installation deadline from when the
+update is published plus any deferral. In addition, this policy includes a configurable grace period and the option
+to opt out of automatic restarts until the deadline is reached (although we recommend always allowing automatic
+restarts for maximum update velocity).
+
+> [!IMPORTANT]
+> If you use the new **Specify deadlines for automatic updates and restarts** setting in Windows 10,
+> version 1903, you must disable the [older deadline policies](wufb-compliancedeadlines.md#prior-to-windows-10-version-1709) because they could conflict.
+
+We recommend you set deadlines as follows:
+- Quality update deadline, in days: 3
+- Feature update deadline, in days: 7
+-
+Notifications are automatically presented to the user at appropriate times, and users can choose to be reminded
+later, to reschedule, or to restart immediately, depending on how close the deadline is. We recommend that you
+do **not** set any notification policies, because they are automatically configured with appropriate defaults. An exception is if you
+have kiosks or digital signage.
+
+While three days for quality updates and seven days for feature updates is our recommendation, you might decide
+you want more or less, depending on your organization and its requirements, and this policy is configurable down
+to a minimum of two days.
+
+
+> [!IMPORTANT]
+> If the device is unable to reach the Internet, it can't determine when Microsoft
+> published the update, so it won't be able to enforce the deadline. Learn more about [low activity devices](#device-activity-policies).
+
+### Grace periods
+
+You can set a period of days for Windows to find a minimally disruptive automatic restart time before the restart is enforced. This
+is especially useful in cases where a user has been away for many days (for example, on vacation) so that the device will not
+be forced to update immediately when the user returns.
+
+We recommend you set the following:
+
+- Grace period, in days: 2
+
+Once the deadline and grace period have passed, updates are applied automatically, and a restart occurs
+regardless of [active hours](#active-hours).
+
+
+### Let Windows choose when to restart
+
+Windows can use user interactions to dynamically identify the least disruptive time for an
+automatic restart. To take advantage of this feature, ensure **ConfigureDeadlineNoAutoReboot** is set to
+**Disabled**.
+
+## Device activity policies
+
+Windows typically requires that a device is active and connected to the internet for at least six hours, with at least two
+of continuous activity, in order to successfully complete a system update. The device could have other
+physical circumstances that prevent successful installation of an update--for example, if a laptop is running low
+on battery power, or the user has shut down the device before active hours end and the device cannot comply
+with the deadline.
+
+You can use the settings in this section to ensure that devices are actually available to install updates during the update compliance period.
+
+### Active hours
+
+"Active hours" identify the period of time when a device is expected to be in use. Normally, restarts will occur outside of
+these hours. Windows 10, version 1903 introduced "intelligent active hours," which allow the system to learn active hours based on a user’s activities, rather than you as an administrator having to make decisions for your organization or allowing the user to choose active hours that minimize the period when the system can install an update.
+
+> [!IMPORTANT]
+> If you used the **Configure Active Hours** setting in previous versions of Windows 10, these
+options must be **Disabled** in order to take advantage of intelligent active hours.
+
+If you do set active hours, we recommend setting the following policies to **Disabled** in order to increase update
+velocity:
+
+- [Delay automatic reboot](waas-restart.md#delay-automatic-reboot). While it’s possible to set the system to delay restarts for users who are logged
+in, this might delay an update indefinitely if a user is always either logged in or shut down. Instead, we
+recommend setting the following polices to **Disabled**:
+ - **Turn off auto-restart during active hours**
+ - **No auto-restart with logged on users for scheduled automatic updates**
+
+ - [Limit restart delays](waas-restart.md#limit-restart-delays). By using compliance deadlines, your users will receive notifications that
+updates will occur, so we recommend that you set this policy to **Disabled**, to allow compliance deadlines to eliminate the user’s ability to delay a restart outside of compliance deadline settings.
+
+- **Do not allow users to approve updates and reboots**. Letting users approve or engage with the update process outside of the deadline policies decreases update velocity and increases risk. These policies should be set to **Disabled**:
+ - [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval)
+ - [Update/EngagedRestartDeadline](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartdeadline)
+ - [Update/EngagedRestartDeadlineForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartdeadlineforfeatureupdates)
+ - [Update/EngagedRestartSnoozeSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartsnoozeschedule)
+ - [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartsnoozescheduleforfeatureupdates)
+ - [Update/EngagedRestartTransitionSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestarttransitionschedule)
+
+- [Configure automatic update](waas-wu-settings.md#configure-automatic-updates). By properly setting policies to configure automatic updates, you can increase update velocity by having clients contact a Windows Server Update Services (WSUS) server so it can manage them. We recommend that you set this policy to **Disabled**. However, if you need to provide values, ensure that you set downloads to install automatically by setting the [Group Policy](waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) to **4**. If you’re using Microsoft Intune, setting the value to [Reset to Default](https://docs.microsoft.com/mem/intune/protect/windows-update-settings#user-experience-settings).
+- **Allow auto Windows Update to download over metered networks**. Since more and more devices primarily use cellular data and do not have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting does not allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they are connected to the internet or not, provided they have cellular service.
+
+> [!IMPORTANT]
+> Older versions of Windows don't support intelligent active hours. If your device runs a version of Windows prior to Windows 10, version 1903, we recommend setting the following policies:
+>- [Configure active hours](waas-restart.md#configure-active-hours). Starting with Windows 10, version 1703, you can specify a maximum active-hour range which is counted from the active hours start time. We recommend setting
+this value to **10**.
+>- [Schedule update installation](waas-restart.md#schedule-update-installation). In the **Configure Automatic Updates** settings, there are two ways to control a forced restart after a specified installation time. If you use **schedule update installation**, do not enable both settings because they will most likely conflict.
+> - **Specify automatic maintenance time**. This setting lets you set broader maintenance windows for updates and ensures that this schedule does not conflict with active hours. We
+recommend setting this value to **3** (corresponding to 3 AM). If 3:00 AM is in the middle of the work shift, pick another time that is at least a couple hours before your scheduled work time begins.
+> - **Schedule the install time**. This setting allows you to schedule an installation time for a restart. We do *not* recommend you set this to **Disabled** as it could conflict with active hours.
+
+### Power policies
+
+Devices must actually be available during non-active hours in order to an update. They can't do this if power policies prevent them from waking up. In our organization, we strive to set a balance between security and eco-friendly configurations. We recommend the following settings to achieve what we feel are the appropriate tradeoffs:
+
+To a user, a device is either on or off, but for Windows, there are states that will allow an update to occur (active) and states that do not (inactive). Some states are considered active (sleep), but the user may think the device is off. Also, there are power statuses (plugged in/battery) that Windows checks before starting an update.
+
+You can override the default settings and prevent users from changing them in order to ensure that devices are available for updates during non-active hours.
+
+> [!NOTE]
+> One way to ensure that devices can install updates when you need them to is to educate your users to keep devices plugged in during non-active hours. Even with the best policies, a device that isn't plugged in will not be updated, even in sleep mode.
+
+We recommend these power management settings:
+
+- Sleep mode (S1 or S0 Low Power Idle or [Modern Standby](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby)). When a device is in sleep mode, the system
+appears to be off but if an update is available, it can wake the device up in order to take an update. The
+power consumption in sleep mode is between working (system fully usable) and hibernate (S4 - lowest
+power level before shutdown). When a device is not being used, the system will generally move to sleep
+mode before it goes to hibernate. Issues in velocity arise when the time between sleep and hibernate is
+too short and Windows does not have time to complete an update. Sleep mode is an important setting
+because the system can wake the system from sleep in order to start the update process, as long as there
+is enough power.
+
+Set the following policies to **Enable** or **Do Not Configure** in order to allow the device to use sleep mode:
+- [Power/AllowStandbyStatesWhenSleepingOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-allowstandbystateswhensleepingonbattery)
+- [Power/AllowStandbyWhenSleepingPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactionpluggedin)
+
+Set the following policies to **1 (Sleep)** so that when a user closes the lid of a device, the system goes to
+sleep mode and the device has an opportunity to take an update:
+- [Power/SelectLidCloseActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactiononbattery)
+- [Power/SelectLidCloseActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactionpluggedin)
+
+- **Hibernate**. When a device is hibernating, power consumption is very low and the system cannot wake up
+without user intervention, like pressing the power button. If a device is in this state, it cannot be updated
+unless it supports an ACPI Time and Alarm Device (TAD). That said, if a device supporting Traditional Sleep
+(S3) is plugged in, and a Windows update is available, a hibernate state will be delayed until the update is complete.
+
+> [!NOTE]
+> This does not apply to devices that support Modern Standby (S0 Low Power Idle). You can check which system sleep state (S3 or S0 Low Power Idle) a device supports by running `powercfg /a` at a command prompt. For more, see [Powercfg options](https://docs.microsoft.com/windows-hardware/design/device-experiences/powercfg-command-line-options#option_availablesleepstates).
+
+The default timeout on devices that support traditional sleep is set to three hours. We recommend that you do not reduce these policies in order to allow Windows Update the opportunity to restart the device before sending it into hibernation:
+
+- [Power/HibernateTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutonbattery)
+- [Power/HibernateTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutpluggedin)
+
+## Old or conflicting policies
+
+Each release of Windows 10 can introduce new policies to make the experience better for both administrators and their organizations. When we release a new client policy, we either release it purely for that release and later or we backport the policy to make it available on earlier versions.
+
+> [!IMPORTANT]
+> If you are using Group Policy, note that we don't update the old ADMX templates and you must use the newer (1903) ADMX template in order to use the newer policy. Also, if you are
+> using an MDM tool (Microsoft or non-Microsoft), you can't use the new policy until it's available in the tool interface.
+
+As administrators, you have set up and expect certain behaviors, so we expressly do not remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected.
+
+> [!IMPORTANT]
+> We sometimes find that administrators set devices to get both Group Policy settings and MDM settings from an MDM server such as Microsoft Intune. Policy conflicts are handled differently, depending on how they are ultimately set up:
+> - Windows updates: Group Policy settings take precedence over MDM.
+> - Microsoft Intune: If you set different values for the same policy on two different groups, you will
+> receive an alert and neither policy will be set until the conflict is resolved.
+> It is crucial that you disable conflicting policies in order for devices in your organization to take updates as
+> expected. For example, if a device is not reacting to your MDM policy changes, check to see if a similar
+> policy is set in Group Policy with a differing value.
+> If you find that update velocity is not as high as you expect or if some devices are slower than others, it might be
+> time to clear all polices and settings and specify only the recommended update policies. See the Policy and settings reference for a consolidated list of recommended polices.
+
+The following are policies that you might want to disable because they could decrease update velocity or there are better policies to use that might conflict:
+- **Defer Feature Updates Period in Days**. For maximum update velocity, it's best to set this to **0** (no
+deferral) so that the feature update can complete and monthly security updates will be offered again. Even if there is an urgent quality update that must be quickly deployed, it is best to use **Pause Feature
+Updates** rather than setting a deferral policy. You can choose a longer period if you don't want to stay up to date with the latest feature update.
+- **Defer Quality Updates Period in Days**. To minimize risk and maximize update velocity, the maximum time you might want to consider while evaluating the update with a different ring of devices is two to three days.
+- **Pause Feature Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution.
+- **Pause Quality Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution.
+- **Deadline No Auto Reboot**. Default is **Disabled – Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart.
+
+There are additional policies are no longer supported or have been superseded.
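Review bot: the closing sentence "There are additional policies are no longer supported or have been superseded." is missing its relative pronoun ("additional policies that are no longer supported") and, as the last line of the section, should either point at where those policies are listed or be dropped. In the quoted note above it, "polices" appears twice ("clear all polices and settings", "list of recommended polices") and should be "policies", and the Deadline No Auto Reboot bullet has a stray space before the period in "**Disabled – Set to 0** .".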
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 0c96d3ba90..d25d48f473 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -99,9 +99,9 @@ In cases where the pause policy is first applied after the configured start date
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates**1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate |
+| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates**1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartTime |
| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
-| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate |
+| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime |
| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
You can check the date that Feature Updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
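Review bot: in the GPO row the renamed value runs straight into the preceding one ("...PauseFeatureUpdates**1703 and later:** \Policies\..."), so the two registry paths render as one token; add a `<br>` or at least a space before **1703 and later:** as the MDM row below already does. The rename to PauseFeatureUpdatesStartTime should also be checked against the sentence that follows the table, which still tells readers to look at a **PausedFeatureDate** key; confirm that name is unchanged or update it in the same commit.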
@@ -223,10 +223,10 @@ The following are quick-reference tables of the supported policy values for Wind
| BranchReadinessLevel | REG_DWORD | 2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709) 4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709) 8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709) 16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-annual Channel 32: systems take Feature Updates from Semi-annual Channel Note: Other value or absent: receive all applicable updates |
| DeferQualityUpdates | REG_DWORD | 1: defer quality updatesOther value or absent: don’t defer quality updates |
| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days |
-| PauseQualityUpdatesStartDate | REG_DWORD | 1: pause quality updatesOther value or absent: don’t pause quality updates |
+| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updatesOther value or absent: don’t pause quality updates |
|DeferFeatureUpdates | REG_DWORD | 1: defer feature updatesOther value or absent: don’t defer feature updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days |
-| PauseFeatureUpdatesStartDate | REG_DWORD |1: pause feature updatesOther value or absent: don’t pause feature updates |
+| PauseFeatureUpdatesStartTime | REG_DWORD |1: pause feature updatesOther value or absent: don’t pause feature updates |
| ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update driversOther value or absent: offer Windows Update drivers |
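Review bot: renaming PauseQualityUpdatesStartDate and PauseFeatureUpdatesStartDate to ...StartTime leaves the type and value columns describing a flag ("REG_DWORD", "1: pause quality updates"), while the hunk header and the surrounding text describe pause as running from a configured start date; check whether the StartTime values hold a date string rather than a DWORD flag and fix the columns together with the rename. The value cells also lost their separator between alternatives ("1: pause quality updatesOther value or absent"), which looks like a line break dropped in conversion and should be restored.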
@@ -236,9 +236,9 @@ The following are quick-reference tables of the supported policy values for Wind
| --- | --- | --- |
| BranchReadinessLevel | REG_DWORD |2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709) 4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709) 8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709) 16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-annual Channel 32: systems take Feature Updates from Semi-annual Channel Note: Other value or absent: receive all applicable updates |
| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days |
-| PauseQualityUpdatesStartDate | REG_DWORD | 1: pause quality updatesOther value or absent: don’t pause quality updates |
+| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updatesOther value or absent: don’t pause quality updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days |
-| PauseFeatureUpdatesStartDate | REG_DWORD | 1: pause feature updatesOther value or absent: don’t pause feature updates |
+| PauseFeatureUpdatesStartTime | REG_DWORD | 1: pause feature updatesOther value or absent: don’t pause feature updates |
| ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update driversOther value or absent: offer Windows Update drivers |
## Update devices to newer versions
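Review bot: this second table repeats the rename with the same unchanged description ("REG_DWORD | 1: pause quality updates") for the new ...StartTime rows; if the StartTime keys carry a start date, the type and value columns need updating here as well, and the run-together alternatives ("quality updatesOther value or absent", "feature updatesOther value or absent") need a line break or semicolon so the table reads correctly.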
diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md
index e7d8d21550..b4bb57aef5 100644
--- a/windows/deployment/update/waas-delivery-optimization-reference.md
+++ b/windows/deployment/update/waas-delivery-optimization-reference.md
@@ -110,7 +110,7 @@ Download mode dictates which download sources clients are allowed to use when do
| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
| Internet (3) | Enable Internet peer sources for Delivery Optimization. |
| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. |
-|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using SCCM. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. |
+|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. |
>[!NOTE]
>Group mode is a best-effort optimization and should not be relied on for an authentication of identity of devices participating in the group.
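Review bot: the note directly under the changed row carries the important security caveat for group mode but reads awkwardly ("should not be relied on for an authentication of identity of devices"); suggest "should not be relied on to authenticate the identity of devices participating in the group". In the Bypass row, "use BITS, instead" does not need the comma.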
@@ -119,7 +119,7 @@ Download mode dictates which download sources clients are allowed to use when do
By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
-[//]: # (SCCM Boundary Group option; GroupID Source policy)
+[//]: # (Configuration Manager boundary group option; GroupID Source policy)
>[!NOTE]
>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)
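Review bot: the line being changed is a hidden markdown comment (`[//]: #`), so the SCCM rename there has no reader-visible effect; fine to keep for consistency. In the note just below it, "Powershell" should be "PowerShell", and linking a TechNet blog post for `[guid]::NewGuid()` is fragile; the inline expression alone (or a link to the .NET Guid documentation) is enough.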
@@ -135,7 +135,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
- 4 = DNS Suffix
- 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
-When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-4, the policy is ignored.
+When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
### Minimum RAM (inclusive) allowed to use Peer Caching
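Review bot: widening the ignored range to "anything other than 0-5" correctly matches the new value 5 added in the list above. The policy is spelled GroupIDSource in the download-mode table earlier in this file and DOGroupIdSource here; pick one spelling for the CSP name and use it consistently, and add the missing comma in "To do this, set the value".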
diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md
index ac14bcf549..584aa81202 100644
--- a/windows/deployment/update/waas-delivery-optimization-setup.md
+++ b/windows/deployment/update/waas-delivery-optimization-setup.md
@@ -35,6 +35,9 @@ Delivery Optimization offers a great many settings to fine-tune its behavior (se
>[!NOTE]
>These scenarios (and the recommended settings for each) are not mutually exclusive. It's possible that your deployment might involve more than one of these scenarios, in which case you can employ the related settings in any combination as needed. In all cases, however, "download mode" is the most important one to set.
+> [!NOTE]
+> Microsoft Intune includes a profile to make it easier to set Delivery Optimization policies. For details, see [Delivery Optimization settings for Intune](https://docs.microsoft.com/mem/intune/configuration/delivery-optimization-settings).
+
Quick-reference table:
| Use case | Policy | Recommended value | Reason |
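Review bot: the new note sits directly after an existing one with different formatting (">[!NOTE]" versus "> [!NOTE]"); either fold the Intune pointer into the existing note or match its spacing. A blank line is also needed between "Quick-reference table:" and the table header, otherwise the table will not render.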
@@ -66,6 +69,9 @@ To do this in Group Policy go to **Configuration\Policies\Administrative Templat
To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**.
+> [!NOTE]
+> For more about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization).
+
### Large number of mobile devices
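Review bot: the link text "Delivery Optmization" in the added note is misspelled; it should read "Delivery Optimization".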
@@ -122,6 +128,8 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**
| PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. |
| ExpireOn | The target expiration date and time for the file. |
| Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). |
+
+Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data:
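Review bot: the -PeerInfo sentence is added here for `Get-DeliveryOptimizationStatus` and, in the next hunk of this file, an identical sentence is added for `Get-DeliveryOptimizationPerfSnap`; confirm both cmdlets gained the option in version 2004 or remove the one that did not. The Pinned row above the insertion refers to `setDeliveryOptmizationStatus`, which is neither the cmdlet's casing nor its spelling; it should be `Set-DeliveryOptimizationStatus`.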
@@ -139,7 +147,9 @@ Using the `-Verbose` option returns additional information:
- Bytes from CDN (the number of bytes received over HTTP)
- Average number of peer connections per download
-Starting in Window 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status.
+Starting in Windows 10, version 2004, `Get-DeliveryOptimizationPerfSnap` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
+
+Starting in Windows 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status.
Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month.
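Review bot: the moved 1903 sentence keeps `get-DeliveryOptimizationPerfSnap` in lowercase while the new 2004 sentence directly above uses `Get-DeliveryOptimizationPerfSnap`; cmdlet names are case-insensitive, but the docs should use the canonical casing throughout. If the intended order is newest version first (2004, then 1903), the 1803 sentence that follows is already in the right place.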
@@ -166,6 +176,30 @@ You can now "pin" files to keep them persistent in the cache. You can only do th
#### Work with Delivery Optimization logs
+**Starting in Windows 10, version 2004:**
+
+`Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]`
+
+With no options, this cmdlet returns these data:
+
+- total number of files
+- number of foreground files
+- minimum file size for it to be cached
+- number of eligible files
+- number of files with peers
+- number of peering files [how different from the above?]
+- overall efficiency
+- efficiency in the peered files
+
+Using the `-ListConnections` option returns these detauls about peers:
+
+- destination IP address
+- peer type
+- status code
+- bytes sent
+- bytes received
+- file ID
+
**Starting in Windows 10, version 1803:**
`Get-DeliveryOptimizationLog [-Path ] [-Flush]`
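Review bot: the bullet "number of peering files [how different from the above?]" ships an author's open question into the published page; resolve how it differs from "number of files with peers" (or merge the two bullets) before merging. Also "detauls" should be "details", and the syntax line `Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]` should name the positional parameter the way the 1803 entry below does (`[-Path ]`), so readers can tell it is a parameter and not literal text.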
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index 9de80024c2..d39db925b7 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -32,6 +32,15 @@ Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimi
>[!NOTE]
>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead.
+## New in Windows 10, version 2004
+
+- Enterprise network throttling: new settings have been added in Group Policy and MDM to control foreground and background throttling as absolute values (Maximum Background Download Bandwidth in (in KB/s)). These settings are also available in the Windows user interface:
+
+
+
+- Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#microsoft-connected-cache).
+
+
## Requirements
The following table lists the minimum Windows 10 version that supports Delivery Optimization:
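Review bot: the first new bullet ends with "These settings are also available in the Windows user interface:" followed only by blank lines, so the colon introduces content (most likely a screenshot) that is not in this patch; add the image or close the sentence. The same bullet has a doubled "in" in "Maximum Background Download Bandwidth in (in KB/s)", and the second bullet's "identifies the cache server used for as the source for Microsoft Connected Cache" has a dangling "used for".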
@@ -54,11 +63,16 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Windows Defender definition updates | 1511 |
| Office Click-to-Run updates | 1709 |
| Win32 apps for Intune | 1709 |
-| SCCM Express Updates | 1709 + Configuration Manager version 1711 |
+| Office installations and updates | 2004 |
+| Xbox game pass games | 2004 |
+| MSIX apps (HTTP downloads only) | 2004 |
+| Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 |
+
+> [!NOTE]
+> Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910).
+
-
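Review bot: moving the renamed "Configuration Manager Express Updates" row below the new 2004 rows leaves the table out of version order (1709, 2004, then 1709 again); keep it with the other 1709 entries. "Xbox game pass games" should use the product name "Xbox Game Pass games".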
@@ -124,6 +138,30 @@ For the payloads (optional):
**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
+**How does Delivery Optimization handle VPNs?**
+Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
+
+If the connection is identified as a VPN, Delivery Optimization will not use any peer-to-peer activity. However, you can allow peer-to-peer activity over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
+
+If you have defined a boundary group in Configuration Manager and have for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN.
+
+With split tunnelling, it's best to exclude the boundary group for the VPN devices to exclude it from using peer-to-peer. (In this case, those devices won't get the policy and will default to using LAN.) If you're using split tunnelling, you should allow direct access for these endpoints:
+
+Delivery Optimization service endpoint:
+- `https://*.prod.do.dsp.mp.microsoft.com`
+
+Delivery Optimization metadata:
+- `http://emdl.ws.microsoft.com`
+- `http://*.dl.delivery.mp.microsoft.com`
+
+Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads
+
+- `http://*.windowsupdate.com`
+- `https://*.delivery.mp.microsoft.com`
+- `https://*.update.microsoft.com`
+- `https://tsfe.trafficshaping.dsp.mp.microsoft.com`
+
+For more information about this if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
## Troubleshooting
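Review bot: "If you have defined a boundary group in Configuration Manager and have for VPN IP ranges" is missing a word (presumably "have one for VPN IP ranges"). The VPN detection paragraph should also say plainly that the adapter-description keyword check is a heuristic: an adapter whose description contains neither "VPN" nor "secure" will not be recognized, so the boundary-group DownloadMode 0 configuration described two paragraphs later is the reliable control rather than a fallback. Spelling: "tunnelling" should be "tunneling" in US-English docs, and "For more information about this if you're using Configuration Manager" reads more naturally as "If you use Configuration Manager, see ...".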
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 0e9f6ba908..e0d6464259 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -1,5 +1,5 @@
---
-title: Deploy updates using Windows Update for Business (Windows 10)
+title: Windows Update for Business (Windows 10)
ms.reviewer:
manager: laurawi
description: Windows Update for Business lets you manage when devices received updates from Windows Update.
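Review bot: the title is changed to "Windows Update for Business (Windows 10)" but the description in the same front-matter block still reads "when devices received updates" (should be "receive") and still describes the old deploy-focused scope; update it alongside the title.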
@@ -11,24 +11,118 @@ ms.author: jaimeo
ms.topic: article
---
-# Deploy updates using Windows Update for Business
+# What is Windows Update for Business?
**Applies to**
- Windows 10
-- Windows Server 2016
-- Windows Server 2019
-Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro for Workstation, and Education editions.
+
+Windows Update for Business is a free service that is available for all premium editions including Windows 10 Pro, Enterprise, Pro for Workstation, and Education editions.
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
-Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated.
+Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated.
-Specifically, Windows Update for Business allows for control over update offering and experience to allow for reliability and performance testing on a subset of systems before rolling out updates across the organization as well as a positive update experience for those within your organization.
+Specifically, Windows Update for Business allows for control over update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization as well as a positive update experience for those in your organization.
+
+## What can I do with Windows Update for Business?
+
+Windows Update for Business enables commercial customers to manage which Windows Updates are received when as well as the experience a device has when it receives them.
+
+You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as a variety of other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy).
+
+
+### Manage deployment of Windows Updates
+By using Windows Update for Business, you can control which types of Windows Updates are offered to devices in your ecosystem, when updates are applied, and deployment to devices in your organization in waves.
+
+### Manage which updates are offered
+Windows Update for Business enables an IT administrator to receive and manage a variety of different types of Windows Updates.
+
+## Types of updates managed by Windows Update for Business
+
+Windows Update for Business provides management policies for several types of updates to Windows 10 devices:
+
+- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released semi-annually in the fall and in the spring.
+- **Quality updates:** These are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates.
+- **Driver updates:** These are non-Microsoft drivers that are applicable to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer.
+- **Microsoft product updates**: These are updates for other Microsoft products, such as Office. Product updates are off by default. You can turn them on by using Windows Update for Business policies.
+
+
+## Offering
+You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period.
+
+### Manage when updates are offered
+You can defer or pause the installation of updates for a set period of time.
+
+#### Enroll in pre-release updates
+
+The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates:
+
+- Windows Insider Fast
+- Windows Insider Slow
+- Windows Insider Release Preview
+- Semi-annual Channel
+
+Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days are calculated against a release’s Semi-annual Channel release date. For exact release dates, see [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy.
+
+#### Defer an update
+
+A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates use the **Select when Preview Builds and Feature Updates are Received** policy.
+
+
+|Category |Maximum deferral period |
+|---------|---------|
+|Feature updates | 365 days |
+|Quality updates | 30 days |
+|Non-deferrable | none |
+
+
+
+#### Pause an update
+
+If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated.
+If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set.
+
+To pause feature updates use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates).
+
+Built in benefits:
+When updating from Windows Update you get the added benefits of built in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks.
+
+### Recommendations
+
+For the best experience with Windows Update, follow these guidelines:
+
+- Use devices for at least 6 hours per month, including at least 2 hours of continuous use.
+- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours.
+- Make sure that devices have at least 10 GB of free space.
+- Give devices unobstructed access to the Windows Update service.
+
+### Manage the end-user experience when receiving Windows Updates
+
+Windows Update for Business provides controls to help meet your organization’s security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for those in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's usually better to use fewer controls to manage the end-user experience.
+
+#### Recommended experience settings
+
+Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features:
+
+1. Automatically download, install and restart (default if no restart policies are set up or enabled)
+2. Use the default notifications
+3. Set update deadlines
+
+##### Setting deadlines
+
+A compliance deadline policy (released in June 2019) enables you to set separate deadlines and grace periods for feature and quality updates.
+
+This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This is extremely beneficial in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation.
+
+
+
+
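Review bot: the deferral table gives "Quality updates | 30 days" as the maximum deferral period, while waas-configure-wufb.md in this same patch documents DeferQualityUpdatesPeriodinDays as "0-35"; reconcile the two values. Removing Windows Server 2016 and 2019 from the "Applies to" list is a scope change that deserves a sentence of justification, since the rest of the rewritten page only names Windows 10 editions. Smaller points: "Built in benefits:" is an orphan label that should become a heading or be folded into the sentence that follows; the three numbered items under "Recommended experience settings" are settings rather than steps, so "Follow these steps" does not fit; "smart busy check (which ensure" should be "ensures"; and the run of blank "+" lines at the end of the hunk can be trimmed.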
+ 0x$("{0:X16}" -f $LibHandle.ToInt64())"
Log "HstiTest2::QueryHSTIdetails 64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())"
}
@@ -450,7 +452,7 @@ function Instantiate-HSTI {
$hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount, $null, [ref] $blobByteSize)
[byte[]]$blob = New-Object byte[] $blobByteSize
- [HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount
+ [HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount
$hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $providerErrors, [ref] $providerErrorDupleCount, $blob, [ref] $blobByteSize)
$string = $null
$blob | foreach { $string = $string + $_.ToString("X2")+"," }
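Review bot: every removed/added pair in this hunk, and in the following hunks of this script, is identical apart from trailing whitespace; whitespace-only churn is fine but belongs in its own commit so the one behavioural change in the script (the architecture regex near the end) is easy to spot. While here, `$blob | foreach { $string = $string + $_.ToString("X2")+"," }` would be simpler as `($blob | ForEach-Object { $_.ToString("X2") }) -join ","`, which also avoids the trailing comma.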
@@ -479,7 +481,7 @@ function Instantiate-HSTI {
LogAndConsoleError $ErrorMessage
$DGVerifyCrit.AppendLine($ErrorMessage) | Out-Null
}
- else
+ else
{
LogAndConsoleWarning $ErrorMessage
$DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null
@@ -487,9 +489,9 @@ function Instantiate-HSTI {
}
}
- catch
+ catch
{
- LogAndConsoleError $_.Exception.Message
+ LogAndConsoleError $_.Exception.Message
LogAndConsoleError "Instantiate-HSTI failed"
}
}
@@ -613,10 +615,10 @@ function ExecuteCommandAndLog($_cmd)
$CmdOutput = Invoke-Expression $_cmd | Out-String
Log "Output: $CmdOutput"
}
- catch
+ catch
{
Log "Exception while exectuing $_cmd"
- Log $_.Exception.Message
+ Log $_.Exception.Message
}
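Review bot: while touching this catch block, fix "exectuing" in the log message two lines above. More substantively, `Invoke-Expression $_cmd` evaluates a command string; the callers visible in this patch pass fixed literals (the REG ADD string in CheckOSSKU), so it is safe as written, but any future caller that builds `$_cmd` from variable input would turn this helper into a command-injection point. Prefer invoking the executable with an argument array (`& reg add ...`) so the helper is safe by construction.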
@@ -676,7 +678,7 @@ function CheckDriverCompat
verifier.exe /flags 0x02000000 /all /log.code_integrity
LogAndConsole "Enabling Driver Verifier and Rebooting system"
- Log $verifier_state
+ Log $verifier_state
LogAndConsole "Please re-execute this script after reboot...."
if($AutoReboot)
{
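Review bot: `verifier.exe /flags 0x02000000 /all /log.code_integrity` enables Driver Verifier for every driver on the machine and the hunk then reboots (automatically when `$AutoReboot` is set); Driver Verifier on all drivers can leave a system unable to boot, so the message logged before the reboot should say that explicitly, and if the script does not already clear the setting after the post-reboot run (`verifier /reset`), that cleanup step belongs in the "re-execute this script after reboot" path.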
@@ -692,7 +694,7 @@ function CheckDriverCompat
else
{
LogAndConsole "Driver verifier already enabled"
- Log $verifier_state
+ Log $verifier_state
ListDrivers($verifier_state.Trim().ToLowerInvariant())
}
}
@@ -700,23 +702,23 @@ function IsDomainController
{
$_isDC = 0
$CompConfig = Get-WmiObject Win32_ComputerSystem
- foreach ($ObjItem in $CompConfig)
+ foreach ($ObjItem in $CompConfig)
{
$Role = $ObjItem.DomainRole
Log "Role=$Role"
- Switch ($Role)
+ Switch ($Role)
{
0 { Log "Standalone Workstation" }
1 { Log "Member Workstation" }
2 { Log "Standalone Server" }
3 { Log "Member Server" }
- 4
+ 4
{
Log "Backup Domain Controller"
$_isDC=1
break
}
- 5
+ 5
{
Log "Primary Domain Controller"
$_isDC=1
@@ -735,7 +737,7 @@ function CheckOSSKU
Log "OSNAME:$osname"
$SKUarray = @("Enterprise", "Education", "IoT", "Windows Server", "Pro", "Home")
$HLKAllowed = @("microsoft windows 10 pro")
- foreach ($SKUent in $SKUarray)
+ foreach ($SKUent in $SKUarray)
{
if($osname.ToString().Contains($SKUent.ToLower()))
{
@@ -762,7 +764,7 @@ function CheckOSSKU
}
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 2 /f '
}
- else
+ else
{
LogAndConsoleError "This PC edition is Unsupported for Device Guard"
$DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null
@@ -773,14 +775,14 @@ function CheckOSSKU
function CheckOSArchitecture
{
$OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower()
- Log $OSArch
- if($OSArch.Contains("64-bit"))
+ Log $OSArch
+ if($OSArch -match ("^64\-?\s?bit"))
{
- LogAndConsoleSuccess "64 bit archictecture"
+ LogAndConsoleSuccess "64 bit architecture"
}
- elseif($OSArch.Contains("32-bit"))
+ elseif($OSArch -match ("^32\-?\s?bit"))
{
- LogAndConsoleError "32 bit archictecture"
+ LogAndConsoleError "32 bit architecture"
$DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null
}
else
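Review bot: replacing `.Contains("64-bit")` with `-match "^64\-?\s?bit"` is a behavioural change hidden among whitespace fixes and deserves its own commit message. It widens the match to `64bit` and `64 bit`, which is the right direction for the localized spellings that `Win32_OperatingSystem.OSArchitecture` returns, but it still pattern-matches a display string. `[Environment]::Is64BitOperatingSystem` gives the same answer independent of OS language and would let the `if/elseif/else` collapse to one boolean; if the regex is kept, the parentheses around the pattern are redundant, and the `else` branch should record a critical failure so that a string matching neither pattern does not pass silently.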
@@ -878,7 +880,7 @@ function CheckTPM
function CheckSecureMOR
{
$isSecureMOR = CheckDGFeatures(4)
- Log "isSecureMOR= $isSecureMOR "
+ Log "isSecureMOR= $isSecureMOR "
if($isSecureMOR -eq 1)
{
LogAndConsoleSuccess "Secure MOR is available"
@@ -904,7 +906,7 @@ function CheckSecureMOR
function CheckNXProtection
{
$isNXProtected = CheckDGFeatures(5)
- Log "isNXProtected= $isNXProtected "
+ Log "isNXProtected= $isNXProtected "
if($isNXProtected -eq 1)
{
LogAndConsoleSuccess "NX Protector is available"
@@ -921,7 +923,7 @@ function CheckNXProtection
function CheckSMMProtection
{
$isSMMMitigated = CheckDGFeatures(6)
- Log "isSMMMitigated= $isSMMMitigated "
+ Log "isSMMMitigated= $isSMMMitigated "
if($isSMMMitigated -eq 1)
{
LogAndConsoleSuccess "SMM Mitigation is available"
@@ -938,15 +940,15 @@ function CheckSMMProtection
function CheckHSTI
{
LogAndConsole "Copying HSTITest.dll"
- try
+ try
{
$HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded)
[System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded)
}
- catch
+ catch
{
- LogAndConsole $_.Exception.Message
+ LogAndConsole $_.Exception.Message
LogAndConsole "Copying and loading HSTITest.dll failed"
}
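Review bot: the `catch` only logs `$_.Exception.Message` and "Copying and loading HSTITest.dll failed" and then falls through, so when the base64 decode or the `WriteAllBytes` into `$env:windir\System32\hstitest.dll` fails (for instance from a non-elevated prompt), the rest of `CheckHSTI` continues against a DLL that was never written. Return from the `catch`, or append to `$DGVerifyCrit` the way the other checks do, so the summary reflects the failure. Since the function writes an embedded binary into `System32`, a comment stating where `$HSTITest_Encoded` comes from and how it is versioned would also help anyone auditing what this tool loads.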
@@ -959,7 +961,7 @@ function PrintToolVersion
LogAndConsole ""
LogAndConsole "###########################################################################"
LogAndConsole ""
- LogAndConsole "Readiness Tool Version 3.7.1 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
+ LogAndConsole "Readiness Tool Version 3.7.2 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
LogAndConsole ""
LogAndConsole "###########################################################################"
LogAndConsole ""
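Review bot: while the version string on this line is being bumped to 3.7.2, the same line's "capable to run Device Guard and Credential Guard" should read "capable of running"; and because the version is hard-coded inside a log message, a `$ToolVersion` variable defined once at the top of the script would keep the banner and any other version references in step.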
@@ -1030,7 +1032,7 @@ if(!($Ready) -and !($Capable) -and !($Enable) -and !($Disable) -and !($Clear) -a
}
$user = [Security.Principal.WindowsIdentity]::GetCurrent();
-$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
+$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
if(!$TestForAdmin)
{
@@ -1065,7 +1067,7 @@ if($Ready)
{
Log "_CGState: $_CGState"
PrintCGDetails $_CGState
-
+
if($_CGState)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 1 /f'
@@ -1077,28 +1079,28 @@ if($Ready)
}
elseif($DG)
{
- Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
+ Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
PrintHVCIDetails $_HVCIState
- PrintConfigCIDetails $_ConfigCIState
+ PrintConfigCIDetails $_ConfigCIState
if($_ConfigCIState -and $_HVCIState)
{
LogAndConsoleSuccess "HVCI, and Config-CI are enabled and running."
-
+
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 1 /f'
}
else
{
LogAndConsoleWarning "Not all services are running."
-
+
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 0 /f'
}
}
- else
+ else
{
- Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
-
+ Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
+
PrintCGDetails $_CGState
PrintHVCIDetails $_HVCIState
PrintConfigCIDetails $_ConfigCIState
@@ -1147,7 +1149,7 @@ if($Enable)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f'
}
- else
+ else
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f'
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f'
@@ -1158,8 +1160,8 @@ if($Enable)
{
if(!$HVCI -and !$CG)
{
- if(!$SIPolicyPath)
- {
+ if(!$SIPolicyPath)
+ {
Log "Writing Decoded SIPolicy.p7b"
$SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded)
[System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded)
@@ -1182,7 +1184,7 @@ if($Enable)
if(!$_isRedstone)
{
LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately"
- #Enable/Disable IOMMU seperately
+ #Enable/Disable IOMMU separately
ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart'
}
$CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String
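Review bot: the comment `#Enable/Disable IOMMU separately` (spelling fix aside) does not describe the line below it, which enables the `IsolatedUserMode` feature with DISM; the `LogAndConsole` message on the preceding line gets it right. Change the comment to name IsolatedUserMode, and make the same correction in the `$Disable` path later in this patch, which carries the identical comment above the matching `/disable-Feature` call.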
@@ -1251,7 +1253,7 @@ if($Disable)
if(!$_isRedstone)
{
LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately"
- #Enable/Disable IOMMU seperately
+ #Enable/Disable IOMMU separately
ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart'
}
$CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String
@@ -1270,7 +1272,7 @@ if($Disable)
}
#set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS
- #these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always
+ #these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always
#this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the message that is displayed in pre-OS
$FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random
Log "FreeDrive=$FreeDrive"
@@ -1314,7 +1316,7 @@ if($Capable)
}
$_StepCount = 1
if(!$CG)
- {
+ {
LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== "
$_StepCount++
CheckDriverCompat
@@ -1323,15 +1325,15 @@ if($Capable)
LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== "
$_StepCount++
CheckSecureBootState
-
+
if(!$HVCI -and !$DG -and !$CG)
- {
+ {
#check only if sub-options are absent
LogAndConsole " ====================== Step $_StepCount MS UEFI HSTI tests ====================== "
$_StepCount++
CheckHSTI
}
-
+
LogAndConsole " ====================== Step $_StepCount OS Architecture ====================== "
$_StepCount++
CheckOSArchitecture
@@ -1345,11 +1347,11 @@ if($Capable)
CheckVirtualization
if(!$HVCI -and !$DG)
- {
+ {
LogAndConsole " ====================== Step $_StepCount TPM version ====================== "
$_StepCount++
CheckTPM
-
+
LogAndConsole " ====================== Step $_StepCount Secure MOR ====================== "
$_StepCount++
CheckSecureMOR
@@ -1358,11 +1360,11 @@ if($Capable)
LogAndConsole " ====================== Step $_StepCount NX Protector ====================== "
$_StepCount++
CheckNXProtection
-
+
LogAndConsole " ====================== Step $_StepCount SMM Mitigation ====================== "
$_StepCount++
CheckSMMProtection
-
+
LogAndConsole " ====================== End Check ====================== "
LogAndConsole " ====================== Summary ====================== "
@@ -1371,7 +1373,6 @@ if($Capable)
}
-
# SIG # Begin signature block
## REPLACE
# SIG # End signature block
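Review bot: the script ends in a `# SIG # Begin signature block` / `# SIG # End signature block` pair whose only body is the placeholder `## REPLACE`, so the file as committed carries no Authenticode signature, and any signature that existed would in any case be invalidated by the whitespace and version-string edits in this patch. Re-sign the script before it is published, or remove the empty block and say where the signed copy comes from; this tool writes to `System32` and `HKLM` and checks that it is running as Administrator, so users should be able to verify what they are about to run elevated.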
diff --git a/windows/security/identity-protection/credential-guard/images/credguard-gp-2.png b/windows/security/identity-protection/credential-guard/images/credguard-gp-2.png
new file mode 100644
index 0000000000..ead9410405
Binary files /dev/null and b/windows/security/identity-protection/credential-guard/images/credguard-gp-2.png differ
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index a3a94da88d..916d1cf629 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -299,7 +299,7 @@ This example configures the same as example 2 using compounding And elements. T
#### Example 4
This example configures Wi-Fi as a trusted signal (Windows 10, version 1803)
```
-
+contoso12-ab-34-ff-e5-46
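Review bot: the added line `contoso12-ab-34-ff-e5-46` sits alone inside the code fence with no element markup and reads as an SSID (`contoso`) and a MAC-style BSSID (`12-ab-34-ff-e5-46`) run together. The context line above says the neighbouring examples are written as rule elements, so this fence should carry the complete Wi-Fi signal rule with the SSID and BSSID as separate values rather than a bare concatenated string, and the opening fence should name its language for consistent rendering.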
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index 6bc04cd39f..01dffaef6d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -47,7 +47,8 @@ Windows Hello provides many benefits, including:
## Where is Windows Hello data stored?
The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor.
-Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
+> [!NOTE]
+>Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
## Has Microsoft set any device requirements for Windows Hello?
We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:
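Review bot: the second line of the new callout starts `>Each sensor` while the first is `> [!NOTE]`; add the space so the blockquote renders consistently. More substantively, the paragraph moved into the note is the actual answer to "Where is Windows Hello data stored?" (per-database key encrypted to the system, AES-CBC for template data, on-sensor matching), not an aside, and demoting it to a callout buries the one security detail the reader came for. "The hash is SHA256" also names an algorithm without saying what is hashed or what role the hash plays alongside the CBC encryption; either state what it protects or drop the sentence.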
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index f42095fd31..a51e3b166f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -75,8 +75,9 @@ Sign-in the federation server with domain administrator equivalent credentials.
6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link

-8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished.
-9. Click **Enroll**.
+8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**.
+9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Repeat the same to add device registration service name (*enterpriseregistration.contoso.com*) as another alternative name. Click **OK** when finished.
+10. Click **Enroll**.
A server authentication certificate should appear in the computer’s Personal certificate store.
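Review bot: in the new step 9 the two example names are formatted differently, `(fs.corp.contoso.com)` in parentheses and `*enterpriseregistration.contoso.com*` in italics, and neither is identified as a placeholder the reader replaces with their own domain; use one convention and say both are examples. "Repeat the same to add device registration service name" should also spell out the action, that is, add a second **DNS** entry under **Alternative name** with that value, so the reader does not have to infer it from the previous sentence.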
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index 067d2d3504..3fc4c88711 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -150,7 +150,7 @@ Domain controllers automatically request a certificate from the domain controlle
7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**.
8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**.
9. Select **Enabled** from the **Configuration Model** list.
-10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
+10. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box.
11. Select the **Update certificates that use certificate templates** check box.
12. Click **OK**. Close the **Group Policy Management Editor**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md
index 7d47fb49d1..fca4b7eaa6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.md
@@ -45,7 +45,7 @@ The statement "PIN is stronger than Password" is not directed at the strength of
The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name. To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016.
## Can I use a convenience PIN with Azure AD?
-It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts. It is only supported for on-premises only Domain Joined users and local account users.
+It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts. It is only supported for on-premises Domain Joined users and local account users.
## Can I use an external camera when my laptop is closed or docked?
No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further.
@@ -64,11 +64,11 @@ The user experience for Windows Hello for Business occurs after user sign-in, af
[Windows Hello for Business user enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience)
## What happens when my user forgets their PIN?
-If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with the Fall Creators Update, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider.
+If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with Windows 10 1709, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider.
[Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience)
-For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network.
+For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network.
## What URLs do I need to allow for a hybrid deployment?
Communicating with Azure Active Directory uses the following URLs:
@@ -88,11 +88,12 @@ Windows Hello for Business has two types of PIN reset: non-destructive and destr
Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. with destructive PIN reset, users that have forgotten their PIN can authenticate using their password, perform a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
## Which is better or more secure: Key trust or Certificate trust?
-The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware backed, two-factor credential. The difference between the two trust types are:
+The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types are:
- Required domain controllers
- Issuing end entity certificates
The **key trust** model authenticates to Active Directory using a raw key. Windows Server 2016 domain controllers enables this authentication. Key trust authenticate does not require an enterprise issued certificate, therefore you do not need to issue certificates to your end users (domain controller certificates are still needed).
+
The **certificate trust** model authenticates to Active Directory using a certificate. Because this authentication uses a certificate, domain controllers running previous versions of Windows Server can authenticate the user. Therefore, you need to issue certificates to your end users, but you do not need Windows Server 2016 domain controllers. The certificate used in certificate trust uses the TPM protected private key to request a certificate from your enterprise's issuing certificate authority.
## Do I need Windows Server 2016 domain controllers?
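Review bot: in the changed line, `The difference between the two trust types are:` has a singular subject and should read `is`; and the unchanged `Key trust authenticate does not require` two lines later should be `Key trust authentication`. The blank line inserted between the key trust and certificate trust paragraphs is correct, since without it markdown merges them into one paragraph.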
@@ -102,7 +103,7 @@ There are many deployment options from which to choose. Some of those options re
Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that are sync based on scenarios. The base scenarios that include Windows Hello for Business are [Windows 10](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes.
## Is Windows Hello for Business multifactor authentication?
-Windows Hello for Business is two-factor authentication based the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
+Windows Hello for Business is two-factor authentication based on the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
## What are the biometric requirements for Windows Hello for Business?
Read [Windows Hello biometric requirements](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information.
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
index a1810a0b03..c2c8040070 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
@@ -1,6 +1,6 @@
---
title: Conditional Access
-description: Learn more about conditional access in Azure Active Directory.
+description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 0b01799ab2..33a9c450e1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -43,18 +43,20 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
### Connect Azure Active Directory with the PIN reset service
-1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
-2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.
+1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
+2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.

-3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
-4. After you log in, click **Accept** to give consent for the PIN reset client to access your account.
+3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
+4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
+
+> [!NOTE]
+> After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
+

+
5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.

->[!NOTE]
->After you Accept the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN Reset applications are listed for your tenant.
-
### Configure Windows devices to use PIN reset using Group Policy
You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
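Review bot: moving the `> [!NOTE]` block between step 4 and step 5 places a blockquote in the middle of the ordered list, and some markdown renderers end the list there and restart step 5 at 1; either keep the note after step 5 or verify the rendered numbering. While this hunk is touching step 5, the application names there (`Microsoft Pin Reset Service Production`, `Microsoft Pin Reset Client Production`) should be capitalized `PIN` to match the rest of the page.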
@@ -70,8 +72,8 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10
#### Create a PIN Reset Device configuration profile using Microsoft Intune
-1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account.
-2. You need your tenant ID to complete the following task. You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer.
+1. Sign-in to [Azure Portal](https://portal.azure.com) using a Global administrator account.
+2. You need your tenant ID to complete the following task. You can discover your tenant ID by viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a Command window on any Azure AD-joined or hybrid Azure AD-joined computer.
```
dsregcmd /status | findstr -snip "tenantid"
@@ -86,9 +88,9 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10
#### Assign the PIN Reset Device configuration profile using Microsoft Intune
-1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account.
-2. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. From the list of device configuration profiles, click the profile that contains the PIN reset configuration.
-3. In the device configuration profile, click **Assignments**.
+1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account.
+2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration.
+3. In the device configuration profile, select **Assignments**.
4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
## On-premises Deployments
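Review bot: step 1 in this hunk was changed to `Sign in to the [Azure Portal]` while step 1 of the preceding "Create a PIN Reset Device configuration profile" hunk in this same patch was changed to `Sign-in to [Azure Portal]`; the verb form is `sign in`, so use the wording from this hunk in both places. The `Click` to `Choose`/`select` substitutions here are also not applied to the earlier hunk, so the two procedures now read inconsistently.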
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
index 4cbec54f34..e91ce1f65c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
@@ -63,11 +63,11 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
| Phase | Description |
| :----: | :----------- |
-| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.|
+| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task. Note: the Automatic Device Join tasks is triggered on domain join as well as retried every hour. It does not solely depend on the user sign-in.|
|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.|
|C | For the managed environment, the task creates an initial authentication credential in the form of a self-signed certificate. The task write the certificate to the userCertificate attribute on the computer object in Active Directory using LDAP.
|D |The computer cannot authenticate to Azure DRS until a device object representing the computer that includes the certificate on the userCertificate attribute is created in Azure Active Directory. Azure AD Connect detects an attribute change. On the next synchronization cycle, Azure AD Connect sends the userCertificate, object GUID, and computer SID to Azure DRS. Azure DRS uses the attribute information to create a device object in Azure Active Directory.|
-|E | The Automatic Device Join task triggers with each user sign-in and tries to authenticate the computer to Azure Active Directory using the corresponding private key of the public key in the userCertificate attribute. Azure Active Directory authenticates the computer and issues a ID token to the computer.|
+|E | The Automatic Device Join task triggers with each user sign-in or every hour, and tries to authenticate the computer to Azure Active Directory using the corresponding private key of the public key in the userCertificate attribute. Azure Active Directory authenticates the computer and issues a ID token to the computer.|
|F | The task creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).|
|G | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then updates the device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
|H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.|
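Review bot: grammar in the sentence added to row A, "the Automatic Device Join tasks is triggered", should read "task is triggered"; and row E, which this hunk also rewrites, still says "issues a ID token" where "an ID token" is meant. Row A's note ("retried every hour") and the row E change ("or every hour") should use the same wording so it is clear both describe the same hourly retry of one task.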
@@ -78,7 +78,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
| Phase | Description |
| :----: | :----------- |
-| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.|
+| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task. Note: the Automatic Device Join tasks is triggered on domain join as well as retried every hour. It does not solely depend on the user sign-in. |
|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.|
|C | For the federated environments, the computer authenticates the enterprise device registration endpoint using Windows integrated authentication. The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated. Azure Active Directory returns an ID token to the running task.
|D | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).|
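Review bot: the same typo is repeated in the row A note added here, "the Automatic Device Join tasks is triggered" should be "task is triggered"; the federated table copies the note verbatim, so fix both occurrences in this change. The row D context line also carries "The application create a certificate request" and "signs the certificate request with using dkpriv", worth cleaning up while this table is being touched.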
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index de0d46631b..528c1b6fe8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -18,16 +18,23 @@ ms.reviewer:
# How Windows Hello for Business works
**Applies to**
+
- Windows 10
-Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
+Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
## Technical Deep Dive
+
Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the components and how they support Windows Hello for Business.
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning and authentication work.
+
+> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
+> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
+
- [Technology and Terminology](hello-how-it-works-technology.md)
- [Device Registration](hello-how-it-works-device-registration.md)
- [Provisioning](hello-how-it-works-provisioning.md)
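Review bot: the added sentence introduces two embedded videos with a single description ("provisioning and authentication"); say which video covers which topic, either in the sentence or as a short line above each embed, so a reader can pick the relevant one. The removed and added lines of the "Windows Hello for Business is a modern, two-factor credential" paragraph are textually identical, so that part of the hunk is a whitespace-only change and should be described as such in the commit message.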
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index 54e4021adc..ae11903279 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -33,6 +33,7 @@ Before adding Azure Active Directory (Azure AD) joined devices to your existing
- Certificate Revocation List (CRL) Distribution Point (CDP)
- 2016 Domain Controllers
- Domain Controller certificate
+- Network infrastructure in place to reach your on-premises domain controller. If the machines are external, this can be achieved using any VPN solution.
### Azure Active Directory Connect synchronization
Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect).
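Review bot: the added prerequisite says reaching an on-premises domain controller "can be achieved using any VPN solution", which overstates it; the requirement, as the first half of the sentence states, is network connectivity from the device to a domain controller, so phrase it as a VPN (or other network path) that provides that connectivity rather than endorsing "any VPN solution". "If the machines are external" would also be clearer as "If the devices are outside the corporate network".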
@@ -154,6 +155,9 @@ These procedures configure NTFS and share permissions on the web server to allow

9. In the **Advanced Sharing** dialog box, click **OK**.
+> [!Tip]
+> Make sure that users can access **\\\Server FQDN\sharename**.
+
#### Disable Caching
1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**.
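Review bot: the added tip uses generic placeholders, "\\\Server FQDN\sharename", while the surrounding steps work on the cdp share created in this procedure; name the actual share and, more importantly, say who must be able to access it. The hunk header says these steps set NTFS and share permissions so that the CRL can be published, so the principal that matters is the one doing the publishing, not "users" in general.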
@@ -290,6 +294,8 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted
5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**.

6. Sign out of the Microsoft Azure Portal.
+> [!NOTE]
+> After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same.
## Configure Windows Hello for Business Device Enrollment
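Review bot: the added NOTE sits after step 6 ("Sign out of the Microsoft Azure Portal") although it describes the profile saved in step 5; move it after step 5. Also add a blank line between the note and the following heading, as the other hunks in this file do, so the admonition does not run into "## Configure Windows Hello for Business Device Enrollment".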
@@ -325,6 +331,9 @@ Sign-in a workstation with access equivalent to a _domain user_.
14. Click **Save**
15. Sign-out of the Azure portal.
+> [!IMPORTANT]
+> For more details about the actual experience after everything has been configured, please see [Windows Hello for Business and Authentication](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication).
+
## Section Review
> [!div class="checklist"]
> * Configure Internet Information Services to host CRL distribution point
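Review bot: the added admonition is a see-also link rather than an action the reader must take, so [!NOTE] fits better than [!IMPORTANT]. Since hello-how-it-works-authentication.md lives in the same folder, link to it relatively, as the lists in hello-how-it-works.md do with "hello-how-it-works-technology.md", instead of the absolute docs.microsoft.com URL, which breaks in forks and local previews.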
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 54f37c9b50..1df6239643 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -644,28 +644,28 @@ Sign-in a workstation with access equivalent to a _domain user_.
3. Select **Device Configuration**, and then click **Profiles**.
4. Select **Create Profile**.

-5. Next to **Name**, type **WHFB Certificate Enrollment**.
-6. Next to **Description**, provide a description meaningful for your environment.
-7. Select **Windows 10 and later** from the **Platform** list.
-8. Select **SCEP certificate** from the **Profile** list.
- 
-9. The **SCEP Certificate** blade should open. Configure **Certificate validity period** to match your organization.
+5. Select **Windows 10 and later** from the **Platform** list.
+6. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
+7. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
+8. Next to **Description**, provide a description meaningful for your environment, then select **Next**.
+9. Select **User** as a certificate type.
+10. Configure **Certificate validity period** to match your organization.
> [!IMPORTANT]
- > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
+ > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
-10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
-11. Select **Custom** from the **Subject name format** list.
-12. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
-13. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** value.
-14. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
-15. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority.
+11. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
+12. Select **Custom** from the **Subject name format** list.
+13. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
+14. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** value.
+15. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
+16. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority.

-16. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
-17. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
+17. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
+18. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.

-18. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
-19. Click **OK**.
-20. Click **Create**.
+19. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
+20. Click **Next**.
+21. Click **Next** two more times to skip the **Scope tags** and **Assignments** steps of the wizard and click **Create**.
### Assign Group to the WHFB Certificate Enrollment Certificate Profile
Sign-in a workstation with access equivalent to a _domain user_.
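Review bot: step 21 tells the reader to skip the wizard's Scope tags and Assignments steps without saying that assignment is done in the next section, "Assign Group to the WHFB Certificate Enrollment Certificate Profile"; add that pointer so the skip does not read as leaving the profile unassigned. The removed and added [!IMPORTANT] lines in the middle of the hunk are textually identical, so that is a whitespace-only change.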
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index be3bc06968..328c9513bf 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -19,7 +19,7 @@ ms.reviewer:
# Configure Windows Hello for Business: Active Directory Federation Services
**Applies to**
-- Windows10, version 1703 or later
+- Windows 10, version 1703 or later
- Hybrid deployment
- Certificate trust
@@ -36,15 +36,14 @@ The Windows Hello for Business Authentication certificate template is configured
Sign-in the AD FS server with *Domain Admin* equivalent credentials.
1. Open a **Windows PowerShell** prompt.
-2. Type the following command
+2. Enter the following command:
```PowerShell
Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true
```
-
->[!NOTE]
-> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
+ >[!NOTE]
+ > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the preceding command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
### Group Memberships for the AD FS Service Account
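Review bot: in the re-indented NOTE, **WHFBEnrollmentAgent** is bold but WHFBAuthentication is not; bold both template names consistently. Also confirm that the one-space indent of the admonition renders as part of step 2 in this pipeline: a single leading space is normally not enough to nest a block under a numbered list item, and the PowerShell fence above it shows no indentation at all.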
@@ -66,8 +65,8 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
### Section Review
> [!div class="checklist"]
-> * Configure the registration authority
-> * Update group memberships for the AD FS service account
+> * Configure the registration authority.
+> * Update group memberships for the AD FS service account.
>
>
> [!div class="step-by-step"]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index 16c17aa3f9..7576402a17 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -16,19 +16,20 @@ localizationpriority: medium
ms.date: 10/23/2017
ms.reviewer:
---
+
# Configure Hybrid Windows Hello for Business: Directory Synchronization
**Applies to**
- Windows 10, version 1703 or later
- Hybrid deployment
-- Certificate trust
+- Key trust
## Directory Synchronization
-In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
+In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
-The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually.
+The key-trust model needs Windows Server 2016 domain controllers, which configure the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually.
> [!IMPORTANT]
> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. In this case, you should use the pre-created group KeyAdmins in step 3 of the "Group Memberships for the Azure AD Connect Service Account" section of this article.
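Review bot: changing "Certificate trust" to "Key trust" in the Applies to list contradicts the rest of this article: the file is hello-hybrid-cert-whfb-settings-dir-sync.md, the body says the certificate-trust model "requires you to add the permissions manually", and the step-by-step navigation at the end of the file links to the cert-trust Active Directory and PKI pages. Either revert this line or explain in the commit why the certificate-trust directory-synchronization page should be labelled key trust.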
@@ -45,12 +46,12 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv
6. In the **Applies to** list box, select **Descendant User objects**.
7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**.
8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCredentialLink**.
-9. Click **OK** three times to complete the task.
+9. Click **OK** three times to complete the task.
### Group Memberships for the Azure AD Connect Service Account
-The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory.
+The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory.
Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
@@ -61,12 +62,15 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account. Click **OK**.
6. Click **OK** to return to **Active Directory Users and Computers**.
+> [!NOTE]
+> If your AD forest has multiple domains, make sure you add the ADConnect sync service account (ie. MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest.
+
### Section Review
> [!div class="checklist"]
> * Configure Permissions for Key Synchronization
> * Configure group membership for Azure AD Connect
->
+>
> [!div class="step-by-step"]
> [< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md)
> [Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md)
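Review bot: in the added NOTE, "ie. MSOL_12121212" gives an example, so "e.g." is meant, and the sample account name should be marked as a placeholder. The note also names the group "Enterprise Key Admins" while the IMPORTANT note earlier in this file tells readers to use the pre-created "KeyAdmins" group; state how the two relate in the multi-domain case rather than leaving the reader to guess which one to use.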
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index c7b2eca8b7..3cb290695f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -1,6 +1,6 @@
---
title: Windows Hello for Business Key Trust New Installation
-description: Learn how to perform a hybrid key trust deployment of Windows Hello for Business, for systems with no previous installations.
+description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business, for systems with no previous installations.
keywords: identity, PIN, biometric, Hello, passport, WHFB
ms.prod: w10
ms.mktglfcycl: deploy
@@ -122,11 +122,9 @@ Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.co
>
> If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section.
-#### Azure MFA Provider
-If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant.
#### Configure Azure MFA Settings
-Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
+Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
#### Azure MFA User States
After you have completed configuring your Azure MFA settings, you want to review [How to require two-step verification for a user](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users.
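Review bot: with the "Azure MFA Provider" section removed, the unchanged context line "If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section" still points readers at a section by name; verify that a section with that title still exists after this change, or update the reference. "Configure Azure MFA Settings" now starts with a bare "Review the ... section" and could use a one-line lead-in, since the sentence that introduced it was deleted.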
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
index 0977f9b6a8..314df80eac 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
@@ -37,7 +37,7 @@ You are ready to configure device registration for your hybrid environment. Hybr
## Configure Azure for Device Registration
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
-To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/)
+To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/).
Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-manual) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.
@@ -49,7 +49,7 @@ Next, follow the guidance on the [How to configure hybrid Azure Active Directory
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
+3. [New Installation Baseline](hello-hybrid-key-new-install.md)
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. Configure Azure Device Registration (*You are here*)
6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
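Review bot: step 3 is corrected to link hello-hybrid-key-new-install.md, but steps 1 and 2 of the same "key trust deployment guide" list still link to hello-hybrid-cert-trust.md and hello-hybrid-cert-trust-prereqs.md; the key-trust prerequisites page hello-hybrid-key-trust-prereqs.md exists (it is edited later in this diff), so fix those links in the same change.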
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 016bf3f7d8..0f6cbee626 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -63,15 +63,15 @@ The Windows Hello for Business deployment depends on an enterprise public key in
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
-The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below.
+The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](https://support.microsoft.com/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca).
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
-* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name).
+* The certificate Subject section should contain the directory path of the server object (the distinguished name).
* The certificate Key Usage section must contain Digital Signature and Key Encipherment.
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
-* The certificate template must have an extension that has the BMP data value "DomainController".
+* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
* The domain controller certificate must be installed in the local computer's certificate store.
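Review bot: dropping "Optionally" from the Subject bullet turns it into a requirement but leaves "should contain", while the other requirement bullets use "must"; pick one. If the distinguished name in Subject is genuinely required for this deployment, say "must"; if it is only recommended, keep "Optionally". The Basic Constraints bullet right below it still says "Optionally ... should", so the two now read inconsistently.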
@@ -102,8 +102,8 @@ Organizations using older directory synchronization technology, such as DirSync
-## Federation with Azure ##
-You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) or [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later.
+## Federation with Azure
+You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/whatis-phs) or [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later.
> [!div class="checklist"]
> * Non-federated environments
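Review bot: only one of the two links in the rewritten paragraph was moved off the legacy path: Password Synchronization now points at `/azure/active-directory/hybrid/whatis-phs`, but the Pass-through Authentication link still uses `/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication`. If the `/connect/` pages are being retired, update both in the same change so the paragraph does not end up with one live and one redirected link. Dropping the trailing `##` from the heading is fine and matches the other headings in the file.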
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index bbe8176263..87b70bbd2c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -80,8 +80,8 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
->[!NOTE]
->The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
+> [!NOTE]
+> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
### Publish Certificate Templates to a Certificate Authority
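Review bot: the rewritten note says the certificate "must chain to a root in the NTAuth store" and that "the Active Directory Certificate Authority's root certificate is added to the NTAuth store". The NTAuth store (the NTAuthCertificates object) holds the certificate of the enterprise CA that issues the certificates; for a subordinate enterprise CA that is the issuing CA's certificate, not the root. Suggest wording the requirement around the issuing CA, e.g. "The certificate of the CA that issued the domain controller certificate must be present in the NTAuth store. Enterprise CAs publish their certificate there automatically; a third-party CA's certificate may have to be added manually." The change from ">[!NOTE]" to "> [!NOTE]" is consistent with the other fixed callouts in this PR.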
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index c9213a887f..18f6f3dbf0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -15,40 +15,42 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 10/18/2017
+ms.date: 4/16/2017
---
# Manage Windows Hello for Business in your organization
**Applies to**
-- Windows 10
+- Windows 10
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
>[!IMPORTANT]
->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
+>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
>
->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
+>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
>
>Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business.
-
+
## Group Policy settings for Windows Hello for Business
-The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
+The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
> [!NOTE]
> Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**.
-
+
Policy
+
Scope
Options
Use Windows Hello for Business
+
Computer or user
-
Not configured: Users can provision Windows Hello for Business, which encrypts their domain password.
+
Not configured: Device does not provision Windows Hello for Business for any user.
Enabled: Device provisions Windows Hello for Business using keys or certificates for all users.
Disabled: Device does not provision Windows Hello for Business for any user.
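Review bot: `ms.date` moves backwards in this hunk, from `10/18/2017` to `4/16/2017`; for an edit made in 2020 this looks like a typo for `4/16/2020`, and a date earlier than the previous one will misrepresent the article's freshness. Separately, the "Not configured" cell for "Use Windows Hello for Business" changes meaning from "Users can provision Windows Hello for Business, which encrypts their domain password" to "Device does not provision Windows Hello for Business for any user", which makes it identical to the "Disabled" cell; if that is intended, the table could say so explicitly ("Not configured: same as Disabled"). The added "Scope" column header is welcome, since the existing rows already listed a scope value without a heading.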
@@ -56,15 +58,41 @@ The following table lists the Group Policy settings that you can configure for W
Use a hardware security device
+
Computer
Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
-
Enabled: Windows Hello for Business will only be provisioned using TPM.
+
Enabled: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.
Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
+
Use certificate for on-premises authentication
+
+
Computer or user
+
+
Not configured: Windows Hello for Business enrolls a key that is used for on-premises authentication.
+
Enabled: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.
+
Disabled: Windows Hello for Business enrolls a key that is used for on-premises authentication.
+
+
+
Use PIN recovery
+
+
Computer
+
+
Added in Windows 10, version 1703
+
Not configured: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.
+
Enabled: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.
+
Disabled: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.
+
+
+For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).
+
+
+
+
Use biometrics
+
Computer
Not configured: Biometrics can be used as a gesture in place of a PIN.
Enabled: Biometrics can be used as a gesture in place of a PIN.
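Review bot: the new sentence in the "Use a hardware security device" row, "This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set", has an unclear antecedent for "them"; suggest "unless TPM 1.2 devices are explicitly excluded" and, since the MDM table in this same file documents the setting, name it: "(see ExcludeSecurityDevice/TPM12 in the MDM table)". Two smaller points in this hunk: "using ADFS" in the "Use certificate for on-premises authentication" row should be "AD FS" to match the rest of the Hello for Business docs, and the closing sentence needs a comma: "For more information about using the PIN recovery service for PIN reset, see ...".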
@@ -74,6 +102,7 @@ The following table lists the Group Policy settings that you can configure for W
PIN Complexity
Require digits
+
Computer
Not configured: Users must include a digit in their PIN.
Enabled: Users must include a digit in their PIN.
@@ -82,6 +111,7 @@ The following table lists the Group Policy settings that you can configure for W
Require lowercase letters
+
Computer
Not configured: Users cannot use lowercase letters in their PIN.
Enabled: Users must include at least one lowercase letter in their PIN.
@@ -90,6 +120,7 @@ The following table lists the Group Policy settings that you can configure for W
Maximum PIN length
+
Computer
Not configured: PIN length must be less than or equal to 127.
Enabled: PIN length must be less than or equal to the number you specify.
@@ -98,6 +129,7 @@ The following table lists the Group Policy settings that you can configure for W
Minimum PIN length
+
Computer
Not configured: PIN length must be greater than or equal to 4.
Enabled: PIN length must be greater than or equal to the number you specify.
@@ -106,6 +138,7 @@ The following table lists the Group Policy settings that you can configure for W
Expiration
+
Computer
Not configured: PIN does not expire.
Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.
@@ -114,6 +147,7 @@ The following table lists the Group Policy settings that you can configure for W
History
+
Computer
Not configured: Previous PINs are not stored.
Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused.
@@ -124,6 +158,7 @@ The following table lists the Group Policy settings that you can configure for W
Require special characters
+
Computer
Not configured: Users cannot include a special character in their PIN.
Enabled: Users must include at least one special character in their PIN.
@@ -132,6 +167,7 @@ The following table lists the Group Policy settings that you can configure for W
Require uppercase letters
+
Computer
Not configured: Users cannot include an uppercase letter in their PIN.
Enabled: Users must include at least one uppercase letter in their PIN.
@@ -139,9 +175,9 @@ The following table lists the Group Policy settings that you can configure for W
-
>Phone Sign-in
-
-
Use Phone Sign-in
+
Phone Sign-in
+
Use Phone Sign-in
+
Computer
Not currently supported.
@@ -154,7 +190,7 @@ The following table lists the Group Policy settings that you can configure for W
The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkId=692070).
>[!IMPORTANT]
->Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
+>Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
@@ -166,7 +202,7 @@ The following table lists the MDM policy settings that you can configure for Win
UsePassportForWork
-
Device
+
Device or user
True
True: Windows Hello for Business will be provisioned for all users on the device.
@@ -178,7 +214,7 @@ The following table lists the MDM policy settings that you can configure for Win
RequireSecurityDevice
-
Device
+
Device or user
False
True: Windows Hello for Business will only be provisioned using TPM.
@@ -186,6 +222,32 @@ The following table lists the MDM policy settings that you can configure for Win
+
ExcludeSecurityDevice
+
TPM12
+
Device
+
False
+
+
Added in Windows 10, version 1703
+
True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.
+
False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.
+
+
+
+
EnablePinRecovery
+
+
Device or user
+
False
+
+
Added in Windows 10, version 1703
+
True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.
+
False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.
+
+
+For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).
+
+
+
+
Biometrics
UseBiometrics
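Review bot: the two value descriptions for ExcludeSecurityDevice/TPM12 are in an awkward passive ("TPM revision 1.2 modules will be disallowed from being used with"); suggest "True: TPM 1.2 modules cannot be used with Windows Hello for Business" and "False: TPM 1.2 modules can be used with Windows Hello for Business". The same missing comma as in the Group Policy table appears here: "For more information about using the PIN recovery service for PIN reset, see ...". The new rows are also padded with many blank `+` lines; if the source is an HTML table, check the rendered output so these do not collapse into extra empty cells.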
@@ -216,19 +278,41 @@ The following table lists the MDM policy settings that you can configure for Win
Digits
Device or user
-
2
+
1
-
1: Numbers are not allowed.
-
2: At least one number is required.
+
0: Digits are allowed.
+
1: At least one digit is required.
+
2: Digits are not allowed.
Lowercase letters
Device or user
-
1
+
2
-
1: Lowercase letters are not allowed.
-
2: At least one lowercase letter is required.
+
0: Lowercase letters are allowed.
+
1: At least one lowercase letter is required.
+
2: Lowercase letters are not allowed.
+
+
+
+
Special characters
+
Device or user
+
2
+
+
0: Special characters are allowed.
+
1: At least one special character is required.
+
2: Special characters are not allowed.
+
+
+
+
Uppercase letters
+
Device or user
+
2
+
+
0: Uppercase letters are allowed.
+
1: At least one uppercase letter is required.
+
2: Uppercase letters are not allowed.
@@ -252,7 +336,7 @@ The following table lists the MDM policy settings that you can configure for Win
Device or user
0
-
Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire.
+
Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.
@@ -261,29 +345,11 @@ The following table lists the MDM policy settings that you can configure for Win
Device or user
0
-
Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.
+
Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.
-
Special characters
-
Device or user
-
1
-
-
1: Special characters are not allowed.
-
2: At least one special character is required.
-
-
-
-
Uppercase letters
-
Device or user
-
1
-
-
1: Uppercase letters are not allowed
-
2: At least one uppercase letter is required
-
-
-
Remote
UseRemotePassport
@@ -297,20 +363,53 @@ The following table lists the MDM policy settings that you can configure for Win
>[!NOTE]
-> If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN.
-
+> In Windows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN.
+
+## Policy conflicts from multiple policy sources
+
+Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device.
+
+Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. All PIN complexity policies are grouped together and enforced from a single policy source.
+
+Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies is enforced on a per policy basis.
+
+>[!NOTE]
+> Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP.
+
+>Examples
+>
+>The following are configured using computer Group Policy:
+>
+>- Use Windows Hello for Business - Enabled
+>- User certificate for on-premises authentication - Enabled
+>- Require digits - Enabled
+>- Minimum PIN length - 6
+>
+>The following are configured using device MDM Policy:
+>
+>- UsePassportForWork - Disabled
+>- UseCertificateForOnPremAuth - Disabled
+>- MinimumPINLength - 8
+>- Digits - 1
+>- LowercaseLetters - 1
+>- SpecialCharacters - 1
+>
+>Enforced policy set:
+>
+>- Use Windows Hello for Business - Enabled
+>- Use certificate for on-premises authentication - Enabled
+>- Require digits - Enabled
+>- Minimum PIN length - 6d
## How to use Windows Hello for Business with Azure Active Directory
-There are three scenarios for using Windows Hello for Business in Azure AD–only organizations:
+There are three scenarios for using Windows Hello for Business in Azure AD–only organizations:
-- **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant’s directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone.
-- **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won’t be enabled unless and until the organization’s administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered.
+- **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant's directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone.
+- **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won't be enabled unless and until the organization's administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered.
- **Organizations that have subscribed to Azure AD Premium** have access to the full set of Azure AD MDM features. These features include controls to manage Windows Hello for Business. You can set policies to disable or force the use of Windows Hello for Business, require the use of a TPM, and control the length and strength of PINs set on the device.
-If you want to use Windows Hello for Business with certificates, you’ll need a device registration system. That means that you set up Configuration Manager, Microsoft Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates.
-
-
+If you want to use Windows Hello for Business with certificates, you'll need a device registration system. That means that you set up Configuration Manager, Microsoft Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates.
## Related topics
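Review bot: two defects in the new "Policy conflicts from multiple policy sources" example. The last line of the enforced set reads "Minimum PIN length - 6d" (stray "d"), and the Group Policy list says "User certificate for on-premises authentication" where the enforced set, and the table above, say "Use certificate for on-premises authentication". The example would also be clearer if it stated the consequence of the grouping rule it illustrates: because computer Group Policy outranks device MDM and all PIN complexity settings come from one source, the MDM values for LowercaseLetters, SpecialCharacters and MinimumPINLength are not enforced at all, not merely overridden where they conflict. Minor wording: "it can result in a mixed result" could be "the enforced configuration can be a mix of both"; and "Examples" is rendered as a blockquote with no callout type, which will look like a quotation rather than a heading.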
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 24172f6859..9369ea8370 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -329,7 +329,7 @@ If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, wri
If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory.
-Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies do.
+Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies, such as [MDM automatic enrollment](https://docs.microsoft.com/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) do.
If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet.
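Review bot: the rewritten sentence needs a comma to close the parenthetical before "do": "However, some dependencies, such as [MDM automatic enrollment](...) and [Conditional Access](...), do." Adding the concrete examples is a good change; the original "some dependencies do" gave the reader nothing to check against.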
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
index d9ecb9798b..00eddf6eee 100644
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ b/windows/security/identity-protection/hello-for-business/hello-videos.md
@@ -24,14 +24,33 @@ ms.reviewer:
## Overview of Windows Hello for Business and Features
Watch Pieter Wigleven explain Windows Hello for Business, Multi-factor Unlock, and Dynamic Lock
+
> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
+## Why PIN is more secure than a password
+
+Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password.
+
+> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
+
## Microsoft's passwordless strategy
Watch Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**
> [!VIDEO https://www.youtube.com/embed/mXJS615IGLM]
+## Windows Hello for Business Provisioning
+
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works.
+
+> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
+
+## Windows Hello for Business Authentication
+
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
+
+> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
+
## Windows Hello for Business user enrollment experience
The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment.
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 375f2be134..d74bd61baa 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -21,13 +21,18 @@ ms.date: 10/23/2017
# Why a PIN is better than a password
**Applies to**
+
- Windows 10
Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
+Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password.
+
+> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
## PIN is tied to the device
+
One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
@@ -44,7 +49,7 @@ When the PIN is created, it establishes a trusted relationship with the identity
The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.
-User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised.
+User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.
The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
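Review bot: this hunk only straightens the apostrophe in "can't" and leaves "users credentials" as it was; since the line is being touched anyway, fix the possessive too: "users' credentials can't be stolen". The rest of the sentence is unchanged and correct.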
@@ -54,10 +59,11 @@ The Windows Hello for Business PIN is subject to the same set of IT management p
## What if someone steals the laptop or phone?
-To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
+To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user's biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
You can provide additional protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
**Configure BitLocker without TPM**
+
1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
**Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup**
@@ -72,7 +78,8 @@ You can provide additional protection for laptops that don't have TPM by enablin
2. Set the number of invalid logon attempts to allow, and then click OK.
## Why do you need a PIN to use biometrics?
-Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
+
+Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello.
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index a4029266dd..4e95da0531 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -143,13 +143,14 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C

3. Under **Use the following restricted mode**:
- - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Windows Defender Remote Credential Guard, choose **Prefer Windows Defender Remote Credential Guard**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
+ - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
- > **Note:** Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
+ > [!NOTE]
+ > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
- - If you want to require Windows Defender Remote Credential Guard, choose **Require Windows Defender Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic.
+ - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic.
- - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
+ - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
4. Click **OK**.
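Review bot: The option label in `choose **Require Remote Credential Guard**` drops the "Windows Defender" prefix while the same sentence and the neighbouring bullets still call the feature "Windows Defender Remote Credential Guard"; confirm the new label matches the Group Policy setting's actual text, since an exact UI string is what readers will search for. The `-`/`+` pair for the `Require Restricted Admin` bullet shows no visible textual change and appears to be whitespace only, which is fine but worth confirming was intentional.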
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index b6fab222d1..92c4d2b8c5 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -1,6 +1,6 @@
---
title: VPN connection types (Windows 10)
-description: tbd
+description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
new file mode 100644
index 0000000000..d067b5a21d
--- /dev/null
+++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
@@ -0,0 +1,676 @@
+---
+title: Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, networking
+audience: ITPro
+ms.topic: article
+author: kelleyvice-msft
+ms.localizationpriority: medium
+ms.date: 04/07/2020
+ms.reviewer:
+manager: dansimp
+ms.author: jajo
+---
+
+# Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client
+
+This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling.
+
+This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions *even when using force tunneling* in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users.
+
+> [!NOTE]
+> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration).
+
+## Solution Overview
+
+The solution is based upon the use of a VPN Configuration Service Provider Reference profile ([VPNv2 CSP](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp)) and the embedded [ProfileXML](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-profile-xsd). These are used to configure the VPN profile on the device. Various provisioning approaches can be used to create and deploy the VPN profile as discussed in the article [Step 6. Configure Windows 10 client Always On VPN connections](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files).
+
+Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune).
+
+To enable the use of force tunneling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section:
+
+```xml
+ForceTunnel
+```
+
+In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the `` section as follows:
+
+```xml
+
+ [IP addresses or subnet]
+ [IP Prefix]
+ true
+
+```
+
+Entries defined by the `[IP Addresses or Subnet]` and `[IP Prefix]` references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate `` section for each required exclusion.
+
+An example of a correctly formatted Profile XML configuration for force tunnel with exclusions is shown below:
+
+```xml
+
+
+ ForceTunnel
+
+
+ 203.0.113.0
+ 24
+ true
+
+
+ 198.51.100.0
+ 22
+ true
+
+
+```
+
+> [!NOTE]
+> The IP addresses and prefix size values in this example are used purely as examples only and should not be used.
+
+## Solution Deployment
+
+For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunneling.
+
+This can be achieved manually by adding the IP addresses defined within the *optimize* category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used.
+
+An example of a PowerShell script that can be used to update a force tunnel VPN connection with Office 365 exclusions is provided below.
+
+```powershell
+# Copyright (c) Microsoft Corporation. All rights reserved.
+#
+# THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
+# WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# IF THIS CODE AND INFORMATION IS MODIFIED, THE ENTIRE RISK OF USE OR RESULTS IN
+# CONNECTION WITH THE USE OF THIS CODE AND INFORMATION REMAINS WITH THE USER.
+
+<#
+.SYNOPSIS
+ Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 VPN profile
+.DESCRIPTION
+ Connects to the Office 365 worldwide commercial service instance endpoints to obtain the latest published IP address ranges
+ Compares the optimized IP addresses with those contained in the supplied VPN Profile (PowerShell or XML file)
+ Adds or updates IP addresses as necessary and saves the resultant file with "-NEW" appended to the file name
+.PARAMETERS
+ Filename and path for a supplied Windows 10 VPN profile file in either PowerShell or XML format
+.NOTES
+ Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later
+.VERSION
+ 1.0
+#>
+
+param (
+ [string]$VPNprofilefile
+)
+
+$usage=@"
+
+This script uses the following parameters:
+
+VPNprofilefile - The full path and name of the VPN profile PowerShell script or XML file
+
+EXAMPLES
+
+To check a VPN profile PowerShell script file:
+
+Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF POWERSHELL SCRIPT FILE]
+
+To check a VPN profile XML file:
+
+Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF XML FILE]
+
+"@
+
+# Check if filename has been provided #
+if ($VPNprofilefile -eq "")
+{
+ Write-Host "`nWARNING: You must specify either a PowerShell script or XML filename!" -ForegroundColor Red
+
+ $usage
+ exit
+}
+
+$FileExtension = [System.IO.Path]::GetExtension($VPNprofilefile)
+
+# Check if XML file exists and is a valid XML file #
+if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
+{
+ if ( Test-Path $VPNprofilefile )
+ {
+ $xml = New-Object System.Xml.XmlDocument
+ try
+ {
+ $xml.Load((Get-ChildItem -Path $VPNprofilefile).FullName)
+
+ }
+ catch [System.Xml.XmlException]
+ {
+ Write-Verbose "$VPNprofilefile : $($_.toString())"
+ Write-Host "`nWARNING: The VPN profile XML file is not a valid xml file or incorrectly formatted!" -ForegroundColor Red
+ $usage
+ exit
+ }
+ }else
+ {
+ Write-Host "`nWARNING: VPN profile XML file does not exist or cannot be found!" -ForegroundColor Red
+ $usage
+ exit
+ }
+}
+
+# Check if VPN profile PowerShell script file exists and contains a VPNPROFILE XML section #
+if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".ps1")
+{
+ if ( (Test-Path $VPNprofilefile) )
+ {
+ if (-Not $(Select-String -Path $VPNprofilefile -Pattern "") )
+ {
+ Write-Host "`nWARNING: PowerShell script file does not contain a valid VPN profile XML section or is incorrectly formatted!" -ForegroundColor Red
+ $usage
+ exit
+ }
+ }else
+ {
+ Write-Host "`nWARNING: PowerShell script file does not exist or cannot be found!"-ForegroundColor Red
+ $usage
+ exit
+ }
+}
+
+# Define Office 365 endpoints and service URLs #
+$ws = "https://endpoints.office.com"
+$baseServiceUrl = "https://endpoints.office.com"
+
+# Path where client ID and latest version number will be stored #
+$datapath = $Env:TEMP + "\endpoints_clientid_latestversion.txt"
+
+# Fetch client ID and version if data file exists; otherwise create new file #
+if (Test-Path $datapath)
+{
+ $content = Get-Content $datapath
+ $clientRequestId = $content[0]
+ $lastVersion = $content[1]
+
+}else
+{
+ $clientRequestId = [GUID]::NewGuid().Guid
+ $lastVersion = "0000000000"
+ @($clientRequestId, $lastVersion) | Out-File $datapath
+}
+
+# Call version method to check the latest version, and pull new data if version number is different #
+$version = Invoke-RestMethod -Uri ($ws + "/version?clientRequestId=" + $clientRequestId)
+
+if ($version[0].latest -gt $lastVersion)
+{
+
+ Write-Host
+ Write-Host "A new version of Office 365 worldwide commercial service instance endpoints has been detected!" -ForegroundColor Cyan
+
+ # Write the new version number to the data file #
+ @($clientRequestId, $version[0].latest) | Out-File $datapath
+}
+
+# Invoke endpoints method to get the new data #
+$uri = "$baseServiceUrl" + "/endpoints/worldwide?clientRequestId=$clientRequestId"
+
+# Invoke endpoints method to get the data for the VPN profile comparison #
+$endpointSets = Invoke-RestMethod -Uri ($uri)
+$Optimize = $endpointSets | Where-Object { $_.category -eq "Optimize" }
+$optimizeIpsv4 = $Optimize.ips | Where-Object { ($_).contains(".") } | Sort-Object -Unique
+
+# Temporarily include additional IP address until Teams client update is released
+$optimizeIpsv4 += "13.107.60.1/32"
+
+# Process PowerShell script file start #
+if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1")
+{
+ Write-host "`nStarting PowerShell script exclusion route check...`n" -ForegroundColor Cyan
+
+ # Clear Variables to allow re-run testing #
+
+ $ARRVPN=$null # Array to hold VPN addresses from VPN profile PowerShell file #
+ $In_Opt_Only=$null # Variable to hold IP addresses that only appear in the optimize list #
+ $In_VPN_Only=$null # Variable to hold IP addresses that only appear in the VPN profile PowerShell file #
+
+ # Extract the Profile XML from the ps1 file #
+
+ $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*'
+
+ # Create xml format variable to compare with the optimize list #
+
+ $xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1'
+ [xml]$VPNprofilexml=""+$xmlbody+""
+
+ # Loop through each address found in VPNPROFILE XML section #
+ foreach ($Route in $VPNprofilexml.VPNProfile.Route)
+ {
+ $VPNIP=$Route.Address+"/"+$Route.PrefixSize
+ [array]$ARRVPN=$ARRVPN+$VPNIP
+ }
+
+ # In optimize address list only #
+ $In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_}
+
+ # In VPN list only #
+ $In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_}
+ [array]$Inpfile = get-content $VPNprofilefile
+
+ if ($In_Opt_Only.Count -gt 0 )
+ {
+ Write-Host "Exclusion route IP addresses are unknown, missing, or need to be updated in the VPN profile`n" -ForegroundColor Red
+
+ [int32]$insline=0
+
+ for ($i=0; $i -lt $Inpfile.count; $i++)
+ {
+ if ($Inpfile[$i] -match "")
+ {
+ $insline += $i # Record the position of the line after the NativeProfile section ends #
+ }
+ }
+ $OFS = "`r`n"
+ foreach ($NewIP in $In_Opt_Only)
+ {
+ # Add the missing IP address(es) #
+ $IPInfo=$NewIP.Split("/")
+ $InpFile[$insline] += $OFS+" "
+ $InpFile[$insline] += $OFS+" "+$IPInfo[0].Trim()+""
+ $InpFile[$insline] += $OFS+" "+$IPInfo[1].Trim()+""
+ $InpFile[$insline] += $OFS+" true"
+ $InpFile[$insline] += $OFS+" "
+ }
+ # Update fileName and write new PowerShell file #
+ $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.ps1"
+ $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName
+ $InpFile | Set-Content $OutFile
+ Write-Host "Exclusion routes have been added to VPN profile and output to a separate PowerShell script file; the original file has not been modified`n" -ForegroundColor Green
+ }else
+ {
+ Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -ForegroundColor Green
+ $OutFile=$VPNprofilefile
+ }
+
+if ( $In_VPN_Only.Count -gt 0 )
+{
+ Write-Host "Unknown exclusion route IP addresses have been found in the VPN profile`n" -ForegroundColor Yellow
+
+ foreach ($OldIP in $In_VPN_Only)
+ {
+ [array]$Inpfile = get-content $Outfile
+ $IPInfo=$OldIP.Split("/")
+ Write-Host "Unknown exclusion route IP address"$IPInfo[0]"has been found in the VPN profile - Do you wish to remove it? (Y/N)`n" -ForegroundColor Yellow
+ $matchstr=""+$IPInfo[0].Trim()+""
+ $DelAns=Read-host
+ if ($DelAns.ToUpper() -eq "Y")
+ {
+ [int32]$insline=0
+ for ($i=0; $i -lt $Inpfile.count; $i++)
+ {
+ if ($Inpfile[$i] -match $matchstr)
+ {
+ $insline += $i # Record the position of the line for the string match #
+ }
+ }
+ # Remove entries from XML #
+ $InpFile[$insline-1]="REMOVETHISLINE"
+ $InpFile[$insline]="REMOVETHISLINE"
+ $InpFile[$insline+1]="REMOVETHISLINE"
+ $InpFile[$insline+2]="REMOVETHISLINE"
+ $InpFile[$insline+3]="REMOVETHISLINE"
+ $InpFile=$InpFile | Where-Object {$_ -ne "REMOVETHISLINE"}
+
+ # Update filename and write new PowerShell file #
+ $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml"
+ $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName
+ $Inpfile | Set-content $OutFile
+ Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate PowerShell script file; the original file has not been modified`n" -ForegroundColor Green
+
+ }else
+ {
+ Write-Host "`nExclusion route IP address has *NOT* been removed from the VPN profile`n" -ForegroundColor Green
+ }
+ }
+ }
+}
+
+# Process XML file start #
+if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
+{
+ Write-host "`nStarting XML file exclusion route check...`n" -ForegroundColor Cyan
+
+ # Clear variables to allow re-run testing #
+ $ARRVPN=$null # Array to hold VPN addresses from the XML file #
+ $In_Opt_Only=$null # Variable to hold IP Addresses that only appear in optimize list #
+ $In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file #
+
+ # Extract the Profile XML from the XML file #
+ $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*'
+
+ # Create xml format variable to compare with optimize list #
+ $xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1'
+ [xml]$VPNRulesxml="$xmlbody"
+
+ # Loop through each address found in VPNPROFILE file #
+ foreach ($Route in $VPNRulesxml.VPNProfile.Route)
+ {
+ $VPNIP=$Route.Address+"/"+$Route.PrefixSize
+ [array]$ARRVPN=$ARRVPN+$VPNIP
+ }
+
+ # In optimize address list only #
+ $In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_}
+
+ # In VPN list only #
+ $In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_}
+ [System.Collections.ArrayList]$Inpfile = get-content $VPNprofilefile
+
+ if ($In_Opt_Only.Count -gt 0 )
+ {
+ Write-Host "Exclusion route IP addresses are unknown, missing, or need to be updated in the VPN profile`n" -ForegroundColor Red
+
+ foreach ($NewIP in $In_Opt_Only)
+ {
+ # Add the missing IP address(es) #
+ $IPInfo=$NewIP.Split("/")
+ $routes += "`n"+"`t"+$IPInfo[0].Trim()+"`n"+"`t"+$IPInfo[1].Trim()+"`n"+"`ttrue`n"+"`n"
+ }
+ $inspoint = $Inpfile.IndexOf("")
+ $Inpfile.Insert($inspoint,$routes)
+
+ # Update filename and write new XML file #
+ $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml"
+ $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName
+ $InpFile | Set-Content $OutFile
+ Write-Host "Exclusion routes have been added to VPN profile and output to a separate XML file; the original file has not been modified`n`n" -ForegroundColor Green
+
+ }else
+ {
+ Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -ForegroundColor Green
+ $OutFile=$VPNprofilefile
+ }
+
+ if ( $In_VPN_Only.Count -gt 0 )
+ {
+ Write-Host "Unknown exclusion route IP addresses found in the VPN profile`n" -ForegroundColor Yellow
+
+ foreach ($OldIP in $In_VPN_Only)
+ {
+ [array]$Inpfile = get-content $OutFile
+ $IPInfo=$OldIP.Split("/")
+ Write-Host "Unknown exclusion route IP address"$IPInfo[0]"has been found in the VPN profile - Do you wish to remove it? (Y/N)`n" -ForegroundColor Yellow
+ $matchstr=""+""+$IPInfo[0].Trim()+""+""+$IPInfo[1].Trim()+""+"true"+""
+ $DelAns=Read-host
+ if ($DelAns.ToUpper() -eq "Y")
+ {
+ # Remove unknown IP address(es) #
+ $inspoint = $Inpfile[0].IndexOf($matchstr)
+ $Inpfile[0] = $Inpfile[0].Replace($matchstr,"")
+
+ # Update filename and write new XML file #
+ $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml"
+ $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName
+ $Inpfile | Set-content $OutFile
+ Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate XML file; the original file has not been modified`n" -ForegroundColor Green
+
+ }else
+ {
+ Write-Host "`nExclusion route IP address has *NOT* been removed from the VPN profile`n" -ForegroundColor Green
+ }
+ }
+ }
+}
+```
+
+## Version Support
+
+This solution is supported with the following versions of Windows:
+
+- Windows 10 1903/1909 and newer: Included, no action needed
+- Windows 10 1809: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481)
+- Windows 10 1803: At least [KB4493437](https://support.microsoft.com/help/4493437/windows-10-update-kb4493437)
+- Windows 10 1709 and lower: Exclusion routes are not supported
+
+- Windows 10 Enterprise 2019 LTSC: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481)
+- Windows 10 Enterprise 2016 LTSC: Exclusion routes are not supported
+- Windows 10 Enterprise 2015 LTSC: Exclusion routes are not supported
+
+Microsoft strongly recommends that the latest available Windows 10 cumulative update always be applied.
+
+## Other Considerations
+
+You should also be able to adapt this approach to include necessary exclusions for other cloud-services that can be defined by known/static IP addresses; exclusions required for [Cisco WebEx](https://help.webex.com/WBX000028782/Network-Requirements-for-Webex-Teams-Services) or [Zoom](https://support.zoom.us/hc/en-us/articles/201362683) are good examples.
+
+## Examples
+
+An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial PowerShell script:
+
+```powershell
+# Copyright (c) Microsoft Corporation. All rights reserved.
+#
+# THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
+# WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# IF THIS CODE AND INFORMATION IS MODIFIED, THE ENTIRE RISK OF USE OR RESULTS IN
+# CONNECTION WITH THE USE OF THIS CODE AND INFORMATION REMAINS WITH THE USER.
+
+<#
+.SYNOPSIS
+ Configures an AlwaysOn IKEv2 VPN Connection using a basic script
+.DESCRIPTION
+ Configures an AlwaysOn IKEv2 VPN Connection with proxy PAC information and force tunneling
+.PARAMETERS
+ Parameters are defined in a ProfileXML object within the script itself
+.NOTES
+ Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later
+.VERSION
+ 1.0
+#>
+
+<#-- Define Key VPN Profile Parameters --#>
+$ProfileName = 'Contoso VPN with Office 365 Exclusions'
+$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
+
+<#-- Define VPN ProfileXML --#>
+$ProfileXML = '
+ true
+ corp.contoso.com
+ true
+ corp.contoso.com
+
+ edge1.contoso.com
+ ForceTunnel
+ IKEv2
+
+ Certificate
+
+
+
+ 13.107.6.152
+ 31
+ true
+
+
+ 13.107.18.10
+ 31
+ true
+
+
+ 13.107.128.0
+ 22
+ true
+
+
+ 23.103.160.0
+ 20
+ true
+
+
+ 40.96.0.0
+ 13
+ true
+
+
+ 40.104.0.0
+ 15
+ true
+
+
+ 52.96.0.0
+ 14
+ true
+
+
+ 131.253.33.215
+ 32
+ true
+
+
+ 132.245.0.0
+ 16
+ true
+
+
+ 150.171.32.0
+ 22
+ true
+
+
+ 191.234.140.0
+ 22
+ true
+
+
+ 204.79.197.215
+ 32
+ true
+
+
+ 13.107.136.0
+ 22
+ true
+
+
+ 40.108.128.0
+ 17
+ true
+
+
+ 52.104.0.0
+ 14
+ true
+
+
+ 104.146.128.0
+ 17
+ true
+
+
+ 150.171.40.0
+ 22
+ true
+
+
+ 13.107.60.1
+ 32
+ true
+
+
+ 13.107.64.0
+ 18
+ true
+
+
+ 52.112.0.0
+ 14
+ true
+
+
+ 52.120.0.0
+ 14
+ true
+
+
+ http://webproxy.corp.contoso.com/proxy.pac
+
+'
+
+<#-- Convert ProfileXML to Escaped Format --#>
+$ProfileXML = $ProfileXML -replace '<', '<'
+$ProfileXML = $ProfileXML -replace '>', '>'
+$ProfileXML = $ProfileXML -replace '"', '"'
+
+<#-- Define WMI-to-CSP Bridge Properties --#>
+$nodeCSPURI = './Vendor/MSFT/VPNv2'
+$namespaceName = "root\cimv2\mdm\dmmap"
+$className = "MDM_VPNv2_01"
+
+<#-- Define WMI Session --#>
+$session = New-CimSession
+
+<#-- Detect and Delete Previous VPN Profile --#>
+try
+{
+ $deleteInstances = $session.EnumerateInstances($namespaceName, $className, $options)
+ foreach ($deleteInstance in $deleteInstances)
+ {
+ $InstanceId = $deleteInstance.InstanceID
+ if ("$InstanceId" -eq "$ProfileNameEscaped")
+ {
+ $session.DeleteInstance($namespaceName, $deleteInstance, $options)
+ $Message = "Removed $ProfileName profile $InstanceId"
+ Write-Host "$Message"
+ } else {
+ $Message = "Ignoring existing VPN profile $InstanceId"
+ Write-Host "$Message"
+ }
+ }
+}
+catch [Exception]
+{
+ $Message = "Unable to remove existing outdated instance(s) of $ProfileName profile: $_"
+ Write-Host "$Message"
+ exit
+}
+
+<#-- Create VPN Profile --#>
+try
+{
+ $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
+ $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key')
+ $newInstance.CimInstanceProperties.Add($property)
+ $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key')
+ $newInstance.CimInstanceProperties.Add($property)
+ $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property')
+ $newInstance.CimInstanceProperties.Add($property)
+
+ $session.CreateInstance($namespaceName, $newInstance, $options)
+ $Message = "Created $ProfileName profile."
+ Write-Host "$Message"
+ Write-Host "$ProfileName profile summary:"
+ $session.EnumerateInstances($namespaceName, $className, $options)
+}
+catch [Exception]
+{
+ $Message = "Unable to create $ProfileName profile: $_"
+ Write-Host "$Message"
+ exit
+}
+
+$Message = "Script Complete"
+Write-Host "$Message"
+
+```
+
+An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file.
+
+>[!NOTE]
+>This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace.
+
+```xml
+truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate13.107.6.15231true13.107.18.1031true13.107.128.022true23.103.160.020true40.96.0.013true40.104.0.015true52.96.0.014true131.253.33.21532true132.245.0.016true150.171.32.022true191.234.140.022true204.79.197.21532true13.107.136.022true40.108.128.017true52.104.0.014true104.146.128.017true150.171.40.022true13.107.60.132true13.107.64.018true52.112.0.014true52.120.0.014truehttp://webproxy.corp.contoso.com/proxy.pac
+```
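Review bot: In the PowerShell-script branch of the update script, the removal path under `# Update filename and write new PowerShell file #` sets `$NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml"`, while the add path in the same branch uses `"-NEW.ps1"` and the following message says the result was output to a separate PowerShell script file; change the suffix to `"-NEW.ps1"` so the generated script is not written with an `.xml` extension. Smaller points in the same file: the front matter still carries `description: tbd`, the very placeholder the previous hunk replaces in vpn-connection-type.md; `if ($version[0].latest -gt $lastVersion)` compares two strings (the value read back from the data file is text), so the check only behaves as a numeric comparison while both values keep the same width; and the two `Invoke-RestMethod` calls have no error handling, so a failed request is not reported, the comparison then runs against an optimize list containing only the hard-coded `13.107.60.1/32`, and every existing exclusion in the profile is reported as unknown and offered for removal. Because each route this script adds deliberately bypasses the VPN and the security gateways behind it, the prose around "the original file has not been modified" would benefit from one sentence recommending that the generated `-NEW` file be reviewed before it is deployed.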
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index 18e7b41ec9..0ac0b47d38 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -16,8 +16,8 @@ ms.author: dansimp
# VPN security features
**Applies to**
-- Windows 10
-- Windows 10 Mobile
+- Windows 10
+- Windows 10 Mobile
## LockDown VPN
@@ -29,53 +29,52 @@ A VPN profile configured with LockDown secures the device to only allow network
- The user cannot delete or modify the VPN profile.
- The VPN LockDown profile uses forced tunnel connection.
- If the VPN connection is not available, outbound network traffic is blocked.
-- Only one VPN LockDown profile is allowed on a device.
+- Only one VPN LockDown profile is allowed on a device.
->[!NOTE]
->For built-in VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.
-
-Deploy this feature with caution as the resultant connection will not be able to send or receive any network traffic without the VPN being connected.
+> [!NOTE]
+> For built-in VPN, LockDown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.
+Deploy this feature with caution, as the resultant connection will not be able to send or receive any network traffic without the VPN being connected.
## Windows Information Protection (WIP) integration with VPN
-Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally.
+Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices, without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally.
-The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include:
+The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp) allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include:
- Core functionality: File encryption and file access blocking
- UX policy enforcement: Restricting copy/paste, drag/drop, and sharing operations
- WIP network policy enforcement: Protecting intranet resources over the corporate network and VPN
- Network policy enforcement: Protecting SMB and Internet cloud resources over the corporate network and VPN
-The value of the **EdpModeId** is an Enterprise ID. The networking stack will look for this ID in the app token to determine whether VPN should be triggered for that particular app.
+The value of the **EdpModeId** is an Enterprise ID. The networking stack will look for this ID in the app token to determine whether VPN should be triggered for that particular app.
Additionally, when connecting with WIP, the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced configuration is needed) because the WIP policies and App lists automatically take effect.
[Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip)
-## Traffic filters
+## Traffic Filters
-Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy. Network admins to effectively add interface specific firewall rules on the VPN Interface.There are two types of Traffic Filter rules:
+Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy. Network admins can use Traffic Filters to effectively add interface specific firewall rules on the VPN Interface. There are two types of Traffic Filter rules:
-- App-based rules. With app-based rules, a list of applications can be marked such that only traffic originating from these apps is allowed to go over the VPN interface.
-- Traffic-based rules. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified such that only traffic matching these rules is allowed to go over the VPN interface.
+- App-based rules. With app-based rules, a list of applications can be marked to allow only traffic originating from these apps to go over the VPN interface.
+- Traffic-based rules. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified to allow only traffic matching these rules to go over the VPN interface.
-There can be many sets of rules which are linked by OR. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by AND. In addition, these rules can be applied at a per-app level or a per-device level.
+There can be many sets of rules which are linked by OR. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by AND. In addition, these rules can be applied at a per-app level or a per-device level.
-For example, an admin could define rules that specify:
+For example, an admin could define rules that specify:
-- The Contoso HR App must be allowed to go through the VPN and only access port 4545.
-- The Contoso finance apps is allowed to go over the VPN and only access the Remote IP ranges of 10.10.0.40 - 10.10.0.201 on port 5889.
-- All other apps on the device should be able to access only ports 80 or 443.
+- The Contoso HR App must be allowed to go through the VPN and only access port 4545.
+- The Contoso finance apps are allowed to go over the VPN and only access the Remote IP ranges of 10.10.0.40 - 10.10.0.201 on port 5889.
+- All other apps on the device should be able to access only ports 80 or 443.
## Configure traffic filters
-See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp) for XML configuration.
-The following image shows the interface to configure traffic rules in a VPN Profile configuration policy using Microsoft Intune.
+The following image shows the interface to configure traffic rules in a VPN Profile configuration policy, using Microsoft Intune.

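Review bot: the added line "Traffic-based rules are 5-tuple policies (ports, addresses, protocol)" names only three of the five elements; spell out the tuple (source address, destination address, source port, destination port, protocol) so readers know the rule matches both ends of the connection, which matters when the example below restricts finance apps to "Remote IP ranges of 10.10.0.40 - 10.10.0.201 on port 5889". The third example rule, "All other apps on the device should be able to access only ports 80 or 443", is the broadest set and would benefit from stating that it is evaluated with OR against the two app-specific sets described two paragraphs earlier, so an app not in the HR or finance lists is still confined to 80/443.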
diff --git a/windows/security/index.yml b/windows/security/index.yml
index ca0486b130..d7b6fbe5a3 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -1,80 +1,38 @@
-### YamlMime:YamlDocument
+### YamlMime:Hub
-documentType: LandingData
-
-title: Windows 10 Enterprise Security
+title: Windows 10 Enterprise Security # < 60 chars
+summary: Secure corporate data and manage risk. # < 160 chars
+# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-bi | power-platform | sql | sql-server | vs | visual-studio | windows | xamarin
+brand: windows
metadata:
-
- document_id:
-
- title: Windows 10 Enterprise Security
-
- description: Learn about enterprise-grade security features for Windows 10.
-
- keywords: protect, company, data, Windows, device, app, management, Microsoft365, e5, e3
-
+ title: Windows 10 Enterprise Security # Required; page title displayed in search results. Include the brand. < 60 chars.
+ description: Learn about enterprise-grade security features for Windows 10. # Required; article description that is displayed in search results. < 160 chars.
+ services: windows
+ ms.product: windows
+ ms.topic: hub-page # Required
+ ms.collection: M365-security-compliance # Optional; Remove if no collection is used.
+ author: danihalfin #Required; your GitHub user alias, with correct capitalization.
+ ms.author: daniha #Required; microsoft alias of author; optional team alias.
+ ms.date: 01/08/2018 #Required; mm/dd/yyyy format.
ms.localizationpriority: high
- author: brianlic-msft
-
- ms.author: brianlic
-
- manager: brianlic
-
- ms.date: 08/01/2018
-
- ms.topic: article
-
- ms.devlang: na
-
-sections:
-
-- items:
-
- - type: markdown
-
- text: Secure corporate data and manage risk.
-
-- items:
-
- - type: list
-
- style: cards
-
- className: cardsM
-
- columns: 3
-
- items:
-
- - href: \windows\security\identity-protection\
-
- html:
Deploy secure enterprise-grade authentication and access control to protect accounts and data
Identify and secure critical data to prevent data loss
-
- image:
-
- src: https://docs.microsoft.com/media/common/i_information-protection.svg
-
- title: Information protection
-
+# productDirectory section (optional)
+productDirectory:
+ items:
+ # Card
+ - title: Identity and access management
+ # imageSrc should be square in ratio with no whitespace
+ imageSrc: https://docs.microsoft.com/media/common/i_identity-protection.svg
+ summary: Deploy secure enterprise-grade authentication and access control to protect accounts and data
+ url: ./identity-protection/index.md
+ # Card
+ - title: Threat protection
+ imageSrc: https://docs.microsoft.com/media/common/i_threat-protection.svg
+ summary: Stop cyberthreats and quickly identify and respond to breaches
+ url: ./threat-protection/index.md
+ # Card
+ - title: Information protection
+ imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg
+ summary: Identify and secure critical data to prevent data loss
+ url: ./information-protection/index.md
\ No newline at end of file
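Review bot: `ms.date` goes from `08/01/2018` in the removed metadata to `01/08/2018` in the added block, which is an earlier date even though the entire file is being rewritten; set it to the date of this change. The template scaffolding comments left in the added lines (`# brand: aspnet | azure | dotnet | ... | xamarin`, `# < 60 chars`, `#Required; your GitHub user alias, with correct capitalization.`) should be removed before merge, and the file now ends without a trailing newline ("\ No newline at end of file"), which most linters flag.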
diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md
index c3c19ee400..6d79db4dc3 100644
--- a/windows/security/information-protection/TOC.md
+++ b/windows/security/information-protection/TOC.md
@@ -38,7 +38,7 @@
## [Encrypted Hard Drive](encrypted-hard-drive.md)
-## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)
+## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)
## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
### [Create a WIP policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md)
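Review bot: this TOC entry keeps the link text "Kernel DMA Protection for Thunderbolt™ 3" while the same patch renames that article's H1 and `title:` to "Kernel DMA Protection" (see the kernel-dma-protection-for-thunderbolt.md hunks further down); update the link text to match. As rendered, the removed and added lines are identical, so if this is only an encoding or whitespace fix for the trademark character, a note in the commit message would save reviewers a byte-level comparison.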
@@ -47,8 +47,8 @@
##### [Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
#### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
#### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md)
-### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md)
-#### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
+### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-configmgr.md)
+#### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-configmgr.md)
#### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
#### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md)
### [Mandatory tasks and settings required to turn on WIP](windows-information-protection\mandatory-settings-for-wip.md)
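Review bot: the two updated entries now point at `overview-create-wip-policy-configmgr.md` and `create-wip-policy-using-configmgr.md`, but only the rename of `create-wip-policy-using-sccm.md` to `create-wip-policy-using-configmgr.md` is visible in this patch; confirm that the overview file is renamed in the same change (and that redirects exist for the old `-sccm.md` URLs), otherwise the first link is broken at merge.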
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 406d096165..96fc9bd8c2 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -457,7 +457,7 @@ Checking BitLocker status with the control panel is the most common method used
| **Suspended** | BitLocker is suspended and not actively protecting the volume |
| **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected|
-If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on volume E. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
+If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume.
The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 09d6973301..436ef15fe7 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -1882,7 +1882,7 @@ This policy controls how BitLocker-enabled system volumes are handled in conjunc
Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8.
When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker.
->**Warning:** Enabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates.
+>**Warning:** Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates.
### Provide the unique identifiers for your organization
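Review bot: switching "Enabling" to "Disabling" makes the warning agree with its own second sentence ("If you disable this policy, suspend BitLocker prior to applying firmware updates"), which the old wording contradicted. Consider adding the reason in the same line, since the context above already says Secure Boot gives more flexibility than the earlier integrity checks: "...because BitLocker then falls back to the pre-Windows 8 integrity checks, which a firmware update can invalidate."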
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 56c13ecbbe..a7a7e7fce7 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -80,7 +80,9 @@ The server side configuration to enable Network Unlock also requires provisionin
1. The Windows boot manager detects that a Network Unlock protector exists in the BitLocker configuration.
2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address.
-3. The client computer broadcasts a vendor-specific DHCP request that contains the Network Key (a 256-bit intermediate key) and an AES-256 session key for the reply. Both of these keys are encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server.
+3. The client computer broadcasts a vendor-specific DHCP request that contains:
+ 1. A Network Key (a 256-bit intermediate key) encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server.
+ 2. An AES-256 session key for the reply.
4. The Network Unlock provider on the WDS server recognizes the vendor-specific request.
5. The provider decrypts it with the WDS server’s BitLocker Network Unlock certificate RSA private key.
6. The WDS provider then returns the network key encrypted with the session key using its own vendor-specific DHCP reply to the client computer. This forms an intermediate key.
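Review bot: the new sub-item "2. An AES-256 session key for the reply." drops the statement from the removed line that *both* keys are encrypted with the WDS server's 2048-bit RSA public key, so as written the session key appears to travel in the clear inside a broadcast DHCP request. Because step 6 returns the network key encrypted only with that session key, a plaintext session key would let anyone on the segment recover the network key, which is the opposite of what the protocol is for. Suggest: "2. An AES-256 session key for the reply, also encrypted with the same RSA public key." Step 5 ("The provider decrypts it with the WDS server's BitLocker Network Unlock certificate RSA private key") already presumes both parts are RSA-protected.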
diff --git a/windows/security/information-protection/bitlocker/images/sccm-imageconfig.jpg b/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/sccm-imageconfig.jpg
rename to windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
index 2f83a67ca2..18236c1ddf 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
@@ -111,7 +111,7 @@ list volume
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
-
+
#### Step 2: Verify the status of WinRE
@@ -171,7 +171,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes
You receive an error message that resembles the following:
-> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable ‘SecureBoot’ could not be read. A required privilege is not held by the client.
+> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client.
### Cause
diff --git a/windows/security/information-protection/images/device_details_tab_1903.png b/windows/security/information-protection/images/device_details_tab_1903.png
new file mode 100644
index 0000000000..beb0337379
Binary files /dev/null and b/windows/security/information-protection/images/device_details_tab_1903.png differ
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 5474e7faf1..b36af3f717 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -1,5 +1,5 @@
---
-title: Kernel DMA Protection for Thunderbolt™ 3 (Windows 10)
+title: Kernel DMA Protection (Windows 10)
description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
ms.prod: w10
ms.mktglfcycl: deploy
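Review bot: `title:` is broadened to "Kernel DMA Protection", but the `description:` on the next line still says the feature protects against PCI hot plug devices "connected to Thunderbolt™ 3 ports"; update it to the new scope (externally accessible PCIe ports such as Thunderbolt™ 3 and CFexpress, plus internal PCIe ports per the 1903 sentence added later in this file), since the description is what search results show.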
@@ -15,17 +15,18 @@ ms.date: 03/26/2019
ms.reviewer:
---
-# Kernel DMA Protection for Thunderbolt™ 3
+# Kernel DMA Protection
**Applies to**
- Windows 10
-In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
+In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (e.g., Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (e.g., M.2 slots)
+
Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely.
This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
-For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to [Intel Thunderbolt™ 3 Security documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf).
+For Thunderbolt DMA protection on earlier Windows versions and platforms that lack support for Kernel DMA Protection, please refer to [Intel Thunderbolt™ 3 Security documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf).
## Background
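Review bot: the added sentence "In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (e.g., M.2 slots)" is missing its terminal period. The sentence two lines later, "This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.", is untouched context and still reads correctly against the wider scope, so no further change is needed there.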
@@ -33,9 +34,10 @@ PCI devices are DMA-capable, which allows them to read and write to system memor
The DMA capability is what makes PCI devices the highest performing devices available today.
These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard.
Access to these devices required the user to turn off power to the system and disassemble the chassis.
-Today, this is no longer the case with Thunderbolt™.
-Thunderbolt™ technology has provided modern PCs with extensibility that was not available before for PCs.
+Today, this is no longer the case with hot plug PCIe ports (e.g., Thunderbolt™ and CFexpress).
+
+Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that was not available before for PCs.
It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB.
Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks.
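Review bot: "Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility" mixes "ports" with "technology"; suggest "Hot plug PCIe ports such as Thunderbolt™ have given modern PCs extensibility that was not available before." The unchanged next line, "It allows users to attach new classes of external peripherals...", then needs a plural subject ("They allow users...") to match.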
@@ -45,15 +47,15 @@ A simple example would be a PC owner leaves the PC for a quick coffee break, and
## How Windows protects against DMA drive-by attacks
Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA-remapping).
-Peripherals with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions.
-By default, peripherals with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen.
+Peripherals with [DMA Remapping compatible drivers](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers) will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions.
+
+By default, peripherals with DMA Remapping incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. IT administrators can modify the default behavior applied to devices with DMA Remapping incompatible drivers using the [DmaGuard MDM policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies).
## User experience

-A peripheral that is incompatible with DMA-remapping will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked.
-Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged.
+By default, peripherals with DMA remapping compatible device drivers will be automatically enumerated and started. Peripherals with DMA Remapping incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged.
The peripheral will continue to function normally if the user locks the screen or logs out of the system.
## System compatibility
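Review bot: the first context line of this hunk still says Windows uses the IOMMU "to block external peripherals from starting and performing DMA", and the new User experience paragraph only covers peripherals that are "plugged in", while the intro added in this patch says 1903 extends protection to internal PCIe ports (M.2 slots); consider "to block DMA-capable peripherals" and a clause covering the internal-slot case so the two sections agree. Separately, this hunk introduces "DMA Remapping" next to the file's existing "DMA-remapping" (both spellings appear in the added lines); pick one.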
@@ -103,18 +105,21 @@ No, Kernel DMA Protection only protects against drive-by DMA attacks after the O
DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (i.e. the device driver does not support DMA-remapping).
Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
+
+
*For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image.

-### What should I do if the drivers for my Thunderbolt™ 3 peripherals do not support DMA-remapping?
-If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support this functionality. Details for driver compatibility requirements can be found at the [Microsoft Partner Center](https://partner.microsoft.com/dashboard/collaborate/packages/4142).
+### What should I do if the drivers for my PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?
+
+If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers).
### Do Microsoft drivers support DMA-remapping?
-In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA-remapping.
+In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA Remapping.
### Do drivers for non-PCI devices need to be compatible with DMA-remapping?
-No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA-remapping.
+No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA Remapping.
### How can an enterprise enable the External device enumeration policy?
The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default).
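Review bot: the two blank lines added before "*For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID" are stray whitespace; a single blank line is enough in Markdown. This hunk also changes "DMA-remapping" to "DMA Remapping" in two answers while the question headings and the first answer in the same hunk keep "DMA-remapping"; normalize to one form in the same pass.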
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index 4ab3d8f320..da6eece1fe 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -123,7 +123,7 @@ The following table defines which Windows features require TPM support.
TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes
Virtual Smart Card | Yes | Yes | Yes
Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM.
- Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required for white glove and self-deploying scenarios.
+ Autopilot | No | N/A | Yes | If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required.
SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
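Review bot: "N/A" in the second column of the Autopilot row is inconsistent with the Yes/No values every other visible row uses in that column; since the note says TPM 2.0 is what is required whenever a TPM is needed at all, "No" looks like the intended value. Minor wording: "deploy a scenario which requires TPM" reads better as "use a scenario that requires a TPM".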
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index d2a77a72e2..2bcfcf6622 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -23,12 +23,12 @@ ms.reviewer:
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
-If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
+If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
>[!IMPORTANT]
->If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).
If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
+>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).
If your DRA certificate has expired, you won't be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
## Manually create an EFS DRA certificate
@@ -47,16 +47,16 @@ The recovery process included in this topic only works for desktop devices. WIP
>[!Important]
>Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
-4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md).
+4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md).
> [!NOTE]
> This certificate can be used in Intune for policies both _with_ device enrollment (MDM) and _without_ device enrollment (MAM).
## Verify your data recovery certificate is correctly set up on a WIP client computer
-1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP.
+1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it's encrypted by WIP.
-2. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP.
+2. Open an app on your protected app list, and then create and save a file so that it's encrypted by WIP.
3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
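Review bot: steps 1 and 2 under "Verify your data recovery certificate is correctly set up on a WIP client computer" now say the same thing twice (open an app from the list, create and save a file so it is encrypted by WIP), and step 1 says "allowed app list" while step 2 says "protected app list". Since both lines are already being touched for the quote change, merge them into one step with a single term and renumber so the command step follows directly.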
@@ -89,7 +89,7 @@ It's possible that you might revoke data from an unenrolled device only to later
Robocopy "%localappdata%\Microsoft\EDP\Recovery" "new_location" * /EFSRAW
- Where "*new_location*" is in a different directory. This can be on the employee’s device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent.
+ Where "*new_location*" is in a different directory. This can be on the employee's device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent.
To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**.
@@ -109,12 +109,12 @@ It's possible that you might revoke data from an unenrolled device only to later
4. Ask the employee to lock and unlock the device.
- The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location.
+ The Windows Credential service automatically recovers the employee's previously revoked keys from the `Recovery\Input` location.
## Auto-recovery of encryption keys
Starting with Windows 10, version 1709, WIP includes a data recovery feature that lets your employees auto-recover access to work files if the encryption key is lost and the files are no longer accessible. This typically happens if an employee reimages the operating system partition, removing the WIP key info, or if a device is reported as lost and you mistakenly target the wrong device for unenrollment.
-To help make sure employees can always access files, WIP creates an auto-recovery key that’s backed up to their Azure Active Directory (Azure AD) identity.
+To help make sure employees can always access files, WIP creates an auto-recovery key that's backed up to their Azure Active Directory (Azure AD) identity.
The employee experience is based on sign in with an Azure AD work account. The employee can either:
@@ -147,7 +147,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)
-- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md)
+- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md)
- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
similarity index 78%
rename from windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
rename to windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index 9d1178639c..a5baa19809 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -25,10 +25,10 @@ ms.date: 01/09/2020
- Windows 10 Mobile, version 1607 and later
- Microsoft Endpoint Configuration Manager
-Microsoft Endpoint Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
+Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
## Add a WIP policy
-After you’ve installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
+After you've installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
>[!TIP]
> Review the [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) article before creating a new configuration item to avoid common issues.
@@ -37,16 +37,16 @@ After you’ve installed and set up Configuration Manager for your organization,
1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
- 
+ 
2. Click the **Create Configuration Item** button.
The **Create Configuration Item Wizard** starts.
- 
+ 
3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
-4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Microsoft Endpoint Configuration Manager for device management, and then click **Next**.
+4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**.
- **Settings for devices managed with the Configuration Manager client:** Windows 10
@@ -56,25 +56,25 @@ The **Create Configuration Item Wizard** starts.
5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
- 
+ 
6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**.
- 
+ 
The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
## Add app rules to your policy
-During the policy-creation process in Microsoft Endpoint Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
+During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
>[!IMPORTANT]
->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
### Add a store app rule to your policy
-For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
+For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list.
**To add a store app**
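Review bot: The second sentence of the IMPORTANT callout (`Care must be taken to get a support statement from the software provider...`) has no `>` prefix on either side of the change, so it renders as ordinary text outside the callout; since the line is already touched for the apostrophe fix, prefix it with `>` (or fold it into the preceding line) so the warning that WIP-unaware apps encrypt personal data and can cause loss at revocation stays inside the callout.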
@@ -82,13 +82,13 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the **
The **Add app rule** box appears.
- 
+ 
-2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*.
+2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*.
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
+ Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Store App** from the **Rule template** drop-down list.
@@ -122,7 +122,7 @@ If you don't know the publisher or product name, you can find them for both desk
4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
> [!IMPORTANT]
- > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
For example:
+ > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`.
For example:
> ```json
> {
> "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
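Review bot: `For example:` on the line after the IMPORTANT text has no `>` prefix, while the parallel callout later in the file uses `> For example:`; make this one `> For example:` as well so the JSON sample stays attached to the callout. Also, `paste them into the **Publisher Name** box` refers to a single `publisherCertificateName` value, so `paste it` is the correct form.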
@@ -150,7 +150,7 @@ If you don't know the publisher or product name, you can find them for both desk
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
> [!IMPORTANT]
- > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
+ > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`.
> For example:
> ```json
> {
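Review bot: `into the **Product Name** box of Intune` appears in the Configuration Manager article (create-wip-policy-using-configmgr.md); if the boxes referred to are the Configuration Manager wizard's, `of Intune` is a leftover from the Intune version of this page and should be dropped or reworded while the line is being edited.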
@@ -159,20 +159,20 @@ If you don't know the publisher or product name, you can find them for both desk
> ```
### Add a desktop app rule to your policy
-For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list.
+For this example, we're going to add Internet Explorer, a desktop app, to the **App Rules** list.
**To add a desktop app to your policy**
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
- 
+ 
-2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*.
+2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*.
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
+ Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Desktop App** from the **Rule template** drop-down list.
@@ -186,7 +186,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the
Manages
-
All fields left as “*”
+
All fields left as "*"
All files signed by any publisher. (Not recommended.)
@@ -215,7 +215,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the
-If you’re unsure about what to include for the publisher, you can run this PowerShell command:
+If you're unsure about what to include for the publisher, you can run this PowerShell command:
```ps1
Get-AppLockerFileInformation -Path ""
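Review bot: The PowerShell sample `Get-AppLockerFileInformation -Path ""` has an empty path, so the command as printed cannot produce the publisher output the next lines rely on; use a visible placeholder such as `-Path "<path to the app's .exe>"` and state that the reader substitutes the executable path. The fence tag `ps1` also differs from the `json` fences used elsewhere in the file; `powershell` is the conventional tag.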
@@ -232,7 +232,7 @@ Path Publisher
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
### Add an AppLocker policy file
-For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
+For this example, we're going to add an AppLocker XML file to the **App Rules** list. You'll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
**To create an app rule and xml file using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
@@ -257,7 +257,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*

-7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos.
+7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos.

@@ -277,7 +277,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
- The policy is saved and you’ll see a message that says 1 rule was exported from the policy.
+ The policy is saved and you'll see a message that says 1 rule was exported from the policy.
**Example XML file**
This is the XML file that AppLocker creates for Microsoft Photos.
@@ -299,7 +299,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*
```
-12. After you’ve created your XML file, you need to import it by using Microsoft Endpoint Configuration Manager.
+12. After you've created your XML file, you need to import it by using Configuration Manager.
**To import your Applocker policy file app rule using Configuration Manager**
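Review bot: The heading `**To import your Applocker policy file app rule using Configuration Manager**` spells the product `Applocker`; the rest of the page uses `AppLocker`. Since the adjacent step is touched in this hunk, fix the casing here as well.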
@@ -307,13 +307,13 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*
The **Add app rule** box appears.
- 
+ 
-2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*.
+2. Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*.
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
+ Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick the **AppLocker policy file** from the **Rule template** drop-down list.
@@ -332,13 +332,13 @@ If you're running into compatibility issues where your app is incompatible with
The **Add app rule** box appears.
-2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*.
+2. Add a friendly name for your app into the **Title** box. In this example, it's *Exempt apps list*.
3. Click **Exempt** from the **Windows Information Protection mode** drop-down list.
- Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic.
+ Be aware that when you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic.
-4. Fill out the rest of the app rule info, based on the type of rule you’re adding:
+4. Fill out the rest of the app rule info, based on the type of rule you're adding:
- **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic.
@@ -360,13 +360,13 @@ We recommend that you start with **Silent** or **Override** while verifying with
|-----|------------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
-|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
-|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
+|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would've been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
+|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on.|
-
+
## Define your enterprise-managed identity domains
-Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
+Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
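Review bot: The `Off (not recommended)` row is still split across two lines (`|Off (not recommended) |WIP is turned off ...` followed by `After you turn off WIP, ...|`), and a markdown table row cannot span lines, so the second sentence renders outside the table; join them into one cell, separating the sentences with `<br>` if needed. That second sentence carries the caveat that turning WIP off decrypts tagged files and does not reapply policy when WIP is re-enabled, so it must stay visible in the table.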
@@ -374,16 +374,16 @@ You can specify multiple domains owned by your enterprise by separating them wit
- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
- 
+ 
## Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
-There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
+There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
>[!IMPORTANT]
>Every WIP policy should include policy that defines your enterprise network locations.
->Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
+>Classless Inter-Domain Routing (CIDR) notation isn't supported for WIP configurations.
**To define where your protected apps can find and send enterprise data on you network**
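Review bot: `on you network` in the bolded procedure title that closes this hunk should read `on your network`. While the IMPORTANT callout is being edited, pairing the statement that CIDR notation isn't supported with the address-range format that is accepted would save readers from guessing what to enter instead.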
@@ -393,7 +393,7 @@ There are no default locations included with WIP, you must add each of your netw
2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
- 
+ 
@@ -404,7 +404,7 @@ There are no default locations included with WIP, you must add each of your netw
Enterprise Cloud Resources
With proxy: contoso.sharepoint.com,contoso.internalproxy1.com| contoso.visualstudio.com,contoso.internalproxy2.com
Without proxy: contoso.sharepoint.com|contoso.visualstudio.com
-
Specify the cloud resources to be treated as corporate and protected by WIP.
For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.
If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.
Important In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.
+
Specify the cloud resources to be treated as corporate and protected by WIP.
For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.
If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.
Important In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.
Enterprise Network Domain Names (Required)
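Review bot: The `With proxy:` example `contoso.sharepoint.com,contoso.internalproxy1.com| contoso.visualstudio.com,contoso.internalproxy2.com` has a space after the `|`, which contradicts the `URL <,proxy>|URL <,proxy>` format stated in the same cell; remove the space so readers don't copy a value with embedded whitespace. Also `/*AppCompat*/` is wrapped in asterisks that markdown can render as emphasis; put it in backticks so the literal string survives rendering.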
@@ -414,12 +414,12 @@ There are no default locations included with WIP, you must add each of your netw
Proxy servers
proxy.contoso.com:80;proxy2.contoso.com:443
-
Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
This list shouldn’t include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
+
Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
+
Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
@@ -442,7 +442,7 @@ There are no default locations included with WIP, you must add each of your netw
4. Decide if you want to Windows to look for additional network settings and if you want to show the WIP icon on your corporate files while in File Explorer.
- 
+ 
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
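Review bot: `Decide if you want to Windows to look for additional network settings` has a stray `to`; it should read `want Windows to look`. The `Enterprise Proxy Servers list is authoritative` bullet describes checked and cleared behaviour and then says `Not configured is the default option`; if Not configured behaves like a cleared box (auto-detect), say so explicitly, since the reader deciding the security posture needs to know which way the default falls.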
@@ -452,16 +452,16 @@ There are no default locations included with WIP, you must add each of your netw
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
- 
+ 
- After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
+ After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
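Review bot: `the private key that can unencrypt the data` should say `decrypt`. Since this paragraph is the page's explanation of why the DRA certificate exists, it is also the place to say plainly that the holder of the DRA private key can decrypt every WIP-protected file it covers, so that key must be kept offline and access-controlled; one sentence here stops admins treating the DRA as a throwaway certificate, even though the linked EFS DRA article goes into detail.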
## Choose your optional WIP-related settings
-After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings.
+After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings.
-
+
**To set your optional settings**
1. Choose to set any or all of the optional settings:
@@ -478,13 +478,13 @@ After you've decided where your protected apps can access enterprise data on you
- **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
- - **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
+ - **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
- - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions.
+ - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions.
- - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don’t specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to.
+ - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don't specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to.
2. After you pick all of the settings you want to include, click **Summary**.
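Review bot: `**No.** Stop local encryption keys from being revoked` should read `Stops`, parallel with `Revokes` in the Yes option. The `Allow Azure RMS` bullet says that without a template WIP uses `a default RMS template that everyone in the tenant will have access to`; stating that this means any user in the tenant can open files shared this way would make the tradeoff explicit for readers deciding whether to specify a template.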
@@ -494,12 +494,12 @@ After you've finished configuring your policy, you can review all of your info o
**To view the Summary screen**
- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
- 
+ 
A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
## Deploy the WIP policy
-After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
+After you've created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
- [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224)
- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708225)
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 8879dec483..8c01645295 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -53,7 +53,7 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
-- Office 365 ProPlus apps, including Word, Excel, PowerPoint, OneNote, and Outlook
+- Microsoft 365 Apps for enterprise apps, including Word, Excel, PowerPoint, OneNote, and Outlook
- OneDrive app
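Review bot: `Microsoft 365 Apps for enterprise apps, including Word, ...` repeats `apps`; `Microsoft 365 Apps for enterprise, including Word, Excel, PowerPoint, OneNote, and Outlook` reads cleanly.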
@@ -71,16 +71,18 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Microsoft Messaging
-- Microsoft Remote Desktop
+- Microsoft Remote Desktop
> [!NOTE]
-> Microsoft Visio, Microsoft Office Access and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining.
+> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
## List of WIP-work only apps from Microsoft
Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions.
- Skype for Business
+- Microsoft Teams (build 1.3.00.12058 and later)
+
## Adding enlightened Microsoft apps to the allowed apps list
> [!NOTE]
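Review bot: The new "Microsoft Teams (build 1.3.00.12058 and later)" entry under "WIP-work only apps" gives no guidance for earlier Teams builds, and the distinction matters here: this list is defined as unenlightened apps that have been tested and deemed safe to allow, while the NOTE just above it says that allowing an untested unenlightened app risks data loss when its encrypted metadata becomes unreadable. State whether Teams builds older than 1.3.00.12058 must be exempted from WIP policy, as Visio, Access, Project, and Publisher are, or whether they are merely untested. Adding Publisher to the exempt list in the NOTE is a good catch; consider applying the same "build X and later" or "exempt" wording consistently so an admin building an allow list can act on each entry without guessing.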
@@ -99,7 +101,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
| PowerPoint Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` **Product Name:** Microsoft.Office.PowerPoint **App Type:** Universal app |
| OneNote | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` **Product Name:** Microsoft.Office.OneNote **App Type:** Universal app |
| Outlook Mail and Calendar | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` **Product Name:** microsoft.windowscommunicationsapps **App Type:** Universal app |
-| Office 365 ProPlus and Office 2019 Professional Plus | Office 365 ProPlus and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP. We don't recommend setting up Office by using individual paths or publisher rules. |
+| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP. We don't recommend setting up Office by using individual paths or publisher rules. |
| Microsoft Photos | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` **Product Name:** Microsoft.Windows.Photos **App Type:** Universal app |
| Groove Music | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` **Product Name:** Microsoft.ZuneMusic **App Type:** Universal app |
| Microsoft Movies & TV | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` **Product Name:** Microsoft.ZuneVideo **App Type:** Universal app |
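Review bot: The row label and its first sentence are renamed to "Microsoft 365 Apps for enterprise and Office 2019 Professional Plus", but the link text in the same cell still reads "O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)". If the label is kept because it mirrors the name of the zip being downloaded, add a clause saying the files are still named for O365 ProPlus and apply to both products; otherwise a reader will conclude the AppLocker policy files are for a different product than the row describes, and these files are the only supported way to allow the suite under WIP.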
diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
deleted file mode 100644
index 47d4db6ed7..0000000000
--- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-title: How Windows Information Protection (WIP) protects files with a sensitivity label (Windows 10)
-description: Explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label.
-keywords: sensitivity, labels, WIP, Windows Information Protection, EDP, Enterprise Data Protection
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: dulcemontemayor
-ms.author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/30/2019
-ms.reviewer:
----
-
-# How Windows Information Protection (WIP) protects a file that has a sensitivity label
-
-**Applies to:**
-
-- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- Windows 10, version 1903
-- Windows 10, version 1809
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-This topic explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label.
-Microsoft information protection technologies work together as an integrated solution to help enterprises:
-
-- Discover corporate data on endpoint devices
-- Classify and label information based on its content and context
-- Protect corporate data from unintentionally leaving to non-business environments
-- Enable audit reports of user interactions with corporate data on endpoint devices
-
-Microsoft information protection technologies include:
-
-- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP.
-
-- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services.
-
-- [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) is a cloud access security broker (CASB) solution that allows you to discover, classify, protect, and monitor user data in first-party and third-party Software-as-a-Service (SaaS) apps used by your organization.
-
-## How WIP protects sensitivity labels with endpoint data loss prevention
-
-You can create and manage [sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) in the Microsoft 365 compliance center.
-When you [create a sensitivity label](https://docs.microsoft.com/microsoft-365/compliance/create-sensitivity-labels), you can specify that endpoint data loss prevention applies to content with that label.
-
-
-
-Office app users can choose a sensitivity label from a menu and apply it to a file.
-
-
-
-WIP enforces default endpoint protection as follows:
-
-- If endpoint data loss prevention is enabled, the device enforces work protection for any file with the label
-- If endpoint data loss prevention is not enabled:
- - The device enforces work protection to a file downloaded from a work site
- - The device does not enforce work protection to a file downloaded from a personal site
-
-Here's an example where a file remains protected without any work context beyond the sensitivity label:
-
-1. Sara creates a PDF file on a Mac and labels it as **Confidential**.
-1. She emails the PDF from her Gmail account to Laura.
-1. Laura opens the PDF file on her Windows 10 device.
-1. Windows Defender Advanced Threat Protection (Windows Defender ATP) scans Windows 10 for any file that gets modified or created, including files that were created on a personal site.
-1. Windows Defender ATP triggers WIP policy.
-1. WIP policy protects the file even though it came from a personal site.
-
-## How WIP protects automatically classified files
-
-The next sections cover how Windows Defender ATP extends discovery and protection of sensitive information with improvements in Windows 10 version 1903.
-
-### Discovery
-
-Windows Defender ATP can extract the content of the file itself and evaluate whether it contains sensitive information types such as credit card numbers or employee ID numbers.
-When you create a sensitivity label, you can specify that the label be added to any file that contains a sensitive information type.
-
-
-
-A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver’s license numbers, and so on.
-You can also [create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type), which can include any keyword or expression that you want to evaluate.
-
-### Protection
-
-When a file is created or edited on a Windows 10 endpoint, Windows Defender ATP extracts the content and evaluates if it contains any default or custom sensitive information types that have been defined.
-If the file has a match, Windows Defender ATP applies endpoint data loss prevention even if the file had no label previously.
-
-Windows Defender ATP is integrated with Azure Information Protection for data discovery and reports sensitive information types that were discovered.
-Azure Information Protection aggregates the files with sensitivity labels and the sensitive information types they contain across the enterprise.
-
-
-
-You can see sensitive information types in Microsoft 365 compliance under **Classifications**. Default sensitive information types have Microsoft as the publisher. The publisher for custom types is the tenant name.
-
-
-
->[!NOTE]
->Automatic classification does not change the file itself, but it applies protection based on the label.
->WIP protects a file that contains a sensitive information type as a work file.
->Azure Information Protection works differently in that it extends a file with a new attribute so the protection persists if the file is copied.
-
-## Prerequisites
-
-- Endpoint data loss prevention requires Windows 10, version 1809
-- Auto labelling requires Windows 10, version 1903
-- Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy
-- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center
-- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-sccm.md)
-
-
-
-
-
-
-
-
-
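Review bot: how-wip-works-with-labels.md is deleted outright and nothing in this diff adds a replacement page or a redirect for it, yet it was the only page describing how sensitivity labels and endpoint data loss prevention interact with WIP: the rule that a labeled file is protected even when it arrives from a personal site, the note that automatic classification applies protection without modifying the file, and the version prerequisites (1809 for endpoint DLP, 1903 for auto labelling). If the content moved, the commit should name the target and carry the redirect; if it is being withdrawn as prerelease material (the page carries the prerelease IMPORTANT banner), say so in the commit message and check the other WIP pages for remaining inbound links to this file.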
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png
index f453431070..34c89b37a9 100644
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-add-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-add-network-domain.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-addpolicy.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-addpolicy.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-corp-identity.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-corp-identity.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-devicesettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-devicesettings.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-dra.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-dra.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-network-domain.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-summaryscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-summaryscreen.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-supportedplat.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-supportedplat.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png
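Review bot: The fifteen wip-sccm-*.png to wip-configmgr-*.png renames are pure renames (similarity index 100%), but no markdown hunk in this part of the diff updates an image reference to the new names; the only link updates visible are to .md files (for example create-wip-policy-using-configmgr.md). Unless the page that embeds these screenshots is updated in the same change, every one of them becomes a broken image; include that page's hunk alongside the renames so the two cannot land separately.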
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index 8b5a188647..7e12444b58 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
@@ -53,7 +53,7 @@ This table provides info about the most common problems you might encounter whil
WIP is designed for use by a single user per device.
-
A secondary user on a device might experience app compat issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.
+
A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.
We recommend only having one user per managed device.
@@ -121,24 +121,37 @@ This table provides info about the most common problems you might encounter whil
Only enlightened apps can be managed without device enrollment
-
If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintenionally encrypted by unenlighted apps. Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.
+
If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintentionally encrypted by unenlighted apps. Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.
If all apps need to be managed, enroll the device for MDM.
-
By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encypted by one user, other users can't access it.
+
By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encrypted by one user, other users can't access it.
Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
+
+
+
By design, OneNote only supports WIP protected notebooks stored on enterprise-managed SharePoint (OneDrive for Business). Onenote does not support local WIP protected notebooks.
+
OneNote might encounter an error such as "This notebook contains protected content from your organization, which can't be viewed or synced. Please change the file ownership to Personal, or contact your IT administrator." Supported notebooks (OneDrive for Business) should be shown in File Explorer as links and open with your associated browser. Unsupported notebooks would show as folders or .one files (with a OneNote icon)
+
If unsupported files won't open in the browser, then they are 'stuck' in the old local format - incompatible with WIP or viewing online. We recommend that you create a new notebook and copy the contents from the existing notebook into the new one. In OneNote desktop, File > New > OnedDive - company name notebook and create a new one. Then within OneNote, copy over the old 'local' sections into this new notebook to ensure they get upgraded to the modern format. Hold Ctrl + drag and drop the sections into the notebook. Holding Ctrl will copy sections rather than move them, preserving the old sections as backup copies. Wait for the new notebook to finish syncing to OneDrive for business.
+
+
+
Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected.
+
+
If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected.
+
+
It is recommended to use Microsoft Office Outlook in Online mode, or to use encryption to protect OST and PST files manually.
+
> [!NOTE]
> When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files.
-> [!NOTE]
-> Chromium-based versions of Microsoft Edge (versions since 79) don't fully support WIP yet. The functionality could be partially enabled by going to the local page **edge://flags/#edge-dataprotection** and setting the **Windows Information Protection** flag to **enabled**.
+
+
> [!NOTE]
> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
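Review bot: Dropping the NOTE about Chromium-based Microsoft Edge (versions since 79) not fully supporting WIP removes a documented limitation without stating what replaces it; if the new Edge now fully supports WIP, add a row saying so, otherwise keep the note, because the edge://flags/#edge-dataprotection workaround was the only hint readers had about why Edge might not treat work data as protected. Two smaller points in the same hunk: the rewritten MAM paragraph fixes "unintentionally" but leaves "unenlighted" twice (the term used everywhere else on the page is "unenlightened"), and the Windows directory example writes the path as "C:/Windows" where the Windows form is "C:\Windows".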
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
similarity index 88%
rename from windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
rename to windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
index fc7e101613..a1e662c65e 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
@@ -28,6 +28,6 @@ Microsoft Endpoint Configuration Manager helps you create and deploy your enterp
## In this section
|Topic |Description |
|------|------------|
-|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
+|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
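Review bot: This file is renamed from overview-create-wip-policy-sccm.md and its link now targets create-wip-policy-using-configmgr.md, but no redirect for either old filename is visible here; the deleted how-wip-works-with-labels.md earlier in this diff linked to overview-create-wip-policy-sccm.md, so other pages likely do as well, and those links break once this lands without redirects. While this table is being touched, the untouched row below still reads "a Encrypting File System (EFS) Data Recovery Agent"; it should be "an Encrypting File System".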
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index 0ef906a2b3..961744bbf6 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -56,7 +56,7 @@ You can try any of the processes included in these scenarios, but you should foc
Create work documents in enterprise-allowed apps.
For desktop:
-
Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes. Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.
Important Certain file types like .exe and .dll, along with certain file paths, such as %windir% and %programfiles% are excluded from automatic encryption.
Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes. Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.
Important Certain file types like .exe and .dll, along with certain file paths, such as %windir% and %programfiles% are excluded from automatic encryption.
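Review bot: After this hunk the post-change context shows the "Start an unenlightened but allowed app..." step and its "Important" line twice in succession. If the only change is the removed blank line, the duplicate was already in the source and should be collapsed in this pass; if the second copy is the intended replacement, the first should go. Either way the page should not carry two identical copies of the only desktop test step, especially since it is the one that tells testers which file types and paths (.exe, .dll, %windir%, %programfiles%) are excluded from automatic encryption.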
@@ -113,7 +113,7 @@ You can try any of the processes included in these scenarios, but you should foc
Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps. Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
Open File Explorer and make sure your modified files are appearing with a Lock icon.
-
Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.
Note Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.
A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
+
Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.
Note Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.
A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
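Review bot: The visible difference between the two copies of this block is the apostrophe in "user’s" versus "user's", and the hunk leaves both copies in place, so the page ends up with the same three-line note (including the Wordpad, Notepad, and Paint exception list) twice in a row. Keep one copy with the straight apostrophe and drop the other.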
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 79657f9ac7..b7bd91eda3 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -6,6 +6,7 @@
### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
### [Preview features](microsoft-defender-atp/preview.md)
### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
+### [Overview of Microsoft Defender Security Center](microsoft-defender-atp/use.md)
### [Portal overview](microsoft-defender-atp/portal-overview.md)
### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
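Review bot: The new "Overview of Microsoft Defender Security Center" entry (use.md) is inserted directly above "Portal overview" (portal-overview.md); two adjacent overview entries for the same console will read as duplicates in navigation. Either merge them or give the new entry a title that states what use.md covers that portal-overview.md does not.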
@@ -13,21 +14,17 @@
## [Plan deployment](microsoft-defender-atp/deployment-strategy.md)
-
## [Deployment guide]()
### [Deployment phases](microsoft-defender-atp/deployment-phases.md)
### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md)
### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md)
-
-
-
## [Security administration]()
### [Threat & Vulnerability Management]()
#### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
-#### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
+#### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md)
#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
#### [Configuration score](microsoft-defender-atp/configuration-score.md)
#### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
@@ -42,7 +39,6 @@
#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
#### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md)
-
#### [Attack surface reduction controls]()
##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
@@ -50,12 +46,12 @@
#### [Hardware-based isolation]()
##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
-##### [Hardware-based isolation evaluation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+##### [Hardware-based isolation evaluation](microsoft-defender-application-guard/test-scenarios-md-app-guard.md)
##### [Application isolation]()
-###### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md)
-###### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
-###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+###### [Application guard overview](microsoft-defender-application-guard/md-app-guard-overview.md)
+###### [System requirements](microsoft-defender-application-guard/reqs-md-app-guard.md)
+###### [Install Windows Defender Application Guard](microsoft-defender-application-guard/install-md-app-guard.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
###### [Audit Application control policies](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
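Review bot: the third `+` line keeps the old product name in its link text, `###### [Install Windows Defender Application Guard](microsoft-defender-application-guard/install-md-app-guard.md)`, while its path and the neighbouring entries move to the Microsoft Defender naming; retitle it "Install Microsoft Defender Application Guard" so the title matches the target, as the antivirus entries later in this patch do. Moving these four pages out of windows-defender-application-guard/ also needs redirect entries for the old paths; the redirection file in this patch is a binary diff, so that cannot be confirmed here.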
@@ -66,12 +62,9 @@
#### [Device control]()
+##### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
-##### [Device Guard]()
-###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-
-
#### [Exploit protection]()
##### [Protect devices from exploits](microsoft-defender-atp/exploit-protection.md)
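Review bot: promoting `##### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)` to sit directly under "Device control" files the Device Guard/WDAC introduction next to USB device control, while the WDAC pages already live under "Hardware-based isolation > Application control" in the previous hunk; either move this entry into that Application control subtree or give it a title that explains why it belongs under device control.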
@@ -81,7 +74,7 @@
#### [Network protection]()
##### [Protect your network](microsoft-defender-atp/network-protection.md)
##### [Network protection evaluation](microsoft-defender-atp/evaluate-network-protection.md)
-
+##### [Enable network protection](microsoft-defender-atp/enable-network-protection.md)
#### [Web protection]()
##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
@@ -103,129 +96,136 @@
### [Next-generation protection]()
-#### [Next-generation protection overview](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
-#### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
+#### [Next-generation protection overview](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
+#### [Evaluate next-generation protection](microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md)
#### [Configure next-generation protection]()
-##### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
+##### [Configure Microsoft Defender Antivirus features](microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md)
-##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
-###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
-###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
-###### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
-###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
-###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+##### [Utilize Microsoft cloud-delivered protection](microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
+###### [Enable cloud-delivered protection](microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md)
+###### [Specify the cloud-delivered protection level](microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md)
+###### [Configure and validate network connections](microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md)
+###### [Prevent security settings changes with tamper protection](microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
+###### [Enable Block at first sight](microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md)
+###### [Configure the cloud block timeout period](microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
##### [Configure behavioral, heuristic, and real-time protection]()
-###### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
-###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
+###### [Configuration overview](microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md)
+###### [Detect and block Potentially Unwanted Applications](microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
+###### [Enable and configure always-on protection and monitoring](microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md)
-##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
+##### [Antivirus on Windows Server 2016](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md)
##### [Antivirus compatibility]()
-###### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
-###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
+###### [Compatibility charts](microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
+###### [Use limited periodic antivirus scanning](microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md)
##### [Deploy, manage updates, and report on antivirus]()
-###### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
-###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
-####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
+###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
+###### [Deploy and enable antivirus](microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md)
+####### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md)
###### [Report on antivirus protection]()
-####### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
-####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
+####### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
+####### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md)
###### [Manage updates and apply baselines]()
-####### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
-####### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
-####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
-####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
-####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
-####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+####### [Learn about the different kinds of updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
+####### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
+####### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
+####### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
+####### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md)
+####### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
##### [Customize, initiate, and review the results of scans and remediation]()
-###### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+###### [Configuration overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
-####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+####### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+####### [Configure antivirus exclusions Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
-###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
-###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
-###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
-###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
+###### [Configure scanning antivirus options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
+###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
+###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+###### [Configure and run scans](microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
+###### [Review scan results](microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
+###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
-##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+##### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
##### [Manage antivirus in your business]()
-###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
-###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
-###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
-###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
-###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
+###### [Use Group Policy settings to configure and manage antivirus](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
+###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
+###### [Use PowerShell cmdlets to configure and manage antivirus](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
+###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
##### [Manage scans and remediation]()
-###### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+###### [Management overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
-####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+####### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+####### [Configure antivirus exclusions on Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
+###### [Configure scanning options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
-##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
-###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
-###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
-###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
-###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+##### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
+###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
+###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+###### [Configure and run scans](microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
+###### [Review scan results](microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
+###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
+###### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
##### [Manage next-generation protection in your business]()
-###### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md)
-###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
-###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
-###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
-###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
-###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+###### [Handle false positives/negatives in Microsoft Defender Antivirus](microsoft-defender-antivirus/antivirus-false-positives-negatives.md)
+###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
+###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
+###### [Use Group Policy settings to manage next generation protection](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
+###### [Use PowerShell cmdlets to manage next generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
+###### [Use the mpcmdrun.exe command line tool to manage next generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
-#### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
-#### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md)
+#### [Better together: Microsoft Defender Antivirus and Microsoft Defender ATP](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
+#### [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md)
-### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
-#### [What's New](microsoft-defender-atp/mac-whatsnew.md)
-##### [Deploy]()
-###### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md)
-###### [JAMF-based deployment](microsoft-defender-atp/mac-install-with-jamf.md)
-###### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md)
-###### [Manual deployment](microsoft-defender-atp/mac-install-manually.md)
-##### [Update](microsoft-defender-atp/mac-updates.md)
-##### [Configure]()
-###### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
-###### [Set preferences](microsoft-defender-atp/mac-preferences.md)
-###### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
-##### [Troubleshoot]()
-###### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md)
-###### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md)
-###### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md)
-###### [Troubleshoot license issues](microsoft-defender-atp/mac-support-license.md)
-##### [Privacy](microsoft-defender-atp/mac-privacy.md)
-##### [Resources](microsoft-defender-atp/mac-resources.md)
+### [Microsoft Defender Advanced Threat Protection for Mac]()
+#### [Overview of Microsoft Defender ATP for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
+#### [What's New](microsoft-defender-atp/mac-whatsnew.md)
+
+#### [Deploy]()
+##### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md)
+##### [JAMF-based deployment](microsoft-defender-atp/mac-install-with-jamf.md)
+##### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md)
+##### [Manual deployment](microsoft-defender-atp/mac-install-manually.md)
+#### [Update](microsoft-defender-atp/mac-updates.md)
+
+#### [Configure]()
+##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
+##### [Set preferences](microsoft-defender-atp/mac-preferences.md)
+##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
+
+#### [Troubleshoot]()
+##### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md)
+##### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md)
+##### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md)
+##### [Troubleshoot license issues](microsoft-defender-atp/mac-support-license.md)
+
+#### [Privacy](microsoft-defender-atp/mac-privacy.md)
+#### [Resources](microsoft-defender-atp/mac-resources.md)
-### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
+### [Microsoft Defender Advanced Threat Protection for Linux]()
+#### [Overview of Microsoft Defender ATP for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
+#### [What's New](microsoft-defender-atp/linux-whatsnew.md)
#### [Deploy]()
##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
##### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md)
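Review bot: the renamed lines carry over a duplicated entry, `##### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)` immediately followed by a `######` entry with the same title and target, and the whole "Manage scans and remediation" subtree repeats the targets of "Customize, initiate, and review the results of scans and remediation" above it; since every one of these lines is rewritten here, this is the place to collapse each duplicate to a single entry. The Mac and Linux sections also add new targets (`microsoft-defender-atp/linux-whatsnew.md` in particular) that cannot be checked from the TOC hunk alone; confirm the file exists in this change set, or the TOC build will report a broken link.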
@@ -233,22 +233,26 @@
#### [Update](microsoft-defender-atp/linux-updates.md)
+
#### [Configure]()
##### [Configure and validate exclusions](microsoft-defender-atp/linux-exclusions.md)
##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
##### [Set preferences](microsoft-defender-atp/linux-preferences.md)
-#### [Troubleshoot]()
-##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md)
-##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md)
+##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/linux-pua.md)
+#### [Troubleshoot]()
+##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md)
+##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md)
+##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md)
+
+
+#### [Privacy](microsoft-defender-atp/linux-privacy.md)
#### [Resources](microsoft-defender-atp/linux-resources.md)
### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
## [Security operations]()
-
-
### [Endpoint detection and response]()
#### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md)
#### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
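Review bot: the two consecutive blank lines added before `+#### [Privacy](microsoft-defender-atp/linux-privacy.md)` are the only double blank in the new Linux section and run against the rest of the patch, which removes stray blank lines; trim to one. The three new targets `linux-pua.md`, `linux-support-install.md` and `linux-privacy.md` must exist in this change set, since none of them is added in the hunks shown.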
@@ -256,6 +260,7 @@
##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
##### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
+
#### [Alerts queue]()
##### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
@@ -279,7 +284,7 @@
###### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
-###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
+###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-machines)
###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
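Review bot: the fragment in `+###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-machines)` only resolves if the heading in respond-machine-alerts.md was renamed in step with it; a stale anchor does not fail the build, the link just lands at the top of the page, so verify that the heading in that file now reads "Run Microsoft Defender Antivirus scan on machines".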
@@ -307,10 +312,6 @@
-
-
-##### [Shadow protection?](windows-defender-antivirus/shadow-protection.md)
-
#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
#### [Reporting]()
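Review bot: `-##### [Shadow protection?](windows-defender-antivirus/shadow-protection.md)` is removed from the TOC without a replacement entry in this hunk, which leaves shadow-protection.md orphaned unless it is deleted or redirected in the same change; if its content now lives under the `EDR in block mode` entry added in a later hunk, add a redirect from the old path to edr-in-block-mode.md.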
@@ -324,13 +325,15 @@
##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
+### [Behavioral blocking and containment]()
+#### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md)
+#### [Client behavioral blocking](microsoft-defender-atp/client-behavioral-blocking.md)
+#### [Feedback-loop blocking](microsoft-defender-atp/feedback-loop-blocking.md)
+#### [EDR in block mode](microsoft-defender-atp/edr-in-block-mode.md)
-
-
-
-
-### [Automated investigation and response]()
+### [Automated investigation and response (AIR)]()
#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
+#### [Configure AIR capabilities](microsoft-defender-atp/configure-automated-investigations-remediation.md)
### [Advanced hunting]()
#### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md)
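Review bot: the new container `+### [Behavioral blocking and containment]()` has a first child with the identical title, `+#### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md)`, which renders the same label twice in the nav; the rest of this patch uses "Overview of X" for such pages (`Overview of AIR`, `Overview of Microsoft Defender ATP for Mac`), so retitle the child to "Overview of behavioral blocking and containment".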
@@ -346,14 +349,14 @@
##### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md)
##### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md)
##### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md)
-##### [DeviceFileCertificateInfoBeta](microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md)
+##### [DeviceFileCertificateInfo](microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md)
##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md)
##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md)
##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md)
-##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md)
-##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md)
-##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md)
-##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md)
+##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md)
+##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)
+##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md)
+##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)
#### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
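Review bot: the four `DeviceTvm*` entries change their target file names (for example `advanced-hunting-tvm-softwareinventory-table.md` to `advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md`), and `DeviceFileCertificateInfoBeta` becomes `DeviceFileCertificateInfo` with a new path; each old path needs a redirect, and the table-name change should be reflected inside the renamed page and in any advanced hunting query samples that still reference the `Beta` table name.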
@@ -403,7 +406,7 @@
### [Configure portal settings]()
#### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
#### [General]()
-##### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
+##### [Verify data storage location and update data retention settings](microsoft-defender-atp/data-retention-settings.md)
##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
##### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
##### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md)
@@ -414,10 +417,8 @@
##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
###### [Create and manage roles](microsoft-defender-atp/user-roles.md)
###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
-####### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
+###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
-#### [APIs]()
-##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
#### [Rules]()
##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
@@ -434,13 +435,12 @@
### [Configure integration with other Microsoft solutions]()
#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
-#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
+
## Reference
### [Management and APIs]()
#### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
-
#### [Microsoft Defender ATP API]()
##### [Get started]()
###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
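Review bot: `-#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)` is replaced by a bare blank line rather than removed, and the page itself is not redirected or deleted in this hunk, so it becomes unreachable from the nav; either drop the blank line and add a redirect for the page, or keep the entry if the page is still published.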
@@ -573,8 +573,7 @@
##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
-##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
-##### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
+##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
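Review bot: dropping `Configure Splunk to pull detections` from the TOC does not remove or redirect `microsoft-defender-atp/configure-splunk.md`, and the neighbouring `configure-siem.md` entry ("Learn about different ways to pull detections") very likely still links to it. Either keep the entry or pair this removal with a redirect and fix the inbound links. The HP to Micro Focus ArcSight rename is fine.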
@@ -633,7 +632,7 @@
##### [Network protection](microsoft-defender-atp/troubleshoot-np.md)
##### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
-#### [Troubleshoot next-generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
+#### [Troubleshoot next-generation protection](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
@@ -660,7 +659,6 @@
### [How Microsoft identifies malware and PUA](intelligence/criteria.md)
### [Submit files for analysis](intelligence/submission-guide.md)
### [Safety Scanner download](intelligence/safety-scanner-download.md)
-### [Industry antivirus tests](intelligence/top-scoring-industry-antivirus-tests.md)
### [Industry collaboration programs](intelligence/cybersecurity-industry-partners.md)
#### [Virus information alliance](intelligence/virus-information-alliance-criteria.md)
#### [Microsoft virus initiative](intelligence/virus-initiative-criteria.md)
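Review bot: this hunk (and the matching one in `intelligence/TOC.md` further down) removes the TOC entry for `intelligence/top-scoring-industry-antivirus-tests.md`, but the diff does not delete or redirect that file, so it becomes an orphan page that is still published and still indexed. Add the redirect or the file deletion to this PR.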
@@ -690,9 +688,10 @@
#### [Family options](windows-defender-security-center/wdsc-family-options.md)
-### [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
-#### [Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
-#### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
+### [Microsoft Defender SmartScreen](microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md)
+#### [Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md)
+#### [Set up and use Microsoft Defender SmartScreen on individual devices](microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md)
+
### [Windows Sandbox](windows-sandbox/windows-sandbox-overview.md)
#### [Windows Sandbox architecture](windows-sandbox/windows-sandbox-architecture.md)
diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
index e13d22c6e3..f6d870f605 100644
--- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
@@ -2,7 +2,7 @@
title: Audit Other Privilege Use Events (Windows 10)
description: This security policy setting is not used.
ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
-ms.reviewer:
+ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
@@ -17,8 +17,8 @@ ms.date: 04/19/2017
# Audit Other Privilege Use Events
**Applies to**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows Server 2016
This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed.
@@ -31,7 +31,7 @@ This auditing subcategory should not have any events in it, but for some reason
**Events List:**
-- [4985](event-4674.md)(S): The state of a transaction has changed.
+- [4985](event-4985.md)(S): The state of a transaction has changed.
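Review bot: correct fix; the old link sent readers to `event-4674.md` (Sensitive Privilege Use) for a 4985 event. The diff does not add `event-4985.md`, so confirm it already exists in the auditing folder before merging, otherwise this becomes a broken link instead of a wrong one.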
diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md
index c1d44d55e0..4a9b1e8b3a 100644
--- a/windows/security/threat-protection/auditing/event-1102.md
+++ b/windows/security/threat-protection/auditing/event-1102.md
@@ -1,6 +1,6 @@
---
title: 1102(S) The audit log was cleared. (Windows 10)
-description: Describes security event 1102(S) The audit log was cleared.
+description: Though you shouldn't normally see it, this event generates every time Windows Security audit log is cleared. This is for event 1102(S).
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
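Review bot: the new `+description:` line is missing an article and ends with filler. Suggest "This event generates every time the Windows Security audit log is cleared. You should not normally see it." The trailing sentence "This is for event 1102(S)." repeats the title and can go.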
diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md
index 5854f68b90..fbcbb7dad9 100644
--- a/windows/security/threat-protection/auditing/event-1104.md
+++ b/windows/security/threat-protection/auditing/event-1104.md
@@ -1,6 +1,6 @@
---
title: 1104(S) The security log is now full. (Windows 10)
-description: Describes security event 1104(S) The security log is now full.
+description: This event generates every time Windows security log becomes full and the event log retention method is set to "Do not overwrite events."
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
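Review bot: the new `+description:` line needs "the": "This event generates every time the Windows Security log becomes full and the event log retention method is set to "Do not overwrite events."" Capitalise "Security log" consistently with the 1102 description in the same PR.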
diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md
index cd3b89cac3..e00e49b666 100644
--- a/windows/security/threat-protection/auditing/event-1105.md
+++ b/windows/security/threat-protection/auditing/event-1105.md
@@ -1,6 +1,6 @@
---
title: 1105(S) Event log automatic backup. (Windows 10)
-description: Describes security event 1105(S) Event log automatic backup.
+description: This event generates every time Windows security log becomes full and new event log file was created.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
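Review bot: the new `+description:` line mixes tenses ("becomes full and new event log file was created") and is missing articles. Suggest "This event generates every time the Windows Security log becomes full and a new event log file is created."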
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index d9b5265f75..a7f80d6745 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -230,7 +230,7 @@ This event generates when a logon session is created (on destination machine). I
**Network Information:**
-- **Workstation Name** \[Type = UnicodeString\]**:** machine name from which logon attempt was performed.
+- **Workstation Name** \[Type = UnicodeString\]**:** machine name to which logon attempt was performed.
- **Source Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.
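Review bot: the change on the `Workstation Name` line inverts its meaning and should be reverted. In 4624, Workstation Name is the client computer the logon request came from (for a network logon, the workstation name supplied by the client), so "from which logon attempt was performed" was correct. The unchanged `Source Network Address` line directly below still says "from which", and both fields describe the same source machine; the machine the logon was performed *to* is the one that recorded the event, so a "to which" field would carry no information.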
diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
index 18d2e3d8c2..30ed1af8fc 100644
--- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
+++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date:
---
# Monitor the use of removable storage devices
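Review bot: blanking `ms.date:` removes the last-reviewed date without replacing it. Since the body of this article is being revised in the same PR, set `ms.date` to the revision date rather than leaving the field empty.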
@@ -28,7 +28,10 @@ If you configure this policy setting, an audit event is generated each time a us
Use the following procedures to monitor the use of removable storage devices and to verify that the devices are being monitored.
->**Note:** Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
+Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
+
+> [!NOTE]
+> When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](https://docs.microsoft.com/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](https://docs.microsoft.com/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](https://docs.microsoft.com/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](https://docs.microsoft.com/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor.
**To configure settings to monitor removable storage devices**
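Review bot: the added `[!NOTE]` buries the operational point at the end. Lead with what the admin will observe: after the audit policy is applied, access to a removable device that was already attached may not generate audit events until the device is reinstalled or the computer restarts, because the new security descriptor is applied at device installation. Then give the driver-level detail. Also, the link to `https://docs.microsoft.com/previous-versions/ff541299` is an archived URL; link the current SetupAPI device installation reference instead. Separately, the first change in this hunk demotes the "Your server might function differently..." note to body text; that is fine, but the other notes in this file are being converted to `[!NOTE]` blocks, so be consistent about which caveats are notes.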
@@ -46,7 +49,8 @@ After you configure the settings to monitor removable storage devices, use the f
1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type **cmd** to open a Command Prompt window.
- >**Note:** If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
+ > [!NOTE]
+ > If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
2. Type **gpupdate /force**, and press ENTER.
3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy.
@@ -56,7 +60,8 @@ After you configure the settings to monitor removable storage devices, use the f
Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted.
- >**Note:** We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event.
+ > [!NOTE]
+ > We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event.
### Related resource
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
index 74a43afb5e..d6788c3add 100644
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -26,7 +26,7 @@ Microsoft recommends [a layered approach to securing removable media](https://ak
1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by USB vendor IDs, product IDs, device IDs, or a combination. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
2. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling:
- - Windows Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
+ - Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
- The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run from USB.
- Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA Protection for Thunderbolt and blocking DMA until a user signs in.
3. [Create customized alerts and response actions](#create-customized-alerts-and-response-actions) to monitor usage of removable devices based on these plug and play events or any other Microsoft Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules).
@@ -111,7 +111,7 @@ For example:
If you want to prevent the installation of a device class or certain devices, you can use the prevent device installation policies:
1. Enable **Prevent installation of devices that match any of these device IDs**.
-2. Enable **Prevent installation of devices that match these device setup classes**.
+2. Enable **Prevent installation of devices using drivers that match these device setup classes**.
> [!Note]
> The prevent device installation policies take precedence over the allow device installation policies.
@@ -145,6 +145,14 @@ Get-WMIObject -Class Win32_DiskDrive |
Select-Object -Property *
```
+The **Prevent installation of devices using drivers that match these device setup classes** policy allows you to specify device setup classes that Windows is prevented from installing.
+
+To prevent installation of particular classes of devices:
+
+1. Find the GUID of the device setup class from [System-Defined Device Setup Classes Available to Vendors](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
+2. Enable **Prevent installation of devices using drivers that match these device setup classes** and add the class GUID to the list.
+
+
### Block installation and usage of removable storage
1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
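Review bot: the new procedure has two consecutive blank lines after step 2 (`+` `+`), and this diff adds `images/Add-device-setup-class-to-prevent-list.png` but nothing in the added text references it; either insert the image after step 2 or drop the file. Step 2 should also say whether to tick **Also apply to matching devices that are already installed**, since without it the policy only blocks new installations of the class.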
@@ -226,22 +234,22 @@ For more information about controlling USB devices, see the [Microsoft Defender
| Control | Description |
|----------|-------------|
-| [Enable Windows Defender Antivirus Scanning](#enable-windows-defender-antivirus-scanning) | Enable Windows Defender Antivirus scanning for real-time protection or scheduled scans.|
+| [Enable Microsoft Defender Antivirus Scanning](#enable-microsoft-defender-antivirus-scanning) | Enable Microsoft Defender Antivirus scanning for real-time protection or scheduled scans.|
| [Block untrusted and unsigned processes on USB peripherals](#block-untrusted-and-unsigned-processes-on-usb-peripherals) | Block USB files that are unsigned or untrusted. |
| [Protect against Direct Memory Access (DMA) attacks](#protect-against-direct-memory-access-dma-attacks) | Configure settings to protect against DMA attacks. |
>[!NOTE]
>Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
-### Enable Windows Defender Antivirus Scanning
+### Enable Microsoft Defender Antivirus Scanning
-Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans.
+Protecting authorized removable storage with Microsoft Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) or scheduling scans and configuring removable drives for scans.
-- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
+- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Microsoft Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
- If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting.
>[!NOTE]
->We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Windows Defender Antivirus** > **Real-time monitoring**.
+>We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Microsoft Defender Antivirus** > **Real-time monitoring**.
@@ -255,7 +263,7 @@ This can be done by setting **Untrusted and unsigned processes that run from USB
With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards.
Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files.
-These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus).
1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
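Review bot: the link path change is fine; while touching this paragraph, the context line above lists PowerShell scripts as ".ps" files. The PowerShell script extension is `.ps1`; `.ps` is PostScript.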
@@ -324,7 +332,7 @@ For example, using either approach, you can automatically have the Microsoft Def
## Related topics
-- [Configure real-time protection for Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus)
+- [Configure real-time protection for Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus)
- [Defender/AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning)
- [Policy/DeviceInstallation CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation)
- [Perform a custom scan of a removable device](https://aka.ms/scanusb)
diff --git a/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png b/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png
new file mode 100644
index 0000000000..043da38016
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png differ
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index a3b27f24c3..35846937a0 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -1,6 +1,6 @@
---
-title: Enable virtualization-based protection of code integrity
-description: This article explains the steps to opt in to using HVCI on Windows devices.
+title: Enable virtualization-based protection of code integrity
+description: This article explains the steps to opt in to using HVCI on Windows devices.
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
@@ -16,7 +16,7 @@ ms.reviewer:
# Enable virtualization-based protection of code integrity
-**Applies to**
+**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -25,13 +25,13 @@ Some applications, including device drivers, may be incompatible with HVCI.
This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
->[!NOTE]
->Because it makes use of *Mode Based Execution Control*, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and newer. Processors without MBEC will rely on an emulation of this feature, called *Restricted User Mode*, which has a bigger impact on performance.
+> [!NOTE]
+> Because it makes use of *Mode Based Execution Control*, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and newer. Processors without MBEC will rely on an emulation of this feature, called *Restricted User Mode*, which has a bigger impact on performance.
## HVCI Features
* HVCI protects modification of the Control Flow Guard (CFG) bitmap.
-* HVCI also ensure your other Truslets, like Credential Guard, have a valid certificate.
+* HVCI also ensures that your other trusted processes, like Credential Guard, have got a valid certificate.
* Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.
## How to turn on HVCI in Windows 10
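Review bot: the rewrite of the second bullet replaces the misspelled "Truslets" with "trusted processes", which loses the actual term. Credential Guard (LsaIso.exe) is a trustlet, a process running in Isolated User Mode under VBS, and the point of the bullet is that HVCI enforces signing for code loaded into that environment. Suggest "HVCI also ensures that your other trustlets, like Credential Guard, have a valid certificate." and drop the colloquial "have got".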
@@ -54,7 +54,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
### Enable HVCI using Group Policy
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
-2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
+2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
3. Double-click **Turn on Virtualization Based Security**.
4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.
@@ -290,9 +290,9 @@ WDAC protects against malware running in the guest virtual machine. It does not
Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
```
-### Requirements for running HVCI in Hyper-V virtual machines
+### Requirements for running HVCI in Hyper-V virtual machines
- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
-- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
+- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
- HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time
- Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
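Review bot: whitespace-only change here, but the sample command in the context above, `Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true`, has no value after `-VMName`, so it fails to parse if copied. Add a placeholder such as `<VMName>` to the sample.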
diff --git a/windows/security/threat-protection/images/lab-creation-page.png b/windows/security/threat-protection/images/lab-creation-page.png
new file mode 100644
index 0000000000..75540493da
Binary files /dev/null and b/windows/security/threat-protection/images/lab-creation-page.png differ
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 35ac0e33f0..7a0b4059d1 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -7,8 +7,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: dansimp
-author: DulceMontemayor
+ms.author: macapara
+author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -19,6 +19,9 @@ ms.topic: conceptual
# Threat Protection
[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
+>[!TIP]
+> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/).
+
Microsoft Defender ATP
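Review bot: the added `>[!TIP]` uses no space after `>`, while this same PR normalises the HVCI article to `> [!NOTE]`; pick one form for the patch. Content-wise, the tip promotes a remote-work landing page between the product definition and the "Microsoft Defender ATP" section and does not relate to the paragraph it follows; consider moving it to the end of the article or dropping it.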
@@ -41,6 +44,9 @@ ms.topic: conceptual
+
+>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
+
**[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
@@ -71,14 +77,14 @@ The attack surface reduction set of capabilities provide the first line of defen
-**[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**
+**[Next generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**
To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
-- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
-- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
-- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
-- [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
+- [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus)
+- [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus)
+- [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus)
+- [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
+- [Automated sandbox service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus)
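Review bot: the five links switch from repo-relative `.md` paths to absolute `https://docs.microsoft.com/...` URLs. Absolute URLs bypass build-time link validation and resolve to the live site from preview and localised builds, so the usual convention is a relative path (`microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md`). Note also that the `Cloud-based protection` target changes from `enable-cloud-protection-...` to `configure-protection-features-...`, which is a different page, not just a rename; confirm that is intended.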
diff --git a/windows/security/threat-protection/intelligence/TOC.md b/windows/security/threat-protection/intelligence/TOC.md
index 1bea408ef2..b07721ab05 100644
--- a/windows/security/threat-protection/intelligence/TOC.md
+++ b/windows/security/threat-protection/intelligence/TOC.md
@@ -36,8 +36,6 @@
## [Safety Scanner download](safety-scanner-download.md)
-## [Industry tests](top-scoring-industry-antivirus-tests.md)
-
## [Industry collaboration programs](cybersecurity-industry-partners.md)
### [Virus information alliance](virus-information-alliance-criteria.md)
diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md
index 572d4cf705..74c19eb50f 100644
--- a/windows/security/threat-protection/intelligence/criteria.md
+++ b/windows/security/threat-protection/intelligence/criteria.md
@@ -159,11 +159,11 @@ Advertisements shown to you must:
#### Consumer opinion
-Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Windows Defender Antivirus and other Microsoft antimalware solutions.
+Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Microsoft Defender Antivirus and other Microsoft antimalware solutions.
## Potentially unwanted application (PUA)
-Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. For instruction on how to enable PUA protection in Chromium-based Microsoft Edge and Windows Defender Antivirus, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md).
+Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. For instruction on how to enable PUA protection in Chromium-based Microsoft Edge and Microsoft Defender Antivirus, see [Detect and block potentially unwanted applications](../microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md).
*PUAs are not considered malware.*
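Review bot: the first `+` line carries a subject-verb disagreement: "This Security intelligence identifies the software as malware and are available" should be "and is available". Since the line is being edited anyway, fix it here.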
@@ -175,7 +175,7 @@ Microsoft uses specific categories and the category definitions to classify soft
* **Cryptomining software:** Software that uses your device resources to mine cryptocurrencies.
-* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.
+* **Bundling software:** Software that offers to install other software that is not developed by the same entity or not required for the software to run. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.
* **Marketing software:** Software that monitors and transmits the activities of users to applications or services other than itself for marketing research.
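Review bot: the Bundling software change is a substantive criterion change, not a wording fix. "Not digitally signed by the same entity" is a test a scanner can apply; "not developed by the same entity" is not verifiable from the binary, and "not required for the software to run" would classify many legitimate optional components (language packs, plug-ins) as bundling. If the policy intent is to broaden the definition, say so in the PR description and keep the signature-based test as the operative wording, for example "not signed by the same entity".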
diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md
index 3e680879b5..c6973ab9e1 100644
--- a/windows/security/threat-protection/intelligence/developer-faq.md
+++ b/windows/security/threat-protection/intelligence/developer-faq.md
@@ -43,8 +43,8 @@ It contains instructions to offer a program classified as unwanted software. You
## Why is the Windows Firewall blocking my program?
-This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network.
+This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network.
## Why does the Windows Defender SmartScreen say my program is not commonly downloaded?
-This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website.
+This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website.
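Review bot: both answers in this hunk send the developer to "the Microsoft Developer Network" and "the SmartScreen website" without a link, and both lines are being touched, so add the links now. Also confirm the mixed branding is intended: the body says Microsoft Defender Antivirus while the heading keeps "Windows Defender SmartScreen", which is correct only if SmartScreen has not been renamed; otherwise readers will take it for a missed replacement.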
diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md
index 35aec2bd9c..b413cea906 100644
--- a/windows/security/threat-protection/intelligence/developer-resources.md
+++ b/windows/security/threat-protection/intelligence/developer-resources.md
@@ -40,4 +40,4 @@ Find more guidance about the file submission and detection dispute process in ou
### Scan your software
-Use [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft.
+Use [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft.
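Review bot: the + line changes an absolute docs.microsoft.com URL to the renamed path, so it only works once the renamed page is published, and the build cannot validate it. The PUA hunk earlier in this diff uses a relative path for the same docset; prefer that here too, and make sure the old /windows-defender-antivirus/ URL gets a redirect for external bookmarks. Style: "latest Security intelligence" should be lowercase "security intelligence".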
diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md
index 2a52b19798..001d356c59 100644
--- a/windows/security/threat-protection/intelligence/malware-naming.md
+++ b/windows/security/threat-protection/intelligence/malware-naming.md
@@ -1,7 +1,7 @@
---
title: Malware names
ms.reviewer:
-description: Understand the malware naming convention used by Windows Defender Antivirus and other Microsoft antimalware.
+description: Understand the malware naming convention used by Microsoft Defender Antivirus and other Microsoft antimalware.
keywords: security, malware, names, Microsoft, MMPC, Microsoft Malware Protection Center, WDSI, malware name, malware prefix, malware type, virus name
ms.prod: w10
ms.mktglfcycl: secure
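Review bot: the description in the + line now names Microsoft Defender Antivirus, but the unchanged keywords line still carries only the MMPC/WDSI names and no product name at all; add the new product name (and keep the old one for search continuity) while this front matter is open. ms.reviewer is also left empty.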
diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md
index ffe4254e2b..ad80fad7fe 100644
--- a/windows/security/threat-protection/intelligence/rootkits-malware.md
+++ b/windows/security/threat-protection/intelligence/rootkits-malware.md
@@ -55,7 +55,7 @@ For more general tips, see [prevent malware infection](prevent-malware-infection
Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your device and your antimalware software isn’t detecting it, you might need an extra tool that lets you boot to a known trusted environment.
-[Windows Defender Offline](https://support.microsoft.com/help/17466/windows-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection.
+[Microsoft Defender Offline](https://support.microsoft.com/help/17466/microsoft-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection.
[System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that impact system integrity.
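Review bot: the + line rewrites the support.microsoft.com slug from windows-defender-offline-help-protect-my-pc to microsoft-defender-offline-help-protect-my-pc as part of the blanket find-and-replace. Support articles are addressed by the numeric ID (17466) and the slug is whatever the article was published under, so the substitution should not have been applied inside a URL. Verify the new link resolves; if it does not, keep the original slug (or just https://support.microsoft.com/help/17466) with the new link text. While here, check that "Windows Security Center" is still the app name you want in the same sentence.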
diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md
index f6b12d45e0..96e45bc39b 100644
--- a/windows/security/threat-protection/intelligence/safety-scanner-download.md
+++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md
@@ -34,7 +34,7 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from
- Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
-- This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
+- This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Microsoft Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
## System requirements
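Review bot: the + line applies the new name to Windows 8 as well ("Microsoft Defender Antivirus on Windows 10 and Windows 8"); on Windows 8 the built-in product shipped as Windows Defender, so either qualify the sentence or keep the old name for the Windows 8 mention. In the unchanged context line above, "Safety scanner" should be "Safety Scanner" to match the rest of the page.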
@@ -53,7 +53,7 @@ For more information about the Safety Scanner, see the support article on [how t
## Related resources
- [Troubleshooting Safety Scanner](https://support.microsoft.com/help/2520970/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner)
-- [Windows Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security)
+- [Microsoft Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security)
- [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download)
- [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware)
- [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission)
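Review bot: the "Removing difficult threats" link at the end of this hunk goes to support.microsoft.com/help/4466982, while the same label in the first hunk of this file links to microsoft.com/wdsi/help/troubleshooting-infection; pick one target for both while the page is being edited.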
diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md
index 35942059ca..8544b43d61 100644
--- a/windows/security/threat-protection/intelligence/support-scams.md
+++ b/windows/security/threat-protection/intelligence/support-scams.md
@@ -45,13 +45,13 @@ It is also important to keep the following in mind:
* Use [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge) when browsing the internet. It blocks known support scam sites using Windows Defender SmartScreen (which is also used by Internet Explorer). Furthermore, Microsoft Edge can stop pop-up dialogue loops used by these sites.
-* Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware.
+* Enable [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware.
## What to do if information has been given to a tech support person
* Uninstall applications that scammers asked to be install. If access has been granted, consider resetting the device
-* Run a full scan with Windows Defender Antivirus to remove any malware. Apply all security updates as soon as they are available.
+* Run a full scan with Microsoft Defender Antivirus to remove any malware. Apply all security updates as soon as they are available.
* Change passwords.
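Review bot: the unchanged bullet "Uninstall applications that scammers asked to be install" has a grammar error ("asked you to install") and is missing its period; fix it in this hunk since the list is being touched. The guidance itself is thin for the scenario the heading describes: once a scammer has had remote access, "Change passwords" should say to do it from a different, clean device and to sign out other sessions, and a reset should be the default recommendation rather than something to "consider", because a scan cannot prove a remote-access session left nothing behind. Style: "dialogue loops" should be "dialog loops".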
diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
deleted file mode 100644
index be304c5715..0000000000
--- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
+++ /dev/null
@@ -1,113 +0,0 @@
----
-title: Top scoring in industry tests (AV-TEST, AV Comparatives, SE Labs, MITRE ATT&CK)
-ms.reviewer:
-description: Microsoft Defender ATP consistently achieves high scores in independent tests. View the latest scores and analysis.
-keywords: Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, scoring, next generation protection, ranking, success
-ms.prod: w10
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.localizationpriority: high
-ms.author: ellevin
-author: levinec
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-search.appverid: met150
----
-
-# Top scoring in industry tests
-
-Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis.
-
-## Next generation protection
-
-[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) consistently performs highly in independent tests, displaying how it is a top choice in the antivirus market. Keep in mind, these tests only provide results for antivirus and do not test for additional security protections.
-
-Windows Defender Antivirus is the [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) capability in the [Microsoft Defender ATP Windows 10 security stack](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) that addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign). That's because Windows Defender Antivirus and other [endpoint protection platform (EPP)](https://www.microsoft.com/security/blog/2019/08/23/gartner-names-microsoft-a-leader-in-2019-endpoint-protection-platforms-magic-quadrant/) capabilities in Microsoft Defender ATP detect and stops malware at first sight with [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak), behavioral analysis, and other advanced technologies.
-
-
-
-**Download the latest transparency report: [Examining industry test results, November 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)**
-
-### AV-TEST: Protection score of 5.5/6.0 in the latest test
-
-The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The following scores are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
-
-- January - February 2020 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2020/microsoft-windows-defender-antivirus-4.18-200614/) **Latest**
-
- Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, with 21,008 malware samples used.
-
-- November - December 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2019/microsoft-windows-defender-antivirus-4.18-195015/)
-
-- September - October 2019 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2019/microsoft-windows-defender-antivirus-4.18-194115/)
-
-- July — August 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2019/microsoft-windows-defender-antivirus-4.18-193215/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
-
-- May — June 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2019/microsoft-windows-defender-antivirus-4.18-192415/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
-
-- March — April 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2019/microsoft-windows-defender-antivirus-4.18-191517/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
-
-- January — February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2019/microsoft-windows-defender-antivirus-4.18-190611/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd)
-
-- November — December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWusR9)
-
-- September — October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD)
-
-### AV-Comparatives: Protection rating of 99.9% in the latest test
-
-Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance.
-
-- Business Security Test 2019 (August — November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2019-august-november/) **Latest**
-
- Windows Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year, with 99.6% in the latest test.
-
-- Business Security Test 2019 Factsheet (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
-
-- Business Security Test 2019 (March — June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
-
-- Business Security Test 2018 (August — November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2018-august-november/)
-
-- Business Security Test 2018 (March — June): [Real-World Protection Rate 98.7%](https://www.av-comparatives.org/tests/business-security-test-2018-march-june/)
-
-### SE Labs: AAA award in the latest test
-
-SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services.
-
-- Enterprise Endpoint Protection October — December 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/oct-dec-2019-enterprise.pdf) **pdf**
-
- Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but two public threats.
-
-- Enterprise Endpoint Protection July — September 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jul-sep-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
-
-- Enterprise Endpoint Protection April — June 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/apr-jun-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
-
-- Enterprise Endpoint Protection January — March 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jan-mar-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
-
-- Enterprise Endpoint Protection October — December 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/oct-dec-2018-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd)
-
-## Endpoint detection & response
-
-Microsoft Defender ATP [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
-
-
-
-**Read our analysis: [MITRE evaluation highlights industry-leading EDR capabilities in Windows Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831)**
-
-### MITRE: Industry-leading optics and detection capabilities
-
-MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off. Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework. The framework is widely regarded today as the most comprehensive catalog of attacker techniques and tactics.
-
-- ATT&CK-based evaluation: [Leading optics and detection capabilities](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/) | [Analysis](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831)
-
- Microsoft Defender ATP delivered comprehensive coverage of attacker techniques across the entire attack chain. Highlights included the breadth of telemetry, the strength of threat intelligence, and the advanced, automatic detection through machine learning, heuristics, and behavior monitoring.
-
-## To what extent are tests representative of protection in the real world?
-
-Independent security industry tests aim to evaluate the best antivirus and security products in an unbiased manner. However, it is important to remember that Microsoft sees a wider and broader set of threats beyond what's tested in the evaluations highlighted in this topic. For example, in an average month Microsoft's security products identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats.
-
-The capabilities within Microsoft Defender ATP provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses) that are not factored into industry antivirus tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how Microsoft's security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Microsoft Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively Microsoft's security suite protects customers in the real world.
-
-With independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack.
-
-[Learn more about Microsoft Defender ATP](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) and evaluate it in your own network by signing up for a [90-day trial of Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), or [enabling Preview features on existing tenants](../microsoft-defender-atp/preview-settings.md).
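Review bot: this deletes a published page outright, but nothing in the diff shows a redirect for its old URL or a TOC update, and the deletion is bundled into a product-rename PR; the commit message should say whether the content moved or was retired and carry the redirect either way. The deleted page held the most recent figures (AV-TEST January to February 2020, AV-Comparatives August to November 2019, SE Labs October to December 2019, the MITRE APT3 evaluation) and the only caveat in this set of pages about what AV-only tests do and do not measure, so if a replacement exists, confirm it was not written from an older copy and that the caveat survived.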
diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md
index c9f64fecd6..2ed753b049 100644
--- a/windows/security/threat-protection/intelligence/trojans-malware.md
+++ b/windows/security/threat-protection/intelligence/trojans-malware.md
@@ -40,7 +40,7 @@ Trojans can come in many different varieties, but generally they do the followin
Use the following free Microsoft software to detect and remove it:
-- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows.
+- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows.
- [Microsoft Safety Scanner](safety-scanner-download.md)
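Review bot: the + line keeps an absolute docs.microsoft.com URL while the next bullet (safety-scanner-download.md) uses a relative link within the same docset; use a relative link to the renamed page (../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md, as the PUA hunk above does) so the build validates it, and ensure the old path redirects.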
diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md
index fdf1e1e4bf..ab2471f894 100644
--- a/windows/security/threat-protection/intelligence/unwanted-software.md
+++ b/windows/security/threat-protection/intelligence/unwanted-software.md
@@ -43,7 +43,7 @@ To prevent unwanted software infection, download software only from official web
Use [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index) (also used by Internet Explorer).
-Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
+Enable [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista.
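Review bot: the unchanged context line above links "Windows Defender SmartScreen" to https://docs.microsoft.com/microsoft-edge/deploy/index, the same URL used for the Microsoft Edge link in the same sentence; that is almost certainly the wrong target for SmartScreen and should be corrected while this paragraph is open. For the + line, same remark as the other pages: prefer a relative link to the renamed topic so the build checks it.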
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md
index 6b392dcc81..04c8f8280f 100644
--- a/windows/security/threat-protection/intelligence/worms-malware.md
+++ b/windows/security/threat-protection/intelligence/worms-malware.md
@@ -44,7 +44,7 @@ This image shows how a worm can quickly spread through a shared USB drive.
## How to protect against worms
-Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
+Enable [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista.
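Review bot: the + line on the worms page says Microsoft Defender Antivirus "detects and removes known unwanted software", which is the sentence copied from unwanted-software.md; here it should say "known worms" (or "known malware"), otherwise the page makes the wrong claim about what is detected. Since the line is being rewritten anyway, fix the wording in the same change.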
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index 0490c8a9a6..771169d40b 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -1,6 +1,6 @@
---
title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
-description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions
+description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
keywords: MBSA, security, removal
ms.prod: w10
ms.mktglfcycl: deploy
@@ -16,7 +16,7 @@ manager: dansimp
Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these additional checks had not been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive.
-MBSA was largely used in situations where neither Microsoft Update nor a local WSUS/SCCM server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016.
+MBSA was largely used in situations where neither Microsoft Update nor a local WSUS or Configuration Manager server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016.
## The Solution
A script can help you with an alternative to MBSA’s patch-compliance checking:
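Review bot: the + line swaps "SCCM" for "Configuration Manager" but leaves the surrounding tense problems in place: "MBSA is used to verify patch compliance. MBSA also performed..." mixes present and past for a retired tool ("was used"), and "it has since been deprecated and no longer developed" needs "is no longer developed". Both sit in or next to the rewritten sentence, so fix them here.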
diff --git a/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
similarity index 62%
rename from windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
index 9b7b2cffbf..e9fd6a400e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
@@ -1,7 +1,7 @@
---
-title: What to do with false positives/negatives in Windows Defender Antivirus
-description: Did Windows Defender Antivirus miss or wrongly detect something? Find out what you can do.
-keywords: Windows Defender Antivirus, false positives, false negatives, exclusions
+title: What to do with false positives/negatives in Microsoft Defender Antivirus
+description: Did Microsoft Defender Antivirus miss or wrongly detect something? Find out what you can do.
+keywords: Microsoft Defender Antivirus, false positives, false negatives, exclusions
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
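Review bot: the file is renamed (62% similarity) from the windows-defender-antivirus/ folder to microsoft-defender-antivirus/, so the old URL needs a redirect entry; nothing in this hunk or elsewhere in the diff shows one. The title, description and keywords changes themselves are consistent.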
@@ -12,43 +12,43 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 02/05/2020
+ms.date: 06/08/2020
ms.reviewer: shwetaj
manager: dansimp
audience: ITPro
ms.topic: article
---
-# What to do with false positives/negatives in Windows Defender Antivirus
+# What to do with false positives/negatives in Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Windows Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware and spyware across email, apps, the cloud, and the web.
+Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
-But what if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these things. You can:
-- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis);
-- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring); or
-- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned) by Windows Defender Antivirus.
+What if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these issues. You can:
+- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis)
+- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring)
+- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned)
## Submit a file to Microsoft for analysis
1. Review the [submission guidelines](../intelligence/submission-guide.md).
-2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission).
+2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission).
> [!TIP]
> We recommend signing in at the submission portal so you can track the results of your submissions.
## Create an "Allow" indicator to prevent a false positive from recurring
-If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Windows Defender Antivirus (and Microsoft Defender Advanced Threat Protection) that the item is safe.
+If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Microsoft Defender Antivirus (and Microsoft Defender Advanced Threat Protection) that the item is safe.
To set up your "Allow" indicator, follow the guidance in [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).
## Define an exclusion on an individual Windows device to prevent an item from being scanned
-When you define an exclusion for Windows Defender Antivirus, you configure your antivirus to skip that item.
+When you define an exclusion for Microsoft Defender Antivirus, you configure your antivirus to skip that item.
1. On your Windows 10 device, open the Windows Security app.
2. Select **Virus & threat protection** > **Virus & threat protection settings**.
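Review bot: the rewritten third bullet `- [Define an exclusion on an individual Windows device to prevent an item from being scanned](...)` drops the trailing "by Windows Defender Antivirus" instead of renaming it, so the list no longer says which scanner the exclusion applies to; keep the qualifier as "by Microsoft Defender Antivirus" to match the other two bullets, which still name the product. The `-`/`+` pair for `2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission).` shows no visible difference and looks like a whitespace-only change; drop it from the rename so the hunk stays reviewable.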
@@ -59,14 +59,14 @@ The following table summarizes exclusion types, how they're defined, and what ha
|Exclusion type |Defined by |What happens |
|---------|---------|---------|
-|**File** |Location Example: `c:\sample\sample.test` |The specified file is skipped by Windows Defender Antivirus. |
-|**Folder** |Location Example: `c:\test\sample` |All items in the specified folder are skipped by Windows Defender Antivirus. |
-|**File type** |File extension Example: `.test` |All files with the specified extension anywhere on your device are skipped by Windows Defender Antivirus. |
-|**Process** |Executable file path Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Windows Defender Antivirus. |
+|**File** |Location Example: `c:\sample\sample.test` |The specified file is skipped by Microsoft Defender Antivirus. |
+|**Folder** |Location Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. |
+|**File type** |File extension Example: `.test` |All files with the specified extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
+|**Process** |Executable file path Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
-To learn more, see:
-- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus)
-- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus)
+To learn more, see:
+- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
+- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
## Related articles
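Review bot: the `To learn more, see:` line is removed and re-added with no visible change, which again looks like whitespace-only noise in a rename commit; drop it. Separately, now that the **Process** row states that "The specified process and any files that are opened by that process are skipped", the sentence introducing the table should carry a one-line caveat that every exclusion type widens what the scanner ignores, with the process type being the broadest, so a reader fixing a false positive understands the trade-off before choosing it over the "Allow" indicator described in the previous section.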
diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
similarity index 79%
rename from windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
index 1cae26190b..691027c34e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
@@ -1,7 +1,7 @@
---
-title: Collect diagnostic data for Update Compliance and Windows Defender Windows Defender Antivirus
-description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Windows Defender Antivirus Assessment add in
-keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, windows defender av
+title: Collect diagnostic data for Update Compliance and Windows Defender Microsoft Defender Antivirus
+description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Microsoft Defender Antivirus Assessment add in
+keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
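Review bot: the new title `+title: Collect diagnostic data for Update Compliance and Windows Defender Microsoft Defender Antivirus` keeps the doubled product name from the old title ("Windows Defender Windows Defender Antivirus"); the search-and-replace only swapped the second occurrence. It should read "Collect diagnostic data for Update Compliance and Microsoft Defender Antivirus".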
@@ -17,15 +17,15 @@ ms.reviewer:
manager: dansimp
---
-# Collect Update Compliance diagnostic data for Windows Defender AV Assessment
+# Collect Update Compliance diagnostic data for Microsoft Defender AV Assessment
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in.
+This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV Assessment section in the Update Compliance add-in.
-Before attempting this process, ensure you have read [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps.
+Before attempting this process, ensure you have read [Troubleshoot Microsoft Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps.
On at least two devices that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by taking the following steps:
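Review bot: `met all require prerequisites` in the rewritten sentence should be "met all required prerequisites"; the rename touched the line without fixing the typo, and this is the only time the line is likely to be edited.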
@@ -52,7 +52,7 @@ On at least two devices that are not reporting or showing up in Update Complianc
6. Send an email using the Update Compliance support email template, and fill out the template with the following information:
```
- I am encountering the following issue when using Windows Defender Antivirus in Update Compliance:
+ I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance:
I have provided at least 2 support .cab files at the following location:
@@ -63,5 +63,5 @@ On at least two devices that are not reporting or showing up in Update Complianc
## See also
-- [Troubleshoot Windows Defender Windows Defender Antivirus reporting](troubleshoot-reporting.md)
+- [Troubleshoot Windows Defender Microsoft Defender Antivirus reporting](troubleshoot-reporting.md)
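Review bot: the See also entry `- [Troubleshoot Windows Defender Microsoft Defender Antivirus reporting](troubleshoot-reporting.md)` has the same doubled product name as the title hunk in this file; the link text should read "Troubleshoot Microsoft Defender Antivirus reporting", matching the link text used for the same target earlier in the article.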
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
new file mode 100644
index 0000000000..e366bb2066
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
@@ -0,0 +1,95 @@
+---
+title: Collect diagnostic data of Microsoft Defender Antivirus
+description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
+keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 06/10/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Collect Microsoft Defender AV diagnostic data
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV.
+
+On at least two devices that are experiencing the same issue, obtain the .cab diagnostic file by taking the following steps:
+
+1. Open an administrator-level version of the command prompt as follows:
+
+ a. Open the **Start** menu.
+
+ b. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**.
+
+ c. Enter administrator credentials or approve the prompt.
+
+2. Navigate to the Microsoft Defender directory. By default, this is `C:\Program Files\Windows Defender`.
+
+> [!NOTE]
+> If you're running an updated Microsoft Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\`.
+
+3. Type the following command, and then press **Enter**
+
+ ```Dos
+ mpcmdrun.exe -GetFiles
+ ```
+
+4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
+
+> [!NOTE]
+> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation ` For more information see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
+
+5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
+
+> [!NOTE]
+>If you have a problem with Update compliance, send an email using the Update Compliance support email template, and fill out the template with the following information:
+>```
+> I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance:
+> I have provided at least 2 support .cab files at the following location:
+>
+>
+> My OMS workspace ID is:
+>
+> Please contact me at:
+
+## Redirect diagnostic data to a UNC share
+To collect diagnostic data on a central repository, you can specify the SupportLogLocation parameter.
+
+```Dos
+mpcmdrun.exe -GetFiles -SupportLogLocation
+```
+
+Copies the diagnostic data to the specified path. If the path is not specified, the diagnostic data will be copied to the location specified in the Support Log Location Configuration.
+
+When the SupportLogLocation parameter is used, a folder structure as below will be created in the destination path:
+
+```Dos
+\\MpSupport--.cab
+```
+
+| field | Description |
+|:----|:----|
+| path | The path as specified on the commandline or retrieved from configuration
+| MMDD | Month Day when the diagnostic data was collected (eg 0530)
+| hostname | the hostname of the device on which the diagnostic data was collected.
+| HHMM | Hours Minutes when the diagnostic data was collected (eg 1422)
+
+> [!NOTE]
+> When using a File share please make sure that account used to collect the diagnostic package has write access to the share.
+
+## See also
+
+- [Troubleshoot Microsoft Defender Antivirus reporting](troubleshoot-reporting.md)
+
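Review bot: the Update Compliance note block opens a fenced code block with `>```` after "fill out the template with the following information:" and never closes it, so the template and everything that follows until the next fence will render as code; add the closing `>```` after `> Please contact me at:`. In the same file, the `-SupportLogLocation` argument has an empty placeholder in both the inline note (`mpcmdrun.exe -GetFiles -SupportLogLocation `) and the fenced block under "Redirect diagnostic data to a UNC share", and the folder pattern `\\MpSupport--.cab` contains none of the four fields (path, MMDD, hostname, HHMM) that the table below it describes; this looks like angle-bracket placeholders being swallowed as HTML, so escape them or use backticks, otherwise the reader cannot reconstruct the syntax. The default output path `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab` disagrees with the `C:\ProgramData\Microsoft\Windows Defender\Platform\` path two lines above and with `C:\Program Files\Windows Defender` in step 2; on-disk directory names were not renamed with the product, so verify the Support path rather than carrying the rename into it. Since the .cab "contains various diagnostic logs" and step 5 already asks for a password-protected share, the note under "Redirect diagnostic data to a UNC share" should say the share must not be readable by everyone, not only that the collecting account needs write access. Minor: `ms.pagetype: security` appears twice in the front matter, `keywords:` is copied from the Update Compliance article, and "a a different path", "when using the Microsoft Defender AV", and "make sure that account used" need a grammar pass.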
diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
similarity index 67%
rename from windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
index b42e1c8729..0286462e81 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Use the command line to manage Windows Defender Antivirus
-description: Run Windows Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility.
+title: Use the command line to manage Microsoft Defender Antivirus
+description: Run Microsoft Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility.
keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -16,18 +16,18 @@ ms.reviewer: ksarens
manager: dansimp
---
-# Configure and manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool
+# Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can perform various Windows Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Windows Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
+You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
> [!NOTE]
> You might need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
>
-> If you're running an updated Windows Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\`.
+> If you're running an updated Microsoft Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\`.
The utility has the following commands:
@@ -36,15 +36,15 @@ MpCmdRun.exe [command] [-options]
```
Here's an example:
```
-MpCmdRun.exe -scan -2
+MpCmdRun.exe -Scan -ScanType 2
```
| Command | Description |
|:----|:----|
| `-?` **or** `-h` | Displays all available options for this tool |
-| `-Scan [-ScanType [0\|1\|2\|3]] [-File [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout ] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. |
+| `-Scan [-ScanType [0\|1\|2\|3]] [-File [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout ] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. CpuThrottling will honor the configured CPU throttling from policy |
| `-Trace [-Grouping #] [-Level #]` | Starts diagnostic tracing |
-| `-GetFiles` | Collects support information |
+| `-GetFiles [-SupportLogLocation ]` | Collects support information. See '[collecting diagnostic data](collect-diagnostic-data.md)' |
| `-GetFilesDiagTrack` | Same as `-GetFiles`, but outputs to temporary DiagTrack folder |
| `-RemoveDefinitions [-All]` | Restores the installed Security intelligence to a previous backup copy or to the original default set |
| `-RemoveDefinitions [-DynamicSignatures]` | Removes only the dynamically downloaded Security intelligence |
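Review bot: the example was changed to `MpCmdRun.exe -Scan -ScanType 2`, but the `-Scan` table row still lists the values as `**-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan`; the leading hyphens fitted the old `-scan -2` form and now contradict both the new example and the `[-ScanType [0\|1\|2\|3]]` syntax in the same cell. Change them to **1**, **2**, **3**. In the same row the appended "CpuThrottling will honor the configured CPU throttling from policy" has no terminating punctuation and reads better as "`-CpuThrottling` honors the CPU throttling limit configured by policy." The new `-GetFiles [-SupportLogLocation ]` cell has the same empty placeholder as collect-diagnostic-data.md; escape it so the argument name survives rendering.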
@@ -58,5 +58,5 @@ MpCmdRun.exe -scan -2
## Related topics
-- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..9ca273c668
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
@@ -0,0 +1,45 @@
+---
+title: Manage Windows Defender in your business
+description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Microsoft Defender AV
+keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 09/03/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Manage Microsoft Defender Antivirus in your business
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+You can manage and configure Microsoft Defender Antivirus with the following tools:
+
+- Microsoft Intune
+- Microsoft Endpoint Configuration Manager
+- Group Policy
+- PowerShell cmdlets
+- Windows Management Instrumentation (WMI)
+- The mpcmdrun.exe utility
+
+The articles in this section provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus.
+
+## In this section
+
+Article | Description
+---|---
+[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus
+[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates
+[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters
+[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
+[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus
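Review bot: `+title: Manage Windows Defender in your business` does not match the H1 `# Manage Microsoft Defender Antivirus in your business` in the same new file and is the only place in it where the old name survives; align the title. `ms.pagetype: security` is duplicated in the front matter, and `ms.date: 09/03/2018` on a file added in this change looks carried over from the article it was copied from; the other new file in this change uses 06/10/2020.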
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
similarity index 54%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
index 981c05b0ae..3464a06430 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Configure scanning options for Windows Defender AV
-description: You can configure Windows Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
+title: Configure scanning options for Microsoft Defender AV
+description: You can configure Microsoft Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -17,7 +17,7 @@ manager: dansimp
---
-# Configure Windows Defender Antivirus scanning options
+# Configure Microsoft Defender Antivirus scanning options
**Applies to:**
@@ -25,7 +25,7 @@ manager: dansimp
**Use Microsoft Intune to configure scanning options**
-See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
+See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
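Review bot: the fragment in the external Intune link was renamed from `#windows-defender-antivirus` to `#microsoft-defender-antivirus`, but that heading lives on a docs.microsoft.com/intune page this change does not touch; renaming a fragment on someone else's page will silently break the deep link unless that page has already been updated. Verify the anchor exists on the target, or link to the page without a fragment.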
@@ -41,16 +41,16 @@ To configure the Group Policy settings described in the following table:
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class
---|---|---|---
-See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
+Email scanning See [Email scanning limitations](#ref1)| Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | Not available
Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
- Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
+ Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles`
Scan packed executables | Scan > Scan packed executables | Enabled | Not available
Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning`
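Review bot: step 3 now tells the reader to expand **Windows components > Microsoft Defender Antivirus**, but that is the display name of an ADMX node, which depends on the Windows build and the ADMX templates installed on the management machine rather than on this docset's rename; on machines with older templates the node is still labelled Windows Defender Antivirus. Mention both names or note the template dependency. In the table, the rewritten first row `Email scanning See [Email scanning limitations](#ref1)| ...` lacks punctuation between "Email scanning" and "See", and the `#ref1` fragment needs an explicit anchor in the "Email scanning limitations" section that is not visible anywhere in this diff; confirm it exists or use the heading's own fragment. The archive-files row still carries a leading space before `Scan archive files`.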
@@ -64,7 +64,7 @@ Specify the level of subfolders within an archive folder to scan | Scan > Specif
## Use PowerShell to configure scanning options
-See [Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
## Use WMI to configure scanning options
@@ -72,32 +72,22 @@ For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.
## Email scanning limitations
-We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
-
-Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended setting for scanning emails.
-
-You can also use this Group Policy to enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
+Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
- DBX
- MBX
- MIME
-PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
+PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) will also be scanned, but Windows Defender cannot remediate threats detected inside PST files.
-If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
+If Microsoft Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat manually:
- Email subject
- Attachment name
->[!WARNING]
->There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
->
-> - [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1)
-> - [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2)
-
## Related topics
-- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md)
-- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
+- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
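Review bot: this hunk deletes the recommendation to rely on always-on real-time protection for email-borne malware and the WARNING block with the two Outlook 2013 scanning links without replacing either, and at the same time broadens "older email files used by Outlook 2003 and older" to "email files used by Outlook and other mail clients". The warning was the page's only caveat that scanning Outlook stores carries risk, and the broadened sentence now sits next to the unchanged statement that only non-Unicode PST files from Outlook 2003 or older are scanned and cannot be remediated, so the section contradicts itself about what is covered. Either keep the caveat (with refreshed links if the 2013 ones are stale) and scope the sentence to the formats the list actually supports (DBX, MBX, MIME), or state in the commit why the guidance changed. Minor: "Windows Defender cannot remediate threats detected inside PST files" still uses the old name on a line this hunk rewrites.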
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
similarity index 65%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
index af838d196f..5fb8feab26 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
@@ -22,35 +22,35 @@ ms.custom: nextgen
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Block at first sight is a feature of next-generation protection that provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention.
+Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention.
-You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
+You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
>[!TIP]
>Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
## How it works
-When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean.
+When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean.
-Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
-
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+
In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
-If the cloud backend is unable to make a determination, Windows Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
+If the cloud backend is unable to make a determination, Microsoft Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
In many cases, this process can reduce the response time for new malware from hours to seconds.
## Confirm and validate that block at first sight is enabled
-Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Windows Defender Antivirus deployments.
+Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Microsoft Defender Antivirus deployments.
### Confirm block at first sight is enabled with Intune
-1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Windows Defender Antivirus**.
+1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Microsoft Defender Antivirus**.
> [!NOTE]
> The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
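Review bot: the context line `A hash value of the .exe file is checked via the cloud backend` now sits directly after the sentence that says non-portable executable files (JS, VBS, macros) are also covered, so the "How it works" paragraph reads as if only .exe files are hashed; since this hunk already rewrites the surrounding sentences, consider `A hash value of the file is checked` to keep the paragraph consistent. Separately, the `-` blank line followed by a `+` blank line a few lines later is whitespace-only churn that could be dropped from the change.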
@@ -65,11 +65,11 @@ Block at first sight requires a number of settings to be configured correctly or

> [!WARNING]
- > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus).
+ > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus).
-For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus).
+For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
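Review bot: the fragment in the Intune link is changed from `#windows-defender-antivirus` to `#microsoft-defender-antivirus`, but that anchor is generated by the heading on an external docs page (`docs.microsoft.com/intune/device-restrictions-windows-10`) that this PR does not touch; please confirm the target heading has actually been renamed there, otherwise the link will silently land at the top of the page.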
### Enable block at first sight with Microsoft Endpoint Configuration Manager
@@ -100,7 +100,7 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**:
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**:
- Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
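Review bot: this line renames a Group Policy Management Editor tree node (`Windows components > Microsoft Defender Antivirus > MAPS`), which is a UI label supplied by the installed ADMX templates rather than doc prose; please confirm the shipped templates show "Microsoft Defender Antivirus" for the Windows versions this article covers, or note the older node name, since a reader following the path on a device with older templates will not find it. The same applies to the other tree-path renames in this file.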
@@ -109,7 +109,7 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev
> [!WARNING]
> Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function.
-4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Windows Defender Antivirus** > **Real-time Protection**:
+4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Real-time Protection**:
1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**.
@@ -117,14 +117,28 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev
If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered.
-### Confirm block at first sight is enabled with the Windows Security app
+### Confirm block at first sight is enabled with Registry editor
-You can confirm that block at first sight is enabled in your Windows security settings.
+1. Start Registry Editor.
-Block at first sight is automatically enabled as long as **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
+2. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet**, and make sure that
+
+ 1. **SpynetReporting** key is set to **1**
+
+ 2. **SubmitSamplesConsent** key is set to either **1** (Send safe samples) or **3** (Send all samples)
+
+3. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection**, and make sure that
+
+ 1. **DisableIOAVProtection** key is set to **0**
+
+ 2. **DisableRealtimeMonitoring** key is set to **0**
### Confirm Block at First Sight is enabled on individual clients
+You can confirm that block at first sight is enabled on individual clients using Windows security settings.
+
+Block at first sight is automatically enabled as long as **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
+
1. Open the Windows Security app.
2. Select **Virus & threat protection**, and then, under **Virus & threat protection settings**, select **Manage Settings**.
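Review bot: the new Registry Editor procedure reads `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\...` and tells the reader to "make sure that" specific values are set, but the `Policies` hive is only populated when the setting is managed by policy; on a device that relies on the defaults described earlier in this article ("enabled by default in most enterprise ... deployments") these keys may not exist at all, so the section should state what an absent key means rather than implying it must be present. Also, `SpynetReporting`, `SubmitSamplesConsent`, `DisableIOAVProtection` and `DisableRealtimeMonitoring` are registry values under those keys, not keys, so "key is set to" should read "value is set to". Minor: the removed paragraph about **Cloud-delivered protection** and **Automatic sample submission** is re-added under the next heading, which is fine, but the new heading "Confirm block at first sight is enabled with Registry editor" should use the proper name "Registry Editor" as the first step already does.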
@@ -138,7 +152,7 @@ Block at first sight is automatically enabled as long as **Cloud-delivered prote
### Validate block at first sight is working
-You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
+You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
## Disable block at first sight
@@ -153,7 +167,7 @@ You may choose to disable block at first sight if you want to retain the prerequ
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree through **Windows components** > **Windows Defender Antivirus** > **MAPS**.
+3. Expand the tree through **Windows components** > **Microsoft Defender Antivirus** > **MAPS**.
4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**.
@@ -162,5 +176,5 @@ You may choose to disable block at first sight if you want to retain the prerequ
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
similarity index 52%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
index 1b9c177447..7840be58fc 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Configure the Windows Defender AV cloud block timeout period
-description: You can configure how long Windows Defender Antivirus will block a file from running while waiting for a cloud determination.
-keywords: windows defender antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds
+title: Configure the Microsoft Defender AV cloud block timeout period
+description: You can configure how long Microsoft Defender Antivirus will block a file from running while waiting for a cloud determination.
+keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
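Review bot: the `keywords` line now mixes a capitalized `Microsoft Defender Antivirus` with the rest of the list in lowercase (`antimalware, security, defender, ...`); the previous value was all lowercase, so either keep the list lowercase or capitalize consistently.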
@@ -24,13 +24,13 @@ ms.custom: nextgen
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-When Windows Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md).
+When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
-The default period that the file will be [blocked](configure-block-at-first-sight-windows-defender-antivirus.md) is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Windows Defender Antivirus cloud service.
+The default period that the file will be [blocked](configure-block-at-first-sight-microsoft-defender-antivirus.md) is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Microsoft Defender Antivirus cloud service.
## Prerequisites to use the extended cloud block timeout
-[Block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period.
+[Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period.
## Specify the extended timeout period
@@ -40,7 +40,7 @@ You can use Group Policy to specify an extended timeout for cloud checks.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**
4. Double-click **Configure extended cloud check** and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds.
@@ -48,7 +48,7 @@ You can use Group Policy to specify an extended timeout for cloud checks.
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Use next-generation antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
-- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Use next-generation antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
+- [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..b7af3e0452
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
@@ -0,0 +1,36 @@
+---
+title: Configure how users can interact with Microsoft Defender AV
+description: Configure how end-users interact with Microsoft Defender AV, what notifications they see, and if they can override settings.
+keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 09/03/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Configure end-user interaction with Microsoft Defender Antivirus
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus.
+
+This includes whether they see the Microsoft Defender Antivirus interface, what notifications they see, and if they can locally override globally-deployed Group Policy settings.
+
+## In this section
+
+Topic | Description
+---|---
+[Configure notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation
+[Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) | Hide the user interface from users
+[Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints
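Review bot: the front matter of this new file declares `ms.pagetype: security` twice (once after `search.product` and again after `ms.sitesec`); duplicate keys in YAML front matter are at best ignored and at worst rejected by the build, so drop one. `ms.reviewer:` is also left empty; either fill it in or remove the line. The table body otherwise looks fine, but note that each of the three linked topics is a `microsoft-defender-antivirus` file that must exist after this PR for the links to resolve.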
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..78dd9f20a7
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
@@ -0,0 +1,37 @@
+---
+title: Set up exclusions for Microsoft Defender AV scans
+description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender AV. Validate your exclusions with PowerShell.
+keywords:
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 03/12/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Configure and validate exclusions for Microsoft Defender Antivirus scans
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
+
+>[!WARNING]
+>Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
+
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process.
+
+## Related articles
+
+[Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md)
\ No newline at end of file
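Review bot: as in the other new file, `ms.pagetype: security` appears twice in the front matter and should be declared once; `keywords:` is empty, so either supply search keywords (the description already mentions exclusions, files, folders, processes and PowerShell) or remove the line. The file also lacks a trailing newline (`\ No newline at end of file`), which is worth fixing before merge so later diffs stay clean.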
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
similarity index 68%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
index bc096eac9e..213731cfa6 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Configure and validate exclusions based on extension, name, or location
-description: Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location.
+description: Exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
keywords: exclusions, files, extension, file type, folder name, file name, scans
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -23,11 +23,11 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!IMPORTANT]
-> Windows Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md).
+> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md).
## Exclusion lists
-You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
+You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
> [!NOTE]
> Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
@@ -43,28 +43,28 @@ A specific process | The executable file `c:\test\process.exe` | File and folder
Exclusion lists have the following characteristics:
-- Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
-- File extensions will apply to any file name with the defined extension if a path or folder is not defined.
+- Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
+- File extensions apply to any file name with the defined extension if a path or folder is not defined.
>[!IMPORTANT]
->The use of wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
+>Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
>
>You cannot exclude mapped network drives. You must specify the actual network path.
>
->Folders that are reparse points that are created after the Windows Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
+>Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
-To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md).
+To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md).
-The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [real-time protection](configure-real-time-protection-windows-defender-antivirus.md).
+The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md).
>[!IMPORTANT]
->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
+>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
>
>Changes made in the Windows Security app **will not show** in the Group Policy lists.
-By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence when there are conflicts.
+By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts.
-You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
+You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
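Review bot: the last added line keeps the grammatical slip `exclusions lists` in the link text; it should read `exclusion lists` to match "Exclusion lists" used elsewhere in this section. While this hunk is rewording the neighbouring lines, the reparse-point sentence (`Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included.`) stacks three relative clauses and is hard to parse; something like "Reparse-point folders created after the service starts are not honored as exclusions until the service is restarted" carries the same information. Style: this block uses `>[!IMPORTANT]` without a space while the `IMPORTANT` callout at the top of the file uses `> [!IMPORTANT]`; pick one form.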
## Configure the list of exclusions based on folder name or file extension
@@ -72,7 +72,7 @@ You can [configure how locally and globally defined exclusions lists are merged]
See the following articles:
- [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure)
-- [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus)
+- [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus)
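Review bot: same concern as the Intune link in the block-at-first-sight file: the `#microsoft-defender-antivirus` fragment points into an external Intune page this PR does not edit, so confirm the heading there has been renamed before changing the anchor.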
### Use Configuration Manager to configure file name, folder, or file extension exclusions
@@ -87,14 +87,14 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- - Set the option to **Enabled**.
+ - Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- - Specify each folder on its own line under the **Value name** column.
- - If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
+ - Specify each folder on its own line under the **Value name** column.
+ - If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
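Review bot: the three `-`/`+` pairs under step 4 (`Set the option to **Enabled**.`, `Specify each folder on its own line ...`, `If you are specifying a file ...`) show no visible text change, so this is trailing-whitespace churn; it is harmless, but if it is not intentional it could be reverted to keep the rename diff focused.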
@@ -140,13 +140,13 @@ All files under a folder (including files in subdirectories), or a specific file
>[!IMPORTANT]
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
-For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the `.test` file extension:
+For example, the following code snippet would cause Microsoft Defender AV scans to exclude any file with the `.test` file extension:
```PowerShell
Add-MpPreference -ExclusionExtension ".test"
```
-For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
### Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions
@@ -165,7 +165,7 @@ For more information, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.c
### Use the Windows Security app to configure file name, folder, or file extension exclusions
-See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
+See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions) for instructions.
@@ -178,14 +178,14 @@ You can use the asterisk `*`, question mark `?`, or environment variables (such
>
>- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
>- You cannot use a wildcard in place of a drive letter.
->- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
+>- An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
|Wildcard |Examples |
|---------|---------|
-|`*` (asterisk)
In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple, nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`
`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`
`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
+|`*` (asterisk)
In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`
`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`
`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
|`?` (question mark)
In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my` would include `C:\MyData\my1.zip`
`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders
`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
|Environment variables
The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |
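Review bot: both wildcard rows in this hunk say "file name and file extension **inclusions**" (the re-added `+|`*` (asterisk)` row and the unchanged `?` row), but the table documents exclusions; correct it to **exclusions**, because an exclusion table that talks about inclusions inverts the security meaning for anyone skimming it. Smaller points in the same rows: the `?` example `C:\MyData\my` has lost its wildcard character, so it no longer shows what `?` matches in `my1.zip`; "wild carded" should be "wildcarded"; and the trailing "and its subfolders" text sits inside the code spans (`C:\somepath\Archives\Data and its subfolders`), so it reads as part of the path. Worth a one-line caveat beside the `C:\somepath\*\Data` example: because the `*` segment matches any folder at that depth and everything beneath the match is then excluded, a wildcard folder exclusion widens the unscanned area far more than a literal path does, including folders a non-admin user can create.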
@@ -206,30 +206,30 @@ You can retrieve the items in the exclusion list using one of the following meth
- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings)
- MpCmdRun
- PowerShell
-- [Windows Security app](windows-defender-security-center-antivirus.md#exclusions)
+- [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions)
>[!IMPORTANT]
->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
+>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
>
>Changes made in the Windows Security app **will not show** in the Group Policy lists.
If you use PowerShell, you can retrieve the list in two ways:
-- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
+- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists are displayed on separate lines, but the items within each list are combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
### Validate the exclusion list by using MpCmdRun
-To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
+To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
```DOS
MpCmdRun.exe -CheckExclusion -path
```
>[!NOTE]
->Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
+>Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
-### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
+### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
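Review bot: the `MpCmdRun.exe -CheckExclusion -path` command in this hunk is missing the argument for `-path`; add a placeholder such as `-path <path>` so readers who paste it verbatim do not just get a usage error. The rewritten link on the `+To check exclusions with the dedicated` line still carries `?branch=v-anbic-wdav-new-mpcmdrun-options`, which looks like a review-branch query string left over from authoring and should be dropped before publishing. Minor: "Each of the lists are displayed" should be "Each of the lists is displayed", and this file keeps the `DOS` fence tag while the network-connections file in the same PR switches its fence to `console`; pick one tag for the whole rename.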
@@ -241,7 +241,7 @@ In the following example, the items contained in the `ExclusionExtension` list a

-For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
### Retrieve a specific exclusions list by using PowerShell
@@ -257,7 +257,7 @@ In the following example, the list is split into new lines for each use of the `

-For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
@@ -271,7 +271,7 @@ In the following PowerShell snippet, replace *test.txt* with a file that conform
Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
```
-If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html).
+If Microsoft Defender Antivirus reports malware, then the rule is not working. If there is no report of malware and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html).
You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
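Review bot: the `Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt"` line in this hunk fetches the test file over plain HTTP, so a proxy or any on-path device can alter or drop the download, and a failed or changed download then tests the network path rather than the exclusion; while the wording is being revised, switch both the download and the `EICAR test file website` link to HTTPS. In the `+If Microsoft Defender Antivirus reports malware, then the rule is not working` sentence, "the rule" would be clearer as "the exclusion", which is the term the next sentence uses.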
@@ -290,6 +290,6 @@ You can also copy the string into a blank text file and attempt to save it with
## Related topics
-- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
similarity index 62%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
index 59f19f11c9..16fc08a832 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Configure local overrides for Windows Defender AV settings
-description: Enable or disable users from locally changing settings in Windows Defender AV.
+title: Configure local overrides for Microsoft Defender AV settings
+description: Enable or disable users from locally changing settings in Microsoft Defender AV.
keywords: local override, local policy, group policy, gpo, lockdown,merge, lists
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -17,21 +17,21 @@ ms.reviewer:
manager: dansimp
---
-# Prevent or allow users to locally modify Windows Defender Antivirus policy settings
+# Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-By default, Windows Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
+By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
For example, it may be necessary to allow certain user groups (such as security researchers and threat investigators) further control over individual settings on the endpoints they use.
-## Configure local overrides for Windows Defender Antivirus settings
+## Configure local overrides for Microsoft Defender Antivirus settings
The default setting for these policies is **Disabled**.
-If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Security](windows-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate).
+If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Security](microsoft-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate).
The following table lists each of the override policy setting and the configuration instructions for the associated feature or setting.
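Review bot: the `+By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy Object` paragraph and the example about allowing "certain user groups (such as security researchers and threat investigators)" read as if the override can be granted per user group, but the policies listed later in this file live under **Computer configuration**, so they apply per machine; suggest stating that the override has to be scoped by targeting the GPO at those users' machines (OU placement or security filtering), not at the users. Also, "PowerShell cmdlets (where appropriate)" in the `+If they are set to **Enabled**` line is vague; either name the cases where PowerShell can change the setting or drop the qualifier.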
@@ -41,7 +41,7 @@ To configure these settings:
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
@@ -49,25 +49,25 @@ To configure these settings:
Location | Setting | Article
---|---|---|---
-MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
-Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
-Scan | Configure local setting override for maximum percentage of CPU utilization | [Configure and run scans](run-scan-windows-defender-antivirus.md)
-Scan | Configure local setting override for schedule scan day | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Configure local setting override for scheduled quick scan time | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Configure local setting override for scheduled scan time | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Configure local setting override for the scan type to use for a scheduled scan | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
+Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for maximum percentage of CPU utilization | [Configure and run scans](run-scan-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for schedule scan day | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for scheduled quick scan time | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for scheduled scan time | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for the scan type to use for a scheduled scan | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
## Configure how locally and globally defined threat remediation and exclusions lists are merged
-You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md), [specified remediation lists](configure-remediation-windows-defender-antivirus.md), and [attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction).
+You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-microsoft-defender-antivirus.md), [specified remediation lists](configure-remediation-microsoft-defender-antivirus.md), and [attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction).
By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence.
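Review bot: the unchanged separator row `---|---|---|---` under `Location | Setting | Article` declares four columns for a three-column header, which some Markdown renderers mis-render; trim it to three columns while this hunk is already rewriting every data row of the table. The `+MAPS | Configure local setting override` through `+Scan | ... scheduled scan` rows are link-only changes and look fine.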
@@ -79,7 +79,7 @@ You can disable this setting to ensure that only globally-defined lists (such as
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus**.
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus**.
4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Disabled**. Click **OK**.
@@ -88,5 +88,5 @@ You can disable this setting to ensure that only globally-defined lists (such as
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
new file mode 100644
index 0000000000..3f6f29e47b
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
@@ -0,0 +1,49 @@
+---
+title: Configure Microsoft Defender Antivirus features
+description: You can configure Microsoft Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell.
+keywords: Microsoft Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 09/03/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Configure Microsoft Defender Antivirus features
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+You can configure Microsoft Defender Antivirus with a number of tools, including:
+
+- Microsoft Intune
+- Microsoft Endpoint Configuration Manager
+- Group Policy
+- PowerShell cmdlets
+- Windows Management Instrumentation (WMI)
+
+The following broad categories of features can be configured:
+
+- Cloud-delivered protection
+- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
+- How end-users interact with the client on individual endpoints
+
+The topics in this section describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools).
+
+You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help.
+
+## In this section
+Topic | Description
+:---|:---
+[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
+[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection
+[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)|Configure how end-users interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings
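Review bot: the front matter of this new file declares `+ms.pagetype: security` twice (once after `search.product` and again after `ms.sitesec`), which is a duplicate YAML key; remove one. `+ms.date: 09/03/2018` on a file added in this PR looks copied from the old page rather than set for the new content, and `+ms.reviewer:` is empty; fill them in or confirm the build tolerates both.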
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
similarity index 55%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
index 69f56da605..db0d9fed09 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Configure and validate Windows Defender Antivirus network connections
-description: Configure and test your connection to the Windows Defender Antivirus cloud protection service.
-keywords: antivirus, windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
+title: Configure and validate Microsoft Defender Antivirus network connections
+description: Configure and test your connection to the Microsoft Defender Antivirus cloud protection service.
+keywords: antivirus, Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -17,13 +17,13 @@ ms.reviewer:
manager: dansimp
---
-# Configure and validate Windows Defender Antivirus network connections
+# Configure and validate Microsoft Defender Antivirus network connections
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
+To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services.
@@ -36,14 +36,14 @@ See the blog post [Important changes to Microsoft Active Protection Services end
>- Fast learning (including block at first sight)
>- Potentially unwanted application blocking
-## Allow connections to the Windows Defender Antivirus cloud service
+## Allow connections to the Microsoft Defender Antivirus cloud service
-The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
+The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
>[!NOTE]
->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+>The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
-See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
+See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
@@ -52,34 +52,34 @@ Because your protection is a cloud service, computers must have access to the in
| **Service**| **Description** |**URL** |
| :--: | :-- | :-- |
-| Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Windows Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` `*.wdcpalt.microsoft.com` `*.wd.microsoft.com`|
+| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` `*.wdcpalt.microsoft.com` `*.wd.microsoft.com`|
| Microsoft Update Service (MU)| Security intelligence and product updates |`*.update.microsoft.com`|
-|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`|
+|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`|
| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net` `ussus1westprod.blob.core.windows.net` `usseu1northprod.blob.core.windows.net` `usseu1westprod.blob.core.windows.net` `ussuk1southprod.blob.core.windows.net` `ussuk1westprod.blob.core.windows.net` `ussas1eastprod.blob.core.windows.net` `ussas1southeastprod.blob.core.windows.net` `ussau1eastprod.blob.core.windows.net` `ussau1southeastprod.blob.core.windows.net` |
| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/` `https://www.microsoft.com/pkiops/certs` `https://crl.microsoft.com/pki/crl/products` `https://www.microsoft.com/pki/certs` |
-| Symbol Store|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
-| Universal Telemetry Client| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com` `settings-win.data.microsoft.com`|
+| Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
+| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com` `settings-win.data.microsoft.com`|
## Validate connections between your network and the cloud
-After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected.
+After whitelisting the URLs listed above, you can test if you are connected to the Microsoft Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected.
**Use the cmdline tool to validate cloud-delivered protection:**
-Use the following argument with the Windows Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Windows Defender Antivirus cloud service:
+Use the following argument with the Microsoft Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:
-```DOS
+```console
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
```
> [!NOTE]
> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher.
-For more information, see [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md).
+For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-microsoft-defender-antivirus.md).
**Attempt to download a fake malware file from Microsoft:**
-You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected to the cloud.
+You can download a sample file that Microsoft Defender Antivirus will detect and block if you are properly connected to the cloud.
Download the file by visiting the following link:
- https://aka.ms/ioavtest
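Review bot: The + line "After whitelisting the URLs listed above, you can test if you are connected to the Microsoft Defender Antivirus cloud service..." keeps the term "whitelisting" while only the product name is renamed; since this pass already rewrites the sentence, "After allowing the URLs listed above" would match the wording used elsewhere in current Microsoft docs. The fence change from ```DOS to ```console for the `-ValidateMapsConnection` block is fine, but make sure the same change is applied to every MpCmdRun example in this patch so the fence language is consistent.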
@@ -87,9 +87,7 @@ Download the file by visiting the following link:
>[!NOTE]
>This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.
-If you are properly connected, you will see a warning Windows Defender Antivirus notification:
-
-
+If you are properly connected, you will see a warning Microsoft Defender Antivirus notification.
If you are using Microsoft Edge, you'll also see a notification message:
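Review bot: Dropping the screenshot after "you will see a warning Microsoft Defender Antivirus notification." leaves the reader with no description of what a successful test looks like, so this validation step is weaker than before the change; either keep an image with alt text or state in the sentence what the notification shows (for example the threat name that is displayed) so the result can still be confirmed.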
@@ -97,7 +95,7 @@ If you are using Microsoft Edge, you'll also see a notification message:
A similar message occurs if you are using Internet Explorer:
-
+
You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app:
@@ -107,24 +105,22 @@ You will also see a detection under **Quarantined threats** in the **Scan histor

-3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware:
+3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware.
- 
+ > [!NOTE]
+ > Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md).
->[!NOTE]
->Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md).
-
-The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md).
+ The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-microsoft-defender-antivirus.md).
>[!IMPORTANT]
>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity.
## Related articles
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
-- [Run an Windows Defender Antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md)
+- [Run an Microsoft Defender Antivirus scan from the command line](command-line-arguments-microsoft-defender-antivirus.md) and [Command line arguments](command-line-arguments-microsoft-defender-antivirus.md)
- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006)
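Review bot: Grammar in the Related articles + line: "Run an Microsoft Defender Antivirus scan from the command line" should read "Run a Microsoft Defender Antivirus scan" (the original "an Windows" was already wrong and the rename carried it over). Also, the event-log sentence is now indented under step 3 ("The Windows event log will also show [Windows Defender client event ID 2050]..."), which makes it part of that step rather than a standalone statement about the test; confirm the indent is intended. Keeping "Windows Defender client event ID 2050" in the link text is correct only if that is the literal event source name, so it should not be renamed along with the product.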
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
similarity index 83%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
index ef9bf3607a..57a0ea6f0e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Configure Windows Defender Antivirus notifications
-description: Configure and customize Windows Defender Antivirus notifications.
+title: Configure Microsoft Defender Antivirus notifications
+description: Configure and customize Microsoft Defender Antivirus notifications.
keywords: notifications, defender, antivirus, endpoint, management, admin
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -31,7 +31,7 @@ You can also configure how standard notifications appear on endpoints, such as n
## Configure the additional notifications that appear on endpoints
-You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](windows-defender-security-center-antivirus.md) and with Group Policy.
+You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](microsoft-defender-security-center-antivirus.md) and with Group Policy.
> [!NOTE]
> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**.
@@ -59,7 +59,7 @@ You can configure the display of additional notifications, such as recent threat
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**.
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Reporting**.
5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
@@ -71,7 +71,7 @@ You can use Group Policy to:
- Hide all notifications on endpoints
- Hide reboot notifications on endpoints
-Hiding notifications can be useful in situations where you can't hide the entire Windows Defender Antivirus interface. See [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information.
+Hiding notifications can be useful in situations where you can't hide the entire Microsoft Defender Antivirus interface. See [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) for more information.
> [!NOTE]
> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
@@ -84,7 +84,7 @@ See [Customize the Windows Security app for your organization](../windows-defend
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
@@ -96,11 +96,11 @@ See [Customize the Windows Security app for your organization](../windows-defend
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
similarity index 69%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
index 1b19f98ccd..ffe624dd8e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
title: Configure exclusions for files opened by specific processes
description: You can exclude files from scans if they have been opened by a specific process.
-keywords: Windows Defender Antivirus, process, exclusion, files, scans
+keywords: Microsoft Defender Antivirus, process, exclusion, files, scans
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -22,7 +22,7 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans.
+You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans.
This topic describes how to configure exclusion lists for the following:
@@ -34,11 +34,11 @@ Any file on the machine that is opened by any process with a specific file name
Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:
c:\test\sample\test.exe
c:\test\sample\test2.exe
c:\test\sample\utility.exe
Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe
-When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md).
+When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
-The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They don't apply to scheduled or on-demand scans.
+The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). They don't apply to scheduled or on-demand scans.
-Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists.
+Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists.
You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
@@ -46,7 +46,7 @@ You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#
By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
-You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
+You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
## Configure the list of exclusions for files opened by specified processes
@@ -54,7 +54,7 @@ You can [configure how locally and globally defined exclusions lists are merged]
### Use Microsoft Intune to exclude files that have been opened by specified processes from scans
-See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
+See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
### Use Microsoft Endpoint Configuration Manager to exclude files that have been opened by specified processes from scans
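Review bot: The Intune link's fragment was renamed from `#windows-defender-antivirus` to `#microsoft-defender-antivirus`, but https://docs.microsoft.com/intune/device-restrictions-windows-10 is outside this repository, so the new anchor only resolves if that page's heading has also been renamed; verify the target anchor exists before merging, or drop the fragment and link to the page itself.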
@@ -66,7 +66,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
4. Double-click **Process Exclusions** and add the exclusions:
@@ -101,13 +101,13 @@ Remove items from the list | `Remove-MpPreference`
>[!IMPORTANT]
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
-For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the specified process:
+For example, the following code snippet would cause Microsoft Defender AV scans to exclude any file that is opened by the specified process:
```PowerShell
Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
```
-See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Microsoft Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans
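Review bot: The + line's link target `use-powershell-cmdlets-windows-defender-Microsoft Defender Antivirus.md` is not a valid file name (it contains spaces and mixes the old and new prefixes), so the rename preserves a broken link; it should be `use-powershell-cmdlets-microsoft-defender-antivirus.md`, which is the path this same file uses further down under "Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell". Separately, the context heading "Use Windows Management Instruction (WMI)" should read "Windows Management Instrumentation (WMI)", as the protection-features file in this patch spells it.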
@@ -127,7 +127,7 @@ See the following for more information and allowed parameters:
### Use the Windows Security app to exclude files that have been opened by specified processes from scans
-See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
+See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions) for instructions.
@@ -149,26 +149,26 @@ Environment variables | The defined variable will be populated as a path when th
## Review the list of exclusions
-You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
+You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
If you use PowerShell, you can retrieve the list in two ways:
-- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
+- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
### Validate the exclusion list by using MpCmdRun
-To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
+To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
```DOS
MpCmdRun.exe -CheckExclusion -path
```
>[!NOTE]
->Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
+>Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
-### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
+### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
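Review bot: The command-line tool link in the + line carries the preview query string `?branch=v-anbic-wdav-new-mpcmdrun-options`; that branch parameter should be removed before publishing, since it points readers at an unpublished build of the page rather than the live article. In the same hunk the fence stays ```DOS while the `-ValidateMapsConnection` block earlier in this patch was changed to ```console; use one fence language across the set. The example `MpCmdRun.exe -CheckExclusion -path` also shows `-path` with no value; adding a clearly marked placeholder such as `-path <path to check>` would make the syntax unambiguous.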
@@ -176,7 +176,7 @@ Use the following cmdlet:
Get-MpPreference
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
### Retrieve a specific exclusions list by using PowerShell
@@ -187,12 +187,12 @@ $WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
## Related articles
-- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
-- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
-- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
+- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
similarity index 51%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
index 8e6f966e08..2f09169a15 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Enable and configure Windows Defender Antivirus protection features
-description: Enable behavior-based, heuristic, and real-time protection in Windows Defender AV.
-keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, windows defender antivirus, antimalware, security, defender
+title: Enable and configure Microsoft Defender Antivirus protection features
+description: Enable behavior-based, heuristic, and real-time protection in Microsoft Defender AV.
+keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, Microsoft Defender Antivirus, antimalware, security, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -23,21 +23,21 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus uses several methods to provide threat protection:
+Microsoft Defender Antivirus uses several methods to provide threat protection:
- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection")
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
-You can configure how Windows Defender Antivirus uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
+You can configure how Microsoft Defender Antivirus uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
-See [Use next-gen Windows Defender Antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for how to enable and configure Windows Defender Antivirus cloud-delivered protection.
+See [Use next-gen Microsoft Defender Antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for how to enable and configure Microsoft Defender Antivirus cloud-delivered protection.
## In this section
Topic | Description
---|---
-[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
-[Enable and configure Windows Defender Antivirus protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on Windows Defender Antivirus monitoring features
+[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
+[Enable and configure Microsoft Defender Antivirus protection capabilities](configure-real-time-protection-microsoft-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on Microsoft Defender Antivirus monitoring features
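Review bot: The + line "with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI)" keeps the typo "Manage" (missing the trailing r) and the old product name; the other files in this patch use "Microsoft Endpoint Configuration Manager", so update both here while the line is being touched.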
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..727463b3d6
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
@@ -0,0 +1,133 @@
+---
+title: Enable and configure Microsoft Defender Antivirus protection capabilities
+description: Enable and configure Microsoft Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning
+keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.date: 12/16/2019
+ms.reviewer:
+manager: dansimp
+ms.custom: nextgen
+---
+
+# Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
+
+These activities include events, such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure.
+
+## Enable and configure always-on protection in Group Policy
+
+You can use **Local Group Policy Editor** to enable and configure Microsoft Defender Antivirus always-on protection settings.
+
+To enable and configure always-on protection:
+
+1. Open **Local Group Policy Editor**. To do this:
+
+ 1. In your Windows 10 taskbar search box, type **gpedit**.
+
+ 1. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
+
+ 
+
+2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
+
+3. Configure the Microsoft Defender Antivirus antimalware service policy settings. To do this:
+
+ 1. In the **Microsoft Defender Antivirus** details pane on right, double-click the policy setting as specified in the following table:
+
+ | Setting | Description | Default setting |
+ |-----------------------------|------------------------|-------------------------------|
+ | Allow antimalware service to startup with normal priority | You can lower the priority of the Microsoft Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
+ | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Microsoft Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled |
+
+ 1. Configure the setting as appropriate, and click **OK**.
+
+ 1. Repeat the previous steps for each setting in the table.
+
+4. Configure the Microsoft Defender Antivirus real-time protection policy settings. To do this:
+
+ 1. In the **Microsoft Defender Antivirus** details pane, double-click **Real-time Protection**. Or, from the **Microsoft Defender Antivirus** tree on left pane, click **Real-time Protection**.
+
+ 1. In the **Real-time Protection** details pane on right, double-click the policy setting as specified in the following table:
+
+ | Setting | Description | Default setting |
+ |-----------------------------|------------------------|-------------------------------|
+ | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity. | Enabled |
+ | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading. | Enabled |
+ | Monitor file and program activity on your computer | The Microsoft Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run). | Enabled |
+ | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring. | Enabled |
+ | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled. | Enabled |
+ | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes. | Enabled |
+ | Configure local setting override for turn on behavior monitoring | Configure a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
+ | Configure local setting override for scanning all downloaded files and attachments | Configure a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
+ | Configure local setting override for monitoring file and program activity on your computer | Configure a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
+ | Configure local setting override to turn on real-time protection | Configure a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
+ | Configure local setting override for monitoring for incoming and outgoing file activity | Configure a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. | Enabled |
+ | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions) |
+
+ 1. Configure the setting as appropriate, and click **OK**.
+
+ 1. Repeat the previous steps for each setting in the table.
+
+5. Configure the Microsoft Defender Antivirus scanning policy setting. To do this:
+
+ 1. From the **Microsoft Defender Antivirus** tree on left pane, click **Scan**.
+
+ 
+
+ 1. In the **Scan** details pane on right, double-click the policy setting as specified in the following table:
+
+ | Setting | Description | Default setting |
+ |-----------------------------|------------------------|-------------------------------|
+ | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Microsoft Defender Antivirus engine is asked to detect the activity. | Enabled |
+
+ 1. Configure the setting as appropriate, and click **OK**.
+
+6. Close **Local Group Policy Editor**.
+
+
+## Disable real-time protection in Group Policy
+
+> [!WARNING]
+> Disabling real-time protection drastically reduces the protection on your endpoints and is not recommended.
+
+The main real-time protection capability is enabled by default, but you can disable it by using **Local Group Policy Editor**.
+
+To disable real-time protection in Group policy:
+
+1. Open **Local Group Policy Editor**.
+
+ 1. In your Windows 10 taskbar search box, type **gpedit**.
+
+ 1. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
+
+2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Real-time Protection**.
+
+3. In the **Real-time Protection** details pane on right, double-click **Turn off real-time protection**.
+
+ 
+
+4. In the **Turn off real-time protection** setting window, set the option to **Enabled**.
+
+ 
+
+5. Click **OK**.
+
+6. Close **Local Group Policy Editor**.
+
+## Related articles
+
+- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
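Review bot: the first row of the antimalware service table is missing its closing pipe: `| Allow antimalware service to startup with normal priority | ... | Enabled` ends without a trailing `|`, unlike the row beneath it, so the last cell can render inconsistently; add the closing `|`. In the real-time protection table, the description of "Turn on process scanning whenever real-time protection is enabled" says it is "useful if you have temporarily disabled real-time protection", which contradicts the setting's own name; confirm the intended behaviour before publishing. The hunk also contains several whitespace-only lines inside the numbered steps (after "click **Edit group policy**", after "click **Scan**", and after steps 3 and 4 of the disable procedure); if those were image references, restore them, otherwise drop the empty lines so the list numbering does not break.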
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..f8ac6071ef
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
@@ -0,0 +1,72 @@
+---
+title: Remediate and resolve infections detected by Microsoft Defender Antivirus
+description: Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
+keywords: remediation, fix, remove, threats, quarantine, scan, restore
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 09/03/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Configure remediation for Microsoft Defender Antivirus scans
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+When Microsoft Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Microsoft Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
+
+This topic describes how to configure these settings with Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+
+You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) to configure these settings.
+
+## Configure remediation options
+
+You can configure how remediation works with the Group Policy settings described in this section.
+
+To configure these settings:
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
+
+4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled
+Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days
+Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
+Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
+Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
+Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
+
+> [!IMPORTANT]
+> Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
+>
+> If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Microsoft Defender Antivirus](restore-quarantined-files-microsoft-defender-antivirus.md).
+>
+> To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md).
+
+Also see [Configure remediation-required scheduled full Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md#remed) for more remediation-related settings.
+
+## Related topics
+
+- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
+- [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+- [Configure end-user Microsoft Defender Antivirus interaction](configure-end-user-interaction-microsoft-defender-antivirus.md)
+- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
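Review bot: the front matter declares `ms.pagetype: security` twice (once after `search.product`, again after `ms.sitesec`); duplicate YAML keys are either rejected or silently overwritten depending on the parser, so remove the second occurrence. `ms.reviewer:` is also left empty; either fill it in or drop the key for consistency with the other new files.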
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
similarity index 85%
rename from windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
index 97a45e8794..66adf9c4d6 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
@@ -1,9 +1,9 @@
---
-title: Configure Windows Defender Antivirus exclusions on Windows Server 2016 or 2019
+title: Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019
ms.reviewer:
manager: dansimp
description: Windows Servers 2016 and 2019 include automatic exclusions, based on server role. You can also add custom exclusions.
-keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Windows Defender Antivirus
+keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -16,20 +16,20 @@ ms.author: deniseb
ms.custom: nextgen
---
-# Configure Windows Defender Antivirus exclusions on Windows Server
+# Configure Microsoft Defender Antivirus exclusions on Windows Server
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
+Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
> [!NOTE]
> Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
In addition to server role-defined automatic exclusions, you can add or remove custom exclusions. To do that, refer to these articles:
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
## A few points to keep in mind
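Review bot: the rebranded paragraph now links to `microsoft-defender-security-center-antivirus.md#exclusions`, and the two bullets below it to `configure-extension-file-exclusions-microsoft-defender-antivirus.md` and `configure-process-opened-file-exclusions-microsoft-defender-antivirus.md`; none of those files is renamed in the hunks shown here, so confirm the renames land in the same change or these relative links break on publish.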
@@ -39,7 +39,7 @@ In addition to server role-defined automatic exclusions, you can add or remove c
- Custom and duplicate exclusions do not conflict with automatic exclusions.
-- Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
+- Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
## Opt out of automatic exclusions
@@ -48,7 +48,7 @@ In Windows Server 2016 and 2019, the predefined exclusions delivered by Security
> [!WARNING]
> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles.
-Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-windows-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
+Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
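Review bot: since this sentence is rewritten anyway, fix the stray space before the full stop in `...folder-name-or-file-extension) .` and replace the non-descriptive link text "here" with the target article's title. The NTDS/SYSVOL relocation caveat is the one most likely to bite domain controller admins, and a descriptive link makes it easier to find and to audit when the target is renamed again.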
@@ -58,7 +58,7 @@ You can disable the automatic exclusion lists with Group Policy, PowerShell cmdl
2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Exclusions**.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**.
@@ -70,9 +70,9 @@ Use the following cmdlets:
Set-MpPreference -DisableAutoExclusions $true
```
-[Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md).
+[Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md).
-[Use PowerShell with Windows Defender Antivirus](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
+[Use PowerShell with Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019
@@ -168,7 +168,7 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
> [!NOTE]
- > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions).
+ > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus#opt-out-of-automatic-exclusions).
- *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
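Review bot: this note links to a section of the same article (`## Opt out of automatic exclusions` is a heading in this file) through an absolute `docs.microsoft.com` URL; use the in-page anchor `[Opt out of automatic exclusions](#opt-out-of-automatic-exclusions)` instead, so the link works in preview builds and survives the next rename without another edit.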
@@ -284,8 +284,6 @@ The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\
- %windir%\Ntds\Ntds*.pat
-- %windir%\Ntds\EDB*.log
-
- %windir%\Ntds\TEMP.edb
#### The NTDS working folder
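Review bot: this hunk silently drops `- %windir%\Ntds\EDB*.log` from the NTDS transaction-log exclusion list in what is otherwise a rename and rebrand change. Removing an entry from the documented automatic exclusions changes what administrators expect the product to skip on domain controllers; if the built-in list no longer contains that pattern, state that in the PR description (ideally as its own commit), and if it still does, restore the line.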
@@ -402,12 +400,12 @@ This section lists the folder exclusions that are delivered automatically when y
## Related articles
-- [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..0a108f47da
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
@@ -0,0 +1,37 @@
+---
+title: Run and customize scheduled and on-demand scans
+description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
+keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 09/03/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.
+
+## In this section
+
+Topic | Description
+---|---
+[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
+[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
+[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
+[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
+[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
+[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
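Review bot: the front matter declares `ms.pagetype: security` twice (after `search.product` and after `ms.sitesec`); drop the second occurrence, as duplicate YAML keys are rejected or silently overwritten by parsers.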
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
new file mode 100644
index 0000000000..0a108f47da
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -0,0 +1,37 @@
+---
+title: Run and customize scheduled and on-demand scans
+description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
+keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 09/03/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.
+
+## In this section
+
+Topic | Description
+---|---
+[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
+[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
+[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
+[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
+[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
+[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
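Review bot: this file is a byte-for-byte duplicate of `customize-run-review-remediate-scans-microsoft-defender-antivirus.md` added just above (both hunks carry the same blob index `0a108f47da`), but keeps the old `windows-defender-antivirus` file name inside the new `microsoft-defender-antivirus` folder. Remove it rather than publishing two identical pages; if the old name must keep resolving, handle that with a redirect rather than a copy.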
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
similarity index 62%
rename from windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
index faaa2c10dd..b9406da6f4 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Deploy, manage, and report on Windows Defender Antivirus
-description: You can deploy and manage Windows Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI
-keywords: deploy, manage, update, protection, windows defender antivirus
+title: Deploy, manage, and report on Microsoft Defender Antivirus
+description: You can deploy and manage Microsoft Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI
+keywords: deploy, manage, update, protection, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -17,40 +17,40 @@ ms.reviewer:
manager: dansimp
---
-# Deploy, manage, and report on Windows Defender Antivirus
+# Deploy, manage, and report on Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can deploy, manage, and report on Windows Defender Antivirus in a number of ways.
+You can deploy, manage, and report on Microsoft Defender Antivirus in a number of ways.
-Because the Windows Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
+Because the Microsoft Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table.
You'll also see additional links for:
-- Managing Windows Defender Antivirus protection, including managing product and protection updates
-- Reporting on Windows Defender Antivirus protection
+- Managing Microsoft Defender Antivirus protection, including managing product and protection updates
+- Reporting on Microsoft Defender Antivirus protection
> [!IMPORTANT]
-> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Windows Defender Antivirus.
+> In most cases, Windows 10 will disable Microsoft Defender Antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before Microsoft Defender Antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Microsoft Defender Antivirus.
Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
---|---|---|---
Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management)
Microsoft Endpoint Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
-Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
+Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Microsoft Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][]
Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
-Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
+Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD.
-1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
+1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
-2. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)
+2. In Windows 10, Microsoft Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](microsoft-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Microsoft Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)
-3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
+3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Microsoft Defender Antivirus features](configure-notifications-microsoft-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
[Endpoint Protection point site system role]: https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-protection-site-role
[default and customized antimalware policies]: https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies
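Review bot: on the `+` Group Policy row, the second link label `[Configure Windows Defender features][]` keeps the old product name while the neighbouring `[Configure update options for Microsoft Defender Antivirus][]` is renamed in the same edit. Either rename both labels (and the matching reference definition in the same commit, otherwise the reference-style link stops resolving) or leave both alone; a half-renamed row reads as an oversight in a PR whose purpose is the rename.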
@@ -70,16 +70,16 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by
[Set-MpPreference]: https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference.md
[Update-MpSignature]: https://technet.microsoft.com/itpro/powershell/windows/defender/update-mpsignature
[Get- cmdlets available in the Defender module]: https://technet.microsoft.com/itpro/powershell/windows/defender/index
-[Configure update options for Windows Defender Antivirus]: manage-updates-baselines-windows-defender-antivirus.md
-[Configure Windows Defender features]: configure-windows-defender-antivirus-features.md
+[Configure update options for Microsoft Defender Antivirus]: manage-updates-baselines-microsoft-defender-antivirus.md
+[Configure Windows Defender features]: configure-microsoft-defender-antivirus-features.md
[Group Policies to determine if any settings or policies are not applied]: https://technet.microsoft.com/library/cc771389.aspx
[Possibly infected devices]: https://docs.microsoft.com/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices
-[Windows Defender Antivirus events]: troubleshoot-windows-defender-antivirus.md
+[Microsoft Defender Antivirus events]: troubleshoot-microsoft-defender-antivirus.md
## In this section
Topic | Description
---|---
-[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects.
-[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI.
-[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection.
+[Deploy and enable Microsoft Defender Antivirus protection](deploy-microsoft-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects.
+[Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) | There are two parts to updating Microsoft Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI.
+[Monitor and report on Microsoft Defender Antivirus protection](report-monitor-microsoft-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection.
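Review bot: the reference definition `[Configure Windows Defender features]` now points at `configure-microsoft-defender-antivirus-features.md` but keeps its old label, which only works because the label is also left unchanged in the table above; note that dependency so a later label rename updates both. While this file is open, the unchanged context line `[Set-MpPreference]: https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference.md` ends in `.md` unlike the sibling `[Update-MpSignature]` entry and looks like a copy error worth fixing.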
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..6e0bb71ecc
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
@@ -0,0 +1,38 @@
+---
+title: Deploy and enable Microsoft Defender Antivirus
+description: Deploy Microsoft Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI.
+keywords: deploy, enable, Microsoft Defender Antivirus
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 09/03/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Deploy and enable Microsoft Defender Antivirus
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Depending on the management tool you are using, you may need to specifically enable or configure Microsoft Defender Antivirus protection.
+
+See the table in [Deploy, manage, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI).
+
+Some scenarios require additional guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
+
+The remaining topic in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md).
+
+## Related topics
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md)
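Review bot: the new file's front matter declares `ms.pagetype: security` twice (once after `search.product`, again after `ms.sitesec`); drop the duplicate key. In the paragraph beginning "See the table in", "Windows Management Instruction (WMI)" should read "Windows Management Instrumentation (WMI)", matching the table it links to. Also confirm that `ms.date: 09/03/2018` is intended on a file being added now rather than a value carried over from the source page.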
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
similarity index 84%
rename from windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
index ad266974fa..a906762b9a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Antivirus Virtual Desktop Infrastructure deployment guide
-description: Learn how to deploy Windows Defender Antivirus in a virtual desktop environment for the best balance between protection and performance.
+title: Microsoft Defender Antivirus Virtual Desktop Infrastructure deployment guide
+description: Learn how to deploy Microsoft Defender Antivirus in a virtual desktop environment for the best balance between protection and performance.
keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
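Review bot: the unchanged `keywords:` context line still lists "windows defender" while the `+` title and description lines have been renamed; add "Microsoft Defender Antivirus" to the keywords so the page's search metadata matches its new title.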
@@ -17,13 +17,13 @@ ms.reviewer:
manager: dansimp
---
-# Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
+# Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
+In addition to standard on-premises or hardware configurations, you can also use Microsoft Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support.
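Review bot: on the `+` line, "remote desktop (RDS)" expands the acronym incorrectly; write "Remote Desktop Services (RDS)", which is the wording the following context line already uses.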
@@ -41,10 +41,10 @@ This guide describes how to configure your VMs for optimal protection and perfor
- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
- [Apply exclusions](#exclusions)
-You can also download the whitepaper [Windows Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf), which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI.
+You can also download the whitepaper [Microsoft Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf), which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI.
> [!IMPORTANT]
-> Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows. There are performance and feature improvements to the way in which Windows Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
+> Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows. There are performance and feature improvements to the way in which Microsoft Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
### Set up a dedicated VDI file share
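Review bot: the `+` IMPORTANT line uses the shorthand "Microsoft Defender AV" while the rest of the file uses "Microsoft Defender Antivirus"; pick one form. "Windows 10, 1607 at a minimum" should read "Windows 10, version 1607 at a minimum", consistent with "Windows 10 1607" at the end of the same note. The whitepaper link title is renamed but its URL (`wdav-testing-vdi-ssu.pdf`) is not, which is fine as long as the linked PDF itself is the document the new title describes.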
@@ -116,7 +116,7 @@ The profile will now be deployed to the impacted devices. This may take some tim
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Security Intelligence Updates**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.
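Review bot: the `+` step rewrites a Group Policy tree path, but that path is the label of an ADMX node shown in the editor, not documentation text. This guide states Windows 10 1607 as the minimum supported build, and the templates shipped with older builds label the node "Windows Defender Antivirus", so the renamed path may not match what admins see. Verify the label on the oldest supported template and, if it differs, show both names in the step.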
@@ -192,11 +192,11 @@ If you would prefer to do everything manually, this what you would need to do to
### Randomize scheduled scans
-Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md).
+Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md).
-The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Windows Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan.
+The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Microsoft Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan.
-See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans.
+See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) for other configuration options available for scheduled scans.
### Use quick scans
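Review bot: on the `+` randomization line, "a 4 hour window" should be hyphenated as "a 4-hour window", and "Microsoft Defender AV" should match the "Microsoft Defender Antivirus" used in the surrounding headings. The sentence lists ScheduleDay, ScheduleTime and ScheduleQuickScanTime without saying what they are; a short clause identifying them as scheduled-scan settings would help readers who have not seen the scheduling topic linked on the next line.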
@@ -211,7 +211,7 @@ Quick scans are the preferred approach as they are designed to look in all place
### Prevent notifications
-Sometimes, Windows Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Windows Defender Antivirus user interface.
+Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Microsoft Defender Antivirus user interface.
1. Expand the tree to **Windows components > Windows Defender > Client Interface**.
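Review bot: the `+` line carries over the pre-existing grammar error "you can use the lock down the Microsoft Defender Antivirus user interface"; since the line is being touched anyway, make it "you can lock down the Microsoft Defender Antivirus user interface". The following context step still reads **Windows components > Windows Defender > Client Interface**, so this file now mixes renamed and un-renamed Group Policy paths; decide on one approach for UI paths across the PR.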
@@ -219,7 +219,7 @@ Sometimes, Windows Defender Antivirus notifications may be sent to or persist ac
3. Click **OK**.
-This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed.
+This prevents notifications from Microsoft Defender AV appearing in the action center on Windows 10 when scans or remediation is performed.
### Disable scans after an update
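Review bot: on the `+` line, "when scans or remediation is performed" has a plural subject and should read "when scans or remediation are performed"; also align "Microsoft Defender AV" with the full product name used elsewhere in this file.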
@@ -253,11 +253,11 @@ This forces a scan if the VM has missed two or more consecutive scheduled scans.
2. Click **OK**.
-This hides the entire Windows Defender AV user interface from users.
+This hides the entire Microsoft Defender AV user interface from users.
### Exclusions
-On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, see [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus).
+On Windows Server 2016, Microsoft Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus).
## Additional resources
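Review bot: the `+` Exclusions line rewrites an absolute `https://docs.microsoft.com/...` URL to the new `microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus` path, whereas every other link in this file is relative (for example `configure-real-time-protection-microsoft-defender-antivirus.md`). Use the relative form `configure-server-exclusions-microsoft-defender-antivirus.md` so the build validates the link against the renamed files in this PR instead of depending on the published site being updated first.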
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
similarity index 77%
rename from windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
index 3fb436099a..3345190e01 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Block potentially unwanted applications with Windows Defender Antivirus
+title: Block potentially unwanted applications with Microsoft Defender Antivirus
description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware.
-keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Windows Defender Antivirus
+keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -41,7 +41,7 @@ Potentially unwanted applications can increase the risk of your network being in
### Microsoft Edge
-The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
+The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md).
#### Enable PUA protection in Chromium-based Microsoft Edge
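Review bot: the `+` line changes the link target to `../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md`, but no rename of the `windows-defender-smartscreen` directory appears among the visible hunks of this PR; confirm that rename is included, otherwise this link breaks. The link text also becomes "Microsoft Defender SmartScreen" while later text in this file still says "Windows Defender SmartScreen".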
@@ -62,22 +62,22 @@ Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft
Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can
[configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off.
-Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md#create-indicators-for-ips-and-urlsdomains-preview) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings.
+Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings.
-### Windows Defender Antivirus
+### Microsoft Defender Antivirus
-The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network.
+The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network.
> [!NOTE]
> This feature is only available in Windows 10.
-Windows Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine.
+Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine.
-When a PUA file is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content.
+When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content.
-The notification appears in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history).
+The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history).
-#### Configure PUA protection in Windows Defender Antivirus
+#### Configure PUA protection in Microsoft Defender Antivirus
You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets.
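Review bot: the `+` indicators line drops the `#create-indicators-for-ips-and-urlsdomains-preview` anchor, which is correct only if that heading was removed from manage-indicators.md; confirm rather than assume. The same sentence, and the unchanged context line above it, still say "Windows Defender SmartScreen" while the previous hunk renamed the product to "Microsoft Defender SmartScreen"; keep one name within the file. Note also that the notification text "_PUA:_" and the quarantine-list link now point at `microsoft-defender-security-center-antivirus.md#detection-history`, so that renamed file must keep the `detection-history` heading.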
@@ -90,7 +90,7 @@ PUA audit mode is useful if your company is conducting an internal software secu
##### Use Intune to configure PUA protection
-See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
+See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
##### Use Configuration Manager to configure PUA protection
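Review bot: the `+` line rewrites a fragment anchor on an external page (`device-restrictions-windows-10#windows-defender-antivirus` to `#microsoft-defender-antivirus`). The repo build does not validate anchors on other sites, so check that the Intune page actually has a heading with the new id before merging; a stale anchor silently lands readers at the top of the page.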
@@ -101,7 +101,7 @@ See [How to create and deploy antimalware policies: Scheduled scans settings](ht
For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA).
> [!NOTE]
-> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager.
+> PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager.
##### Use Group Policy to configure PUA protection
@@ -109,7 +109,7 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus**.
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus**.
4. Double-click **Configure protection for potentially unwanted applications**.
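Review bot: as with the VDI guide, the `+` step renames the Group Policy tree path **Windows components > Microsoft Defender Antivirus**, which is an ADMX node label rather than prose; verify it matches the templates on the builds this topic supports and show the older label where it differs.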
@@ -142,7 +142,7 @@ Set-MpPreference -PUAProtection disable
```
Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled.
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
#### View PUA events
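Review bot: the hunk header context shows the sample command `Set-MpPreference -PUAProtection disable`, while the sentence that follows explains "Setting the value for this cmdlet to `Disabled`"; the sample and the prose name different values. Align them on the value the cmdlet documentation lists so a copy-pasted command behaves as the text says.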
@@ -150,13 +150,13 @@ PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoi
You can turn on email notifications to receive mail about PUA detections.
-See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID **1160**.
+See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**.
#### Allow-listing apps
-Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus.
+Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Microsoft Defender Antivirus.
## Related articles
-- [Next-generation protection](windows-defender-antivirus-in-windows-10.md)
-- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
+- [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md)
+- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
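Review bot: the relative link targets rewritten in this hunk (troubleshoot-microsoft-defender-antivirus.md, use-powershell-cmdlets-microsoft-defender-antivirus.md, microsoft-defender-antivirus-in-windows-10.md, configure-protection-features-microsoft-defender-antivirus.md) only resolve if the corresponding files are renamed in the same change; the rename entries visible further down cover evaluate-microsoft-defender-antivirus.md and the images, so confirm the remaining targets are renamed too before merging. The "Allow-listing apps" paragraph still sends readers to the System Center 2012 R2 previous-versions page for exclusions; since this is the path an admin follows to carve a file out of PUA protection, consider referencing the current-branch Configuration Manager page alongside it so the exclusion guidance being followed is the one that matches the product.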
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..84f310871d
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
@@ -0,0 +1,147 @@
+---
+title: Enable cloud-delivered protection in Microsoft Defender Antivirus
+description: Enable cloud-delivered protection to benefit from fast and advanced protection features.
+keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.reviewer:
+manager: dansimp
+ms.custom: nextgen
+---
+
+# Enable cloud-delivered protection
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+> [!NOTE]
+> The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+
+
+You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
+
+See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for an overview of Microsoft Defender Antivirus cloud-delivered protection.
+
+There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md) for more details.
+
+> [!NOTE]
+> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect.
+
+## Use Intune to enable cloud-delivered protection
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+2. Select **All services > Intune**.
+3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**.
+5. On the **Cloud-delivered protection** switch, select **Enable**.
+6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**.
+7. In the **Submit samples consent** dropdown, select one of the following:
+
+ - **Send safe samples automatically**
+ - **Send all samples automatically**
+
+ >[!NOTE]
+ > The **Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
+
+ > [!WARNING]
+ > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
+
+8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
+
+For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
+
+## Use Configuration Manager to enable cloud-delivered protection
+
+See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
+
+## Use Group Policy to enable cloud-delivered protection
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Select **Administrative templates**.
+
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > MAPS**
+
+5. Double-click **Join Microsoft MAPS**. Ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**.
+
+6. Double-click **Send file samples when further analysis is required**. Ensure that the option is set to **Enabled** and that the other options are either of the following:
+
+ 1. **Send safe samples** (1)
+ 2. **Send all samples** (3)
+
+ >[!NOTE]
+ > The **Send safe samples** (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
+
+ > [!WARNING]
+ > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
+
+7. Click **OK**.
+
+## Use PowerShell cmdlets to enable cloud-delivered protection
+
+Use the following cmdlets to enable cloud-delivered protection:
+
+```PowerShell
+Set-MpPreference -MAPSReporting Advanced
+Set-MpPreference -SubmitSamplesConsent SendAllSamples
+```
+
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent).
+
+>[!NOTE]
+> You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
+
+>[!WARNING]
+> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
+
+## Use Windows Management Instruction (WMI) to enable cloud-delivered protection
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties:
+
+```WMI
+MAPSReporting
+SubmitSamplesConsent
+```
+
+See the following for more information and allowed parameters:
+
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
+
+## Enable cloud-delivered protection on individual clients with the Windows Security app
+
+> [!NOTE]
+> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
+
+1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
+
+ 
+
+3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
+
+>[!NOTE]
+>If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
+
+## Related topics
+
+- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
+- [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
+- [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md)
+- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)]
+- [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
+- [Utilize Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
+- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
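Review bot: the front matter declares `ms.pagetype: security` twice (once after `search.product`, once after `ms.sitesec`); drop the duplicate, since a repeated YAML key is at best silently overwritten and at worst rejected by the build. Further points in this file: the heading "Use Windows Management Instruction (WMI)" should read "Windows Management Instrumentation"; the fence tagged `WMI` is not a language identifier, `text` is the usual tag for a bare property list; the "Help secure Windows PCs with Endpoint Protection for Microsoft Intune" entry under Related topics has a stray `]` after the closing parenthesis, which renders literally; the "Defender cmdlets" link uses technet.microsoft.com/library/dn433280.aspx here while the PUA article in this same change uses docs.microsoft.com/powershell/module/defender/index, so standardize on one; and step 4 of the Group Policy procedure lacks a terminating period. On substance, the PowerShell example sets `-SubmitSamplesConsent SendAllSamples` while the note beneath it documents `SendSafeSamples` as the default and explains that safe-sample mode still prompts for files likely to contain personal information; stating next to the example that `SendAllSamples` removes that prompt would put the privacy trade-off at the point where the command is copied, rather than two notes later.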
diff --git a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
similarity index 62%
rename from windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
index 6173192baf..1c2dec92b5 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Evaluate Windows Defender Antivirus
-description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Windows Defender Antivirus in Windows 10.
-keywords: windows defender antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection
+title: Evaluate Microsoft Defender Antivirus
+description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Microsoft Defender Antivirus in Windows 10.
+keywords: Microsoft Defender Antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -17,13 +17,13 @@ ms.reviewer:
manager: dansimp
---
-# Evaluate Windows Defender Antivirus
+# Evaluate Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Use this guide to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications.
+Use this guide to determine how well Microsoft Defender Antivirus protects you from viruses, malware, and potentially unwanted applications.
>[!TIP]
>You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
@@ -31,7 +31,7 @@ Use this guide to determine how well Windows Defender Antivirus protects you fro
>- Fast learning (including Block at first sight)
>- Potentially unwanted application blocking
-It explains the important next generation protection features of Windows Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network.
+It explains the important next generation protection features of Microsoft Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network.
You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings.
@@ -44,11 +44,11 @@ You can also download a PowerShell that will enable all the settings described i
- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings)
> [!IMPORTANT]
-> The guide is currently intended for single-machine evaluation of Windows Defender Antivirus. Enabling all of the settings in this guide may not be suitable for real-world deployment.
+> The guide is currently intended for single-machine evaluation of Microsoft Defender Antivirus. Enabling all of the settings in this guide may not be suitable for real-world deployment.
>
-> For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a network, see [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md).
+> For the latest recommendations for real-world deployment and monitoring of Microsoft Defender Antivirus across a network, see [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md).
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
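Review bot: the hunk header's context line reads "You can also download a PowerShell that will enable all the settings"; "PowerShell" is missing its noun ("PowerShell script"), and since the line sits directly above the changed region it is cheap to fix in this commit. The IMPORTANT block correctly warns that the evaluation settings are not suited to real-world deployment; the PowerShell Gallery package keeps the name WindowsDefender_InternalEvaluationSettings, which is fine as a package identifier but worth a short parenthetical so readers do not read the old product name as a sign the script is stale. The rewritten link target deploy-manage-report-microsoft-defender-antivirus.md needs a matching file rename in this change.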
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg b/windows/security/threat-protection/microsoft-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/atp-portal-onboarding-page.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/atp-portal-onboarding-page.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/atp-portal-onboarding-page.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/atp-portal-onboarding-page.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender-updatedefs2.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender-updatedefs2.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender-updatedefs2.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender-updatedefs2.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/client.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/client.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/client.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/client.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/intune-block-at-first-sight.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/intune-block-at-first-sight.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/intune-block-at-first-sight.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/intune-block-at-first-sight.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/notification.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/notification.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/notification.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/notification.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-advanced-settings.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-advanced-settings.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-advanced-settings.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-advanced-settings.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-cloud-protection-service.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-cloud-protection-service.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-cloud-protection-service.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-cloud-protection-service.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-real-time-protection.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-real-time-protection.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-real-time-protection.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-real-time-protection.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-wdo.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-wdo.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-wdo.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-wdo.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-edge.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-bafs-edge.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-edge.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-bafs-edge.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-ie.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-bafs-ie.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-ie.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-bafs-ie.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-extension-exclusions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-extension-exclusions.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-extension-exclusions.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-extension-exclusions.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreat.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-get-mpthreat.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreat.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-get-mpthreat.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1607.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-1607.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1607.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-1607.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1703.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-1703.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1703.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-1703.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-history-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-history-wdsc.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-history-wdsc.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-history-wdsc.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-malware-detected.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-malware-detected.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-malware-detected.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-malware-detected.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-order-update-sources.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-order-update-sources.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-order-update-sources.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-order-update-sources.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-path-exclusions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-path-exclusions.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-path-exclusions.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-path-exclusions.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-process-exclusions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-process-exclusions.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-process-exclusions.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-process-exclusions.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-settings-old.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-settings-old.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-settings-old.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-settings-old.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-wdsc-defs.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-wdsc-defs.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-wdsc.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-wdsc.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-windows-defender-app-old.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-windows-defender-app-old.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-windows-defender-app-old.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-windows-defender-app-old.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-administrative-templates.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-administrative-templates.PNG
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-administrative-templates.PNG
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-administrative-templates.PNG
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-real-time-protection.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-real-time-protection.PNG
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-real-time-protection.PNG
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-real-time-protection.PNG
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-search.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-search.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-search.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-search.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/jamf-onboarding.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/jamf-onboarding.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/jamf-onboarding.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/jamf-onboarding.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-1-registerapp.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-1-registerapp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-1-registerapp.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-1-registerapp.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-10-clientapps.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-10-clientapps.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-10-clientapps.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-10-clientapps.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-11-assignments.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-11-assignments.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-11-assignments.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-11-assignments.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-12-deviceinstall.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-12-deviceinstall.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-12-deviceinstall.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-12-deviceinstall.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-13-systempreferences.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-13-systempreferences.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-13-systempreferences.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-13-systempreferences.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-15-managementprofileconfig.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-15-managementprofileconfig.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-15-managementprofileconfig.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-15-managementprofileconfig.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-16-preferencedomain.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-16-preferencedomain.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-16-preferencedomain.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-16-preferencedomain.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-17-approvedkernelextensions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-17-approvedkernelextensions.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-17-approvedkernelextensions.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-17-approvedkernelextensions.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-18-configurationprofilesscope.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-18-configurationprofilesscope.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-18-configurationprofilesscope.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-18-configurationprofilesscope.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-2-downloadpackages.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-2-downloadpackages.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-2-downloadpackages.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-2-downloadpackages.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-21-mdmprofile1.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-21-mdmprofile1.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-21-mdmprofile1.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-21-mdmprofile1.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-22-mdmprofileapproved.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-22-mdmprofileapproved.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-22-mdmprofileapproved.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-22-mdmprofileapproved.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-23-mdmstatus.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-23-mdmstatus.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-23-mdmstatus.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-23-mdmstatus.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-24-statusonserver.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-24-statusonserver.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-24-statusonserver.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-24-statusonserver.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-25-statusonclient.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-25-statusonclient.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-25-statusonclient.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-25-statusonclient.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-26-uninstall.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-26-uninstall.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-26-uninstall.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-26-uninstall.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-27-uninstallscript.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-27-uninstallscript.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-27-uninstallscript.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-27-uninstallscript.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-28-appinstall.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-28-appinstall.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-28-appinstall.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-28-appinstall.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-29-appinstalllogin.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-29-appinstalllogin.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-29-appinstalllogin.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-29-appinstalllogin.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-30-systemextension.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-30-systemextension.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-30-systemextension.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-30-systemextension.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-31-securityprivacysettings.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-31-securityprivacysettings.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-31-securityprivacysettings.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-31-securityprivacysettings.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-32-main-app-fix.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-32-main-app-fix.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-32-main-app-fix.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-32-main-app-fix.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-34-mau.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-34-mau.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-34-mau.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-34-mau.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-36-rtp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-36-rtp.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-37-exclusions.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-37-exclusions.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-4-managementprofile.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-4-managementprofile.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-4-managementprofile.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-4-managementprofile.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-5-alldevices.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-5-alldevices.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-5-alldevices.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-5-alldevices.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-7-devicestatusblade.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-7-devicestatusblade.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-7-devicestatusblade.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-7-devicestatusblade.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-8-intuneappinfo.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-8-intuneappinfo.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-8-intuneappinfo.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-8-intuneappinfo.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-9-intunepkginfo.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-9-intunepkginfo.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-9-intunepkginfo.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-9-intunepkginfo.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon-bar.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon-bar.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon-bar.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon-bar.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/server-add-gui.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/server-add-gui.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/svg/check-no.svg b/windows/security/threat-protection/microsoft-defender-antivirus/images/svg/check-no.svg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/svg/check-no.svg
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/svg/check-no.svg
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg b/windows/security/threat-protection/microsoft-defender-antivirus/images/svg/check-yes.svg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/svg/check-yes.svg
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperattemptalert.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tamperattemptalert.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/tamperattemptalert.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tamperattemptalert.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tamperprotectionturnedon.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tamperprotectionturnedon.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectsecurityrecos.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tamperprotectsecurityrecos.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectsecurityrecos.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tamperprotectsecurityrecos.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-alert.jpg b/windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-alert.jpg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-alert.jpg
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-alert.jpg
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-huntingquery.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-huntingquery.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-huntingquery.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-huntingquery.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-windowssecurityapp.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-windowssecurityapp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-windowssecurityapp.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-windowssecurityapp.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-consumer.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-consumer.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-consumer.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-consumer.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-enterprise.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-enterprise.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-enterprise.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-enterprise.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-intune.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-intune.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-intune.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-intune.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotection.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotection.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps-lps-on.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps-lps-on.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps-lps.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps-lps.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/vtp-wdav.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-wdav.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/vtp-wdav.png
rename to windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-wdav.png
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..545f77a114
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
@@ -0,0 +1,51 @@
+---
+title: Enable the limited periodic Microsoft Defender Antivirus scanning feature
+description: Limited periodic scanning lets you use Microsoft Defender Antivirus in addition to your other installed AV providers
+keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 09/03/2018
+ms.reviewer:
+manager: dansimp
+---
+
+
+
+# Use limited periodic scanning in Microsoft Defender Antivirus
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.
+
+It can only be enabled in certain situations. For more information about limited periodic scanning and how Microsoft Defender Antivirus works with other antivirus products, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
+
+**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a limited subset of the Microsoft Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.
+
+## How to enable limited periodic scanning
+
+By default, Microsoft Defender Antivirus will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other product is out-of-date, expired, or not working correctly.
+
+If Microsoft Defender Antivirus is enabled, the usual options will appear to configure it on that device:
+
+
+
+If another antivirus product is installed and working correctly, Microsoft Defender Antivirus will disable itself. The Windows Security app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options.
+
+Underneath any third party AV products, a new link will appear as **Microsoft Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning. Note that the limited periodic option is a toggle to enable or disable periodic scanning.
+
+Sliding the switch to **On** will show the standard Microsoft Defender AV options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page.
+
+## Related articles
+
+- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
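Review bot: the sentence "If Microsoft Defender Antivirus is enabled, the usual options will appear to configure it on that device:" ends with a colon but is followed only by blank lines, so whatever it introduces (a screenshot, presumably) is not in the new file; either restore the image reference or end the sentence with a period. Within the same file the product name is inconsistent: "Microsoft Defender AV" in the last paragraph of the procedure versus "Microsoft Defender Antivirus" everywhere else. "Note that the limited periodic option is a toggle to enable or disable periodic scanning" restates the sentence before it and can be dropped, and since the article is being renamed and retitled, `ms.date: 09/03/2018` should be refreshed too.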
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
similarity index 65%
rename from windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
index 20d523d368..c29455e452 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Apply Windows Defender Antivirus updates after certain events
-description: Manage how Windows Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports.
+title: Apply Microsoft Defender Antivirus updates after certain events
+description: Manage how Microsoft Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports.
keywords: updates, protection, force updates, events, startup, check for latest, notifications
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -23,11 +23,11 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
+Microsoft Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
## Check for protection updates before running a scan
-You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan.
+You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Microsoft Defender Antivirus to check and download protection updates before running a scheduled scan.
### Use Configuration Manager to check for protection updates before running a scan
@@ -47,7 +47,7 @@ You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell c
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Scan**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
5. Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**.
@@ -61,7 +61,7 @@ Use the following cmdlets:
Set-MpPreference -CheckForSignaturesBeforeRunningScan
```
-For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index).
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index).
### Use Windows Management Instruction (WMI) to check for protection updates before running a scan
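Review bot: the heading `### Use Windows Management Instruction (WMI) to check for protection updates before running a scan` expands the acronym incorrectly; WMI is Windows Management Instrumentation, and the same wording recurs in every WMI heading in this and the following renamed files, so fix them while the rename is touching these lines. The snippet `Set-MpPreference -CheckForSignaturesBeforeRunningScan` just above also omits the Boolean value the parameter requires; `Set-MpPreference -CheckForSignaturesBeforeRunningScan $true` would be copy-pasteable.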
@@ -75,7 +75,7 @@ For more information, see [Windows Defender WMIv2 APIs](https://docs.microsoft.c
## Check for protection updates on startup
-You can use Group Policy to force Windows Defender Antivirus to check and download protection updates when the machine is started.
+You can use Group Policy to force Microsoft Defender Antivirus to check and download protection updates when the machine is started.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -83,15 +83,15 @@ You can use Group Policy to force Windows Defender Antivirus to check and downlo
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**.
6. Click **OK**.
-You can also use Group Policy, PowerShell, or WMI to configure Windows Defender Antivirus to check for updates at startup even when it is not running.
+You can also use Group Policy, PowerShell, or WMI to configure Microsoft Defender Antivirus to check for updates at startup even when it is not running.
-### Use Group Policy to download updates when Windows Defender Antivirus is not present
+### Use Group Policy to download updates when Microsoft Defender Antivirus is not present
1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -99,13 +99,13 @@ You can also use Group Policy, PowerShell, or WMI to configure Windows Defender
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Security Intelligence Updates**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
5. Double-click **Initiate security intelligence update on startup** and set the option to **Enabled**.
6. Click **OK**.
-### Use PowerShell cmdlets to download updates when Windows Defender Antivirus is not present
+### Use PowerShell cmdlets to download updates when Microsoft Defender Antivirus is not present
Use the following cmdlets:
@@ -113,9 +113,9 @@ Use the following cmdlets:
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
```
-For more information, see [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-### Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present
+### Use Windows Management Instruction (WMI) to download updates when Microsoft Defender Antivirus is not present
Use the [**Set** method of the **MSFT_MpPreference**](https://docs.microsoft.com/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
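Review bot: the rewritten sentence reads "For more information, see [...] and [Defender cmdlets](...) for more information on how to use PowerShell with Microsoft Defender Antivirus", repeating "for more information" twice; drop one of them. The snippet `Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine` under a heading about downloading updates when the engine is not present is ambiguous without a value, because the parameter name says Disable and a `$true` value turns the described behaviour off; show `Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $false` so readers do not configure the opposite of what the section describes. The renamed heading also still says "Windows Management Instruction (WMI)"; it should be "Windows Management Instrumentation (WMI)".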
@@ -129,9 +129,9 @@ For more information, see [Windows Defender WMIv2 APIs](https://docs.microsoft.c
## Allow ad hoc changes to protection based on cloud-delivered protection
-Windows Defender AV can make changes to its protection based on cloud-delivered protection. Such changes can occur outside of normal or scheduled protection updates.
+Microsoft Defender AV can make changes to its protection based on cloud-delivered protection. Such changes can occur outside of normal or scheduled protection updates.
-If you have enabled cloud-delivered protection, Windows Defender AV will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Windows Defender AV to automatically receive that protection update. Other important protection updates can also be applied.
+If you have enabled cloud-delivered protection, Microsoft Defender AV will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Microsoft Defender AV to automatically receive that protection update. Other important protection updates can also be applied.
### Use Group Policy to automatically download recent updates based on cloud-delivered protection
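Review bot: the rename is incomplete in the rewritten paragraph: "Windows Defender cloud" is left unchanged while the product references around it were changed to Microsoft Defender, and this paragraph uses the short form "Microsoft Defender AV" where the rest of the article uses "Microsoft Defender Antivirus". Decide whether "Windows Defender cloud" is still the intended service name and, if not, rename it here as well.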
@@ -141,7 +141,7 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**.
@@ -152,9 +152,9 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi
## Related articles
-- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
-- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
similarity index 66%
rename from windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
index 9a6e186de0..8956c31df7 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Apply Windows Defender AV protection updates to out of date endpoints
+title: Apply Microsoft Defender AV protection updates to out of date endpoints
description: Define when and how updates should be applied for endpoints that have not updated in a while.
keywords: updates, protection, out-of-date, outdated, old, catch-up
search.product: eADQiWindows 10XVcnh
@@ -17,21 +17,21 @@ ms.reviewer:
manager: dansimp
---
-# Manage Windows Defender Antivirus updates and scans for endpoints that are out of date
+# Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.
+Microsoft Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.
For example, an employee that uses a particular PC is on break for three days and does not log on to their PC during that time.
-When the user returns to work and logs on to their PC, Windows Defender Antivirus will immediately check and download the latest protection updates, and run a scan.
+When the user returns to work and logs on to their PC, Microsoft Defender Antivirus will immediately check and download the latest protection updates, and run a scan.
## Set up catch-up protection updates for endpoints that haven't updated for a while
-If Windows Defender Antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md).
+If Microsoft Defender Antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-microsoft-defender-antivirus.md).
### Use Configuration Manager to configure catch-up protection updates
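Review bot: minor wording in the touched paragraphs: "an employee that uses a particular PC" should be "an employee who uses a particular PC", and "check and download the latest protection updates, and run a scan" does not need the comma before "and run a scan". Since the sentences are being edited anyway, this is the moment to fix them.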
@@ -40,7 +40,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie
2. Go to the **Security intelligence updates** section and configure the following settings:
1. Set **Force a security intelligence update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
- 2. For the **If Configuration Manager is used as a source for security intelligence updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
+ 2. For the **If Configuration Manager is used as a source for security intelligence updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-microsoft-defender-antivirus.md#fallback-order).
3. Click **OK**.
@@ -54,9 +54,9 @@ If Windows Defender Antivirus did not download protection updates for a specifie
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates**.
-5. Double-click the **Define the number of days after which a catch-up security intelligence update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update.
+5. Double-click the **Define the number of days after which a catch-up security intelligence update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Microsoft Defender AV to check for and download the latest protection update.
6. Click **OK**.
@@ -68,7 +68,7 @@ Use the following cmdlets:
Set-MpPreference -SignatureUpdateCatchupInterval
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus.
### Use Windows Management Instruction (WMI) to configure catch-up protection updates
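Review bot: the `Defender cmdlets` link on the rewritten line still targets `https://technet.microsoft.com/library/dn433280.aspx`, whereas manage-event-based-updates already points the same link at `https://docs.microsoft.com/powershell/module/defender/index`; use the docs.microsoft.com target here and in the other technet references in this file and in manage-protection-update-schedule. The snippet `Set-MpPreference -SignatureUpdateCatchupInterval` also shows no value; the parameter takes a number of days, so a concrete example such as `Set-MpPreference -SignatureUpdateCatchupInterval 3` would be clearer.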
@@ -84,7 +84,7 @@ See the following for more information and allowed parameters:
## Set the number of days before protection is reported as out-of-date
-You can also specify the number of days after which Windows Defender Antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender Antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source.
+You can also specify the number of days after which Microsoft Defender Antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Microsoft Defender Antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-microsoft-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source.
### Use Group Policy to specify the number of days before protection is considered out-of-date
@@ -94,24 +94,24 @@ You can also specify the number of days after which Windows Defender Antivirus p
4. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings:
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following settings:
- 1. Double-click **Define the number of days before spyware definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to consider spyware Security intelligence to be out-of-date.
+ 1. Double-click **Define the number of days before spyware definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Microsoft Defender AV to consider spyware Security intelligence to be out-of-date.
2. Click **OK**.
- 3. Double-click **Define the number of days before virus definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to consider virus Security intelligence to be out-of-date.
+ 3. Double-click **Define the number of days before virus definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Microsoft Defender AV to consider virus Security intelligence to be out-of-date.
4. Click **OK**.
## Set up catch-up scans for endpoints that have not been scanned for a while
-You can set the number of consecutive scheduled scans that can be missed before Windows Defender Antivirus will force a scan.
+You can set the number of consecutive scheduled scans that can be missed before Microsoft Defender Antivirus will force a scan.
The process for enabling this feature is:
-1. Set up at least one scheduled scan (see the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic).
+1. Set up at least one scheduled scan (see the [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) topic).
2. Enable the catch-up scan feature.
3. Define the number of scans that can be skipped before a catch-up scan occurs.
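Review bot: "spyware Security intelligence" and "virus Security intelligence" in the rewritten sub-steps capitalise "Security" mid-sentence; the Group Policy setting names quoted in bold on the same lines still say "spyware definitions" and "virus definitions", so either reuse the setting's own term or write "security intelligence" in lowercase for consistency with the headings.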
@@ -127,12 +127,12 @@ This feature can be enabled for both full and quick scans.
4. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan** and configure the following settings:
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Scan** and configure the following settings:
1. If you have set up scheduled quick scans, double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**.
2. If you have set up scheduled full scans, double-click the **Turn on catch-up full scan** setting and set the option to **Enabled**. Click **OK**.
3. Double-click the **Define the number of days after which a catch-up scan is forced** setting and set the option to **Enabled**.
- 4. Enter the number of scans that can be missed before a scan will be automatically run when the user next logs on to the PC. The type of scan that is run is determined by the **Specify the scan type to use for a scheduled scan** (see the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic). Click **OK**.
+ 4. Enter the number of scans that can be missed before a scan will be automatically run when the user next logs on to the PC. The type of scan that is run is determined by the **Specify the scan type to use for a scheduled scan** (see the [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) topic). Click **OK**.
> [!NOTE]
> The Group Policy setting title refers to the number of days. The setting, however, is applied to the number of scans (not days) before the catch-up scan will be run.
@@ -147,7 +147,7 @@ Set-MpPreference -DisableCatchupQuickScan
```
-See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus.
### Use Windows Management Instruction (WMI) to configure catch-up scans
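Review bot: the cmdlet shown in this hunk's context, `Set-MpPreference -DisableCatchupQuickScan`, is a Disable* Boolean, so without a value the example reads as if it turns catch-up scans on when `$true` actually turns them off; show `Set-MpPreference -DisableCatchupQuickScan $false` so the snippet matches the section title "Set up catch-up scans". The heading `### Use Windows Management Instruction (WMI) to configure catch-up scans` should also read "Windows Management Instrumentation (WMI)".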
@@ -174,9 +174,9 @@ See the following for more information and allowed parameters:
## Related articles
-- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
-- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
similarity index 76%
rename from windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
index c67fd41aa8..5ba75a3387 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Schedule Windows Defender Antivirus protection updates
+title: Schedule Microsoft Defender Antivirus protection updates
description: Schedule the day, time, and interval for when protection updates should be downloaded
keywords: updates, security baselines, schedule updates
search.product: eADQiWindows 10XVcnh
@@ -24,7 +24,7 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus lets you determine when it should look for and download updates.
+Microsoft Defender Antivirus lets you determine when it should look for and download updates.
You can schedule updates for your endpoints by:
@@ -32,7 +32,7 @@ You can schedule updates for your endpoints by:
- Specifying the interval to check for protection updates
- Specifying the time to check for protection updates
-You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic for more information.
+You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) topic for more information.
## Use Configuration Manager to schedule protection updates
@@ -51,7 +51,7 @@ You can also randomize the times when each endpoint checks and downloads protect
## Use Group Policy to schedule protection updates
> [!IMPORTANT]
-> By default, Windows Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default.
+> By default, Microsoft Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
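Review bot: step 1 links the Group Policy Management Console to `https://technet.microsoft.com/library/cc731212.aspx`, while the identical step in manage-event-based-updates and manage-outdated-endpoints uses `https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal`; align the link target across the renamed files.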
@@ -59,7 +59,7 @@ You can also randomize the times when each endpoint checks and downloads protect
4. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings:
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following settings:
1. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
2. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
@@ -76,7 +76,7 @@ Set-MpPreference -SignatureScheduleTime
Set-MpPreference -SignatureUpdateInterval
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus.
## Use Windows Management Instruction (WMI) to schedule protection updates
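Review bot: the cmdlet snippets `Set-MpPreference -SignatureScheduleTime` and `Set-MpPreference -SignatureUpdateInterval` list parameter names without values, so a reader cannot run them as shown; give each a sample value (the interval is in hours, per the Group Policy step above) or state explicitly that these are parameter names to fill in. The heading `## Use Windows Management Instruction (WMI) to schedule protection updates` has the same "Instruction" typo as the other files; it should be "Windows Management Instrumentation (WMI)".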
@@ -94,12 +94,12 @@ See the following for more information and allowed parameters:
## Related articles
-- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
-- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
similarity index 72%
rename from windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
index a487d96a32..fb6976a1fa 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Manage how and where Windows Defender AV receives updates
-description: Manage the fallback order for how Windows Defender Antivirus receives protection updates.
+title: Manage how and where Microsoft Defender AV receives updates
+description: Manage the fallback order for how Microsoft Defender Antivirus receives protection updates.
keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -16,7 +16,7 @@ manager: dansimp
ms.custom: nextgen
---
-# Manage the sources for Windows Defender Antivirus protection updates
+# Manage the sources for Microsoft Defender Antivirus protection updates
**Applies to:**
@@ -25,11 +25,11 @@ ms.custom: nextgen
-Keeping your antivirus protection up to date is critical. There are two components to managing protection updates for Windows Defender Antivirus:
+Keeping your antivirus protection up to date is critical. There are two components to managing protection updates for Microsoft Defender Antivirus:
- *Where* the updates are downloaded from; and
- *When* updates are downloaded and applied.
-This article describes how to specify from where updates should be downloaded (this is also known as the fallback order). See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).
+This article describes how to specify from where updates should be downloaded (this is also known as the fallback order). See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).
> [!IMPORTANT]
> Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update and starting Monday, October 21, 2019, all security intelligence updates will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to update your security intelligence. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).
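Review bot: the rewritten sentence "See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) topic for an overview" is missing an article before the link; suggest "See the [...] topic for an overview" or simply "See [...] for an overview".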
@@ -53,13 +53,13 @@ There are five locations where you can specify where an endpoint should obtain u
- [Windows Server Update Service](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus)
- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
- [Network file share](https://docs.microsoft.com/windows-server/storage/nfs/nfs-overview)
-- [Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.)
+- [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.)
To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads.
> [!IMPORTANT]
> If you have set [Microsoft Malware Protection Center Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) (MMPC) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is 14 consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services).
-> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
+> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
> Starting Monday, October 21, 2019, security intelligence updates will be SHA-2 signed exclusively. Devices must be updated to support SHA-2 in order to get the latest security intelligence updates. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).
Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:
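Review bot: the changed MMPC bullet now links to https://www.microsoft.com/en-us/wdsi/defenderupdates, while the unchanged IMPORTANT note three lines below still links "Microsoft Malware Protection Center Security intelligence page" to https://www.microsoft.com/security/portal/definitions/adl.aspx; the two references describe the same source and should point at the same page. The rewritten "set the number of days before protection is reported as out-of-date" link also uses the absolute path https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/..., which lacks the `security/` segment that the absolute links later in this file use; a relative link of the form manage-outdated-endpoints-microsoft-defender-antivirus.md#set-the-number-of-days-before-protection-is-reported-as-out-of-date, as the Related articles list already does, would not depend on the published URL surviving the folder rename.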
@@ -68,9 +68,9 @@ Each source has typical scenarios that depend on how your network is configured,
|---|---|
|Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.|
|Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.|
-|File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.|
+|File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.|
|Microsoft Endpoint Configuration Manager | You are using Microsoft Endpoint Configuration Manager to update your endpoints.|
-|Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
+|Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI.
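Review bot: the same absolute https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/... link reappears in the "a specified number of days" cell of the security intelligence row; suggest the relative manage-outdated-endpoints-microsoft-defender-antivirus.md#... form here as well so both references resolve the same way. Two small wording points in the same cell: "starting Monday October 21, 2019" is missing the comma after "Monday" that the IMPORTANT note above uses, and "a strong, base image" has a stray comma.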
@@ -104,8 +104,8 @@ The procedures in this article first describe how to set the order, and then how
6. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
> [!NOTE]
-> For Windows 10, versions 1703 up to and including 1809, the policy path is **Windows Components > Windows Defender Antivirus > Signature Updates**
-> For Windows 10, version 1903, the policy path is **Windows Components > Windows Defender Antivirus > Security Intelligence Updates**
+> For Windows 10, versions 1703 up to and including 1809, the policy path is **Windows Components > Microsoft Defender Antivirus > Signature Updates**
+> For Windows 10, version 1903, the policy path is **Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates**
## Use Configuration Manager to manage the update location
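Review bot: these two lines change a Group Policy UI path for already-shipped builds (Windows 10 versions 1703 through 1809, and 1903) from **Windows Components > Windows Defender Antivirus > ...** to **Windows Components > Microsoft Defender Antivirus > ...**; a UI path needs to match the node name an administrator actually sees in those builds' ADMX templates, not the documentation rename, so please confirm the node name in those versions before merging (if it was not renamed there, keep the old path for those versions and state the new name only for the versions that carry it).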
@@ -123,7 +123,7 @@ Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\
See the following articles for more information:
- [Set-MpPreference -SignatureFallbackOrder](https://docs.microsoft.com/powershell/module/defender/set-mppreference)
- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSource](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources)
-- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
+- [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md)
- [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index)
## Use Windows Management Instruction (WMI) to manage the update location
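Review bot: the heading "Use Windows Management Instruction (WMI) to manage the update location" in the trailing context should read "Instrumentation". In the link list, the `Set-MpPreference -SignatureDefinitionUpdateFileSharesSource` entry still points at a legacy technet.microsoft.com URL, and its anchor (`#-signaturedefinitionupdatefilesharessources`) spells the parameter with a trailing "s" while the link text and the hunk header (`Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|...`) do not; the entry directly above already uses https://docs.microsoft.com/powershell/module/defender/set-mppreference, so suggest pointing both entries at that page and checking the parameter spelling against the cmdlet reference so the text and the anchor agree.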
@@ -144,19 +144,19 @@ See [Policy CSP - Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.
## What if we're using a third-party vendor?
-This article describes how to configure and manage updates for Windows Defender Antivirus. However, third-party vendors can be used to perform these tasks.
+This article describes how to configure and manage updates for Microsoft Defender Antivirus. However, third-party vendors can be used to perform these tasks.
-For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Windows Defender Antivirus. Fabrikam typically uses [Windows Management Instrumentation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus), [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus), or [Windows command-line](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to deploy patches and updates.
+For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Microsoft Defender Antivirus. Fabrikam typically uses [Windows Management Instrumentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus), [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus), or [Windows command-line](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) to deploy patches and updates.
> [!NOTE]
-> Microsoft does not test third-party solutions for managing Windows Defender Antivirus.
+> Microsoft does not test third-party solutions for managing Microsoft Defender Antivirus.
## Related articles
-- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
-- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-- [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+- [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
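Review bot: the three links in the Contoso/Fabrikam example are rewritten as absolute https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/... URLs, whereas the Related articles list directly below links to files in the same folder relatively (for example use-powershell-cmdlets-microsoft-defender-antivirus.md); relative links keep working in local builds and through further renames, so suggest switching the example's links to the relative form as well.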
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..f619b37fca
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -0,0 +1,233 @@
+---
+title: Manage Microsoft Defender Antivirus updates and apply baselines
+description: Manage how Microsoft Defender Antivirus receives protection and product updates.
+keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.reviewer:
+manager: dansimp
+---
+
+# Manage Microsoft Defender Antivirus updates and apply baselines
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
+
+ - Security intelligence updates
+ - Product updates
+
+> [!IMPORTANT]
+> Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
+> This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+
+## Security intelligence updates
+
+Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
+
+The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
+
+Engine updates are included with the security intelligence updates and are released on a monthly cadence.
+
+## Product updates
+
+Microsoft Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases.
+
+You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
+For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
+
+> [!NOTE]
+> We release these monthly updates in phases. This results in multiple packages showing up in your WSUS server.
+
+## Monthly platform and engine versions
+
+For information how to update or how to install the platform update, please see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
+
+All our updates contain:
+* performance improvements
+* serviceability improvements
+* integration improvements (Cloud, MTP)
+
+
+ May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)
+
+ Security intelligence update version: **1.317.20.0**
+ Released: **May 26, 2020**
+ Platform: **4.18.2005.4**
+ Engine: **1.1.17100.2**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+* Improved logging for scan events
+* Improved user mode crash handling.
+* Added event tracing for Tamper protection
+* Fixed AMSI Sample submission
+* Fixed AMSI Cloud blocking
+* Fixed Security update install log
+
+### Known Issues
+No known issues
+
+
+
+
+ April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)
+
+ Security intelligence update version: **1.315.12.0**
+ Released: **April 30, 2020**
+ Platform: **4.18.2004.6**
+ Engine: **1.1.17000.2**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+* WDfilter improvements
+* Add more actionable event data to ASR detection events
+* Fixed version information in diagnostic data and WMI
+* Fixed incorrect platform version in UI after platform update
+* Dynamic URL intel for Fileless threat protection
+* UEFI scan capability
+* Extend logging for updates
+
+### Known Issues
+No known issues
+
+
+
+
+ March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2)
+
+ Security intelligence update version: **1.313.8.0**
+ Released: **March 24, 2020**
+ Platform: **4.18.2003.8**
+ Engine: **1.1.16900.4**
+ Support phase: **Technical upgrade Support (Only)**
+
+### What's new
+
+* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus)
+* Improve diagnostic capability
+* reduce Security intelligence timeout (5min)
+* Extend AMSI engine internal log capability
+* Improve notification for process blocking
+
+### Known Issues
+[**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan.
+
+
+
+
+
+
+ February-2020 (Platform: - | Engine: 1.1.16800.2)
+
+
+ Security intelligence update version: **1.311.4.0**
+ Released: **February 25, 2020**
+ Platform/Client: **-**
+ Engine: **1.1.16800.2**
+ Support phase: **N/A**
+
+### What's new
+
+
+### Known Issues
+No known issues
+
+
+
+
+ January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2)
+
+
+Security intelligence update version: **1.309.32.0**
+Released: **January 30, 2020**
+Platform/Client: **4.18.2001.10**
+Engine: **1.1.16700.2**
+Support phase: **Technical upgrade Support (Only)**
+
+### What's new
+
+* Fixed BSOD on WS2016 with Exchange
+* Support platform updates when TMP is redirected to network path
+* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates)
+* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility)
+* Fix 4.18.1911.10 hang
+
+### Known Issues
+[**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
+
+> [!IMPORTANT]
+> This updates is needed by RS1 devices running lower version of the platform to support SHA2. This update has reboot flag for systems that are experiencing the hang issue. the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability.
+
+
+
+
+ November-2019 (Platform: 4.18.1911.2 | Engine: 1.1.16600.7)
+
+Security intelligence update version: **1.307.13.0**
+Released: **December 7, 2019**
+Platform: **4.18.1911.2**
+Engine: **1.1.17000.7**
+Support phase: **No support**
+
+### What's new
+
+* Fixed MpCmdRun tracing level
+* Fixed WDFilter version info
+* Improve notifications (PUA)
+* add MRT logs to support files
+
+### Known Issues
+No known issues
+
+
+
+## Microsoft Defender Antivirus platform support
+As stated above, platform and engine updates are provided on a monthly cadence.
+Customers must stay current with the latest platform update to be fully supported. Our support structure is now dynamic, evolving into two phases depending on the availability of the latest platform version:
+
+
+* **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
+
+
+* **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*
+
+\* Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version.
+
+During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft’s managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update (*).
+
+### Platform version included with Windows 10 releases
+The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:
+
+|Windows 10 release |Platform version |Engine version |Support phase |
+|-|-|-|-|
+|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) |
+|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) |
+|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) |
+|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade Support (Only) |
+|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade Support (Only) |
+|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) |
+|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) |
+
+Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
+
+
+## In this section
+
+Article | Description
+---|---
+[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
+[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded.
+[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on.
+[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.
+[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
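Review bot: under "Product updates", the line "For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#...)" links to the Configuration Manager WSUS page rather than the article named in the link text; it should point at manage-protection-updates-microsoft-defender-antivirus.md, which the "In this section" table at the bottom already references. Further inconsistencies in the new file: the March-2020 heading says "Engine: 1.1.16900.2" but the detail line below it says "Engine: **1.1.16900.4**"; the November-2019 heading says "Engine: 1.1.16600.7" but the detail line says "Engine: **1.1.17000.7**", which is the April-2020 engine series (1.1.17000.2), so one of each pair is wrong; the IMPORTANT note under January-2020 reads "This updates is needed ... the This update is re-released" and should read "This update is needed ... This update was re-released"; "when TMP is redirected to network path" in the same release list probably means TEMP; the February-2020 "What's new" section is empty; `ms.pagetype: security` appears twice in the front matter; and the monthly release titles (for example " May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)") are indented plain text rather than headings, so they will not render as section titles and the "### What's new" / "### Known Issues" subsections beneath them have no parent.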
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
similarity index 76%
rename from windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
index 94b9e04752..fb9cbcf454 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Define how mobile devices are updated by Windows Defender AV
-description: Manage how mobile devices, such as laptops, should be updated with Windows Defender AV protection updates.
+title: Define how mobile devices are updated by Microsoft Defender AV
+description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender AV protection updates.
keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -31,13 +31,13 @@ There are two settings that are particularly useful for these devices:
- Prevent Security intelligence updates when running on battery power
The following topics may also be useful in these situations:
-- [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
+- [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+- [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md)
## Opt-in to Microsoft Update on mobile computers without a WSUS connection
-You can use Microsoft Update to keep Security intelligence on mobile devices running Windows Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
+You can use Microsoft Update to keep Security intelligence on mobile devices running Microsoft Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update.
@@ -55,7 +55,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
4. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**.
+5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
@@ -73,7 +73,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
## Prevent Security intelligence updates when running on battery power
-You can configure Windows Defender Antivirus to only download protection updates when the PC is connected to a wired power source.
+You can configure Microsoft Defender Antivirus to only download protection updates when the PC is connected to a wired power source.
### Use Group Policy to prevent security intelligence updates on battery power
@@ -83,7 +83,7 @@ You can configure Windows Defender Antivirus to only download protection updates
4. Click **Policies** then **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following setting:
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following setting:
1. Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**.
2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power.
@@ -91,5 +91,5 @@ You can configure Windows Defender Antivirus to only download protection updates
## Related articles
-- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Update and manage Windows Defender Antivirus in Windows 10](deploy-manage-report-windows-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Update and manage Microsoft Defender Antivirus in Windows 10](deploy-manage-report-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
new file mode 100644
index 0000000000..2cb802f3b8
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -0,0 +1,98 @@
+---
+title: Microsoft Defender Antivirus compatibility with other security products
+description: Microsoft Defender Antivirus operates in different ways depending on what other security products you have installed, and the operating system you are using.
+keywords: windows defender, atp, advanced threat protection, compatibility, passive mode
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.reviewer:
+manager: dansimp
+---
+
+# Microsoft Defender Antivirus compatibility
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Overview
+
+Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
+- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode.
+- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.)
+- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/shadow-protection) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
+
+## Antivirus and Microsoft Defender ATP
+
+The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP.
+
+
+| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Microsoft Defender Antivirus state |
+|------|------|-------|-------|
+| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
+| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode |
+| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode |
+| Windows 10 | Microsoft Defender Antivirus | No | Active mode |
+| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] |
+| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] |
+| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | Yes | Active mode |
+| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | No | Active mode |
+
+(1) On Windows Server 2016 or 2019, Microsoft Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Microsoft Defender Antivirus on Windows Server 2016 or 2019](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-microsoft-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine.
+
+If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
+- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
+- Name: ForceDefenderPassiveMode
+- Value: 1
+
+See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.
+
+> [!IMPORTANT]
+> Microsoft Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.
+>
+> In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager.
+>
+> Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
+
+## Functionality and features available in each state
+
+The following table summarizes the functionality and features that are available in each state:
+
+|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) |
+|--|--|--|--|--|--|
+|Active mode
|Yes |No |Yes |Yes |Yes |
+|Passive mode |No |No |Yes |No |Yes |
+|[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes |
+|Automatic disabled mode |No |Yes |No |No |No |
+
+- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
+- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service.
+- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
+- In Automatic disabled mode, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
+
+## Keep the following points in mind
+
+If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
+
+When Microsoft Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
+
+In passive and automatic disabled mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+
+If you uninstall the other product, and choose to use Microsoft Defender Antivirus to provide protection to your endpoints, Microsoft Defender Antivirus will automatically return to its normal active mode.
+
+> [!WARNING]
+> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+
+
+## Related topics
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md)
+- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
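Review bot: the 'Active mode' row of the functionality table is broken: the `+|Active mode` line is followed by a separate `|Yes |No |Yes |Yes |Yes |` line that has no leading `+`, so the row will not render and the patch itself may fail to apply; join them into one added line, `+|Active mode |Yes |No |Yes |Yes |Yes |`. In the same file, the Overview bullet links 'EDR in block mode' to `.../microsoft-defender-antivirus/shadow-protection` while the table and Related topics link it to `../microsoft-defender-atp/edr-in-block-mode.md`, so one target should be used throughout; the `ForceDefenderPassiveMode` registry entry gives a path, name and value but no value type, which readers need to create the entry correctly; `ms.pagetype: security` appears twice in the front matter; and 'If you are Using Windows Server, version 1803 and Windows 2019' should read 'If you are using Windows Server, version 1803 or Windows Server 2019'.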
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
new file mode 100644
index 0000000000..4be2a05301
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
@@ -0,0 +1,59 @@
+---
+title: Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
+description: Learn how to manage, configure, and use Microsoft Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016
+keywords: Microsoft Defender Antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.date: 02/25/2020
+ms.reviewer:
+manager: dansimp
+ms.custom: nextgen
+---
+
+# Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
+
+**Applies to:**
+
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Microsoft Defender Antivirus: Your next-generation protection
+
+Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following:
+
+- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md). This includes always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection"). It also includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware.
+- [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). This includes near-instant detection and blocking of new and emerging threats.
+- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md). This includes updates related to keeping Microsoft Defender Antivirus up to date.
+
+## Try a demo!
+
+Visit the [Microsoft Defender ATP demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios:
+- Cloud-delivered protection
+- Block at first sight (BAFS) protection
+- Potentially unwanted applications (PUA) protection
+
+## Minimum system requirements
+
+Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see:
+
+- [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
+- [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components)
+
+## Configure next-generation protection services
+
+For information on how to configure next-generation protection services, see [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md).
+
+> [!Note]
+> Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Microsoft Defender Antivirus; however, there are some differences. To learn more, see [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md).
+
+## Related articles
+
+- [Microsoft Defender Antivirus management and configuration](configuration-management-reference-microsoft-defender-antivirus.md)
+
+- [Evaluate Microsoft Defender Antivirus protection](evaluate-microsoft-defender-antivirus.md)
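Review bot: the Applies to bullet (`+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)]`) keeps the old product name in a file that is being created as part of the Microsoft Defender rename; the first paragraph under 'Your next-generation protection' already says 'Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)', so the bullet should match it. Smaller points: 'has the same hardware requirements as of Windows 10' should be 'as Windows 10'; the `description` front-matter line mentions only Windows 10 and Windows Server 2016 although the title also covers Windows Server 2019; and `ms.pagetype: security` is duplicated.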
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
similarity index 59%
rename from windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
index 6ff0b08f83..2108fffbab 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Antivirus on Windows Server 2016 and 2019
-description: Enable and configure Windows Defender AV on Windows Server 2016 and 2019
+title: Microsoft Defender Antivirus on Windows Server 2016 and 2019
+description: Enable and configure Microsoft Defender AV on Windows Server 2016 and 2019
keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -16,28 +16,28 @@ ms.reviewer:
manager: dansimp
---
-# Windows Defender Antivirus on Windows Server 2016 and 2019
+# Microsoft Defender Antivirus on Windows Server 2016 and 2019
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Windows Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same.
+Microsoft Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Microsoft Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same.
-While the functionality, configuration, and management are largely the same for Windows Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019:
+While the functionality, configuration, and management are largely the same for Microsoft Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019:
-- In Windows Server, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
-- In Windows Server, Windows Defender Antivirus does not automatically disable itself if you are running another antivirus product.
+- In Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role.
+- In Windows Server, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus product.
## The process at a glance
-The process of setting up and running Windows Defender Antivirus on a server platform includes several steps:
+The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps:
1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019)
-2. [Install Windows Defender Antivirus](#install-windows-defender-antivirus-on-windows-server-2016-or-2019)
+2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019)
-2. [Verify Windows Defender Antivirus is running](#verify-windows-defender-antivirus-is-running)
+2. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running)
3. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence)
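Review bot: the renamed steps `+2. [Install Microsoft Defender Antivirus]` and `+2. [Verify Microsoft Defender Antivirus is running]` carry over a duplicated step number, so the source list runs 1, 2, 2, 3 while the later hunk continues with 5 and 6; since these lines are already being touched, renumber the whole procedure consistently so the source matches the rendered order and the anchors that reference 'step' numbers elsewhere stay meaningful.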
@@ -45,11 +45,11 @@ The process of setting up and running Windows Defender Antivirus on a server pla
5. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions)
-6. (Only if necessary) [Uninstall Windows Defender Antivirus](#need-to-uninstall-windows-defender-antivirus)
+6. (Only if necessary) [Uninstall Microsoft Defender Antivirus](#need-to-uninstall-microsoft-defender-antivirus)
## Enable the user interface on Windows Server 2016 or 2019
-By default, Windows Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Windows Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or PowerShell.
+By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or PowerShell.
### Turn on the GUI using the Add Roles and Features Wizard
@@ -61,9 +61,7 @@ In Windows Server 2016, the **Add Roles and Features Wizard** looks like this:

-In Windows Server 2019, the **Add Roles and Feature Wizard** looks like this:
-
-
+In Windows Server 2019, the **Add Roles and Feature Wizard** looks much the same.
### Turn on the GUI using PowerShell
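Review bot: the new sentence `+In Windows Server 2019, the **Add Roles and Feature Wizard** looks much the same.` carries over the singular 'Feature' from the removed line, while the preceding sentence for Windows Server 2016 uses **Add Roles and Features Wizard**; use the same name in the rewritten line. Replacing the screenshot with 'looks much the same' also reads vaguely; stating that the same wizard and the same option apply in Windows Server 2019 would be clearer.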
@@ -73,30 +71,30 @@ The following PowerShell cmdlet will enable the interface:
Install-WindowsFeature -Name Windows-Defender-GUI
```
-## Install Windows Defender Antivirus on Windows Server 2016 or 2019
+## Install Microsoft Defender Antivirus on Windows Server 2016 or 2019
-You can use either the **Add Roles and Features Wizard** or PowerShell to install Windows Defender Antivirus.
+You can use either the **Add Roles and Features Wizard** or PowerShell to install Microsoft Defender Antivirus.
### Use the Add Roles and Features Wizard
1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**.
-2. When you get to the **Features** step of the wizard, select the Windows Defender Antivirus option. Also select the **GUI for Windows Defender** option.
+2. When you get to the **Features** step of the wizard, select the Microsoft Defender Antivirus option. Also select the **GUI for Windows Defender** option.
### Use PowerShell
-To use PowerShell to install Windows Defender Antivirus, run the following cmdlet:
+To use PowerShell to install Microsoft Defender Antivirus, run the following cmdlet:
```PowerShell
Install-WindowsFeature -Name Windows-Defender
```
-Event messages for the antimalware engine included with Windows Defender Antivirus can be found in [Windows Defender AV Events](troubleshoot-windows-defender-antivirus.md).
+Event messages for the antimalware engine included with Microsoft Defender Antivirus can be found in [Microsoft Defender AV Events](troubleshoot-microsoft-defender-antivirus.md).
-## Verify Windows Defender Antivirus is running
+## Verify Microsoft Defender Antivirus is running
-To verify that Windows Defender Antivirus is running on your server, run the following PowerShell cmdlet:
+To verify that Microsoft Defender Antivirus is running on your server, run the following PowerShell cmdlet:
```PowerShell
Get-Service -Name windefend
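Review bot: step 2 under 'Use the Add Roles and Features Wizard' (`+2. When you get to the **Features** step of the wizard, select the Microsoft Defender Antivirus option.`) renames what is a wizard feature label, yet the same line keeps **GUI for Windows Defender**, the PowerShell feature names below remain `Windows-Defender` and `Windows-Defender-GUI`, and the uninstall section later in this file still refers to **Windows Defender** under **Windows Defender Features**. The wizard label is a product UI string that this documentation rename does not change, so leave it as the name the wizard actually shows and bold it like the GUI option beside it.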
@@ -108,17 +106,17 @@ To verify that firewall protection is turned on, run the following PowerShell cm
Get-Service -Name mpssvc
```
-As an alternative to PowerShell, you can use Command Prompt to verify that Windows Defender Antivirus is running. To do that, run the following command from a command prompt:
+As an alternative to PowerShell, you can use Command Prompt to verify that Microsoft Defender Antivirus is running. To do that, run the following command from a command prompt:
-```DOS
+```console
sc query Windefend
```
-The `sc query` command returns information about the Windows Defender Antivirus service. When Windows Defender Antivirus is running, the `STATE` value displays `RUNNING`.
+The `sc query` command returns information about the Microsoft Defender Antivirus service. When Microsoft Defender Antivirus is running, the `STATE` value displays `RUNNING`.
## Update antimalware Security intelligence
-In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender Antivirus Security intelligence are approved for the computers you manage.
+In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage.
By default, Windows Update does not download and install updates automatically on Windows Server 2016 or 2019. You can change this configuration by using one of the following methods:
@@ -135,11 +133,11 @@ To ensure that protection from malware is maintained, we recommend that you enab
- Windows Update service
-The following table lists the services for Windows Defender Antivirus and the dependent services.
+The following table lists the services for Microsoft Defender Antivirus and the dependent services.
|Service Name|File Location|Description|
|--------|---------|--------|
-|Windows Defender Service (WinDefend)|`C:\Program Files\Windows Defender\MsMpEng.exe`|This is the main Windows Defender Antivirus service that needs to be running at all times.|
+|Windows Defender Service (WinDefend)|`C:\Program Files\Windows Defender\MsMpEng.exe`|This is the main Microsoft Defender Antivirus service that needs to be running at all times.|
|Windows Error Reporting Service (Wersvc)|`C:\WINDOWS\System32\svchost.exe -k WerSvcGroup`|This service sends error reports back to Microsoft.|
|Windows Defender Firewall (MpsSvc)|`C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork`|We recommend leaving the Windows Defender Firewall service enabled.|
|Windows Update (Wuauserv)|`C:\WINDOWS\system32\svchost.exe -k netsvcs`|Windows Update is needed to get Security intelligence updates and antimalware engine updates|
@@ -161,28 +159,28 @@ To enable automatic sample submission, start a Windows PowerShell console as an
|Setting |Description |
|---------|---------|
-|**0** Always prompt |The Windows Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Windows Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
-|**1** Send safe samples automatically |The Windows Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
-|**2** Never send |The Windows Defender Antivirus service does not prompt and does not send any files. |
-|**3** Send all samples automatically |The Windows Defender Antivirus service sends all files without a prompt for confirmation. |
+|**0** Always prompt |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
+|**1** Send safe samples automatically |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
+|**2** Never send |The Microsoft Defender Antivirus service does not prompt and does not send any files. |
+|**3** Send all samples automatically |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. |
## Configure automatic exclusions
-To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender Antivirus on Windows Server 2016 or 2019.
+To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Microsoft Defender Antivirus on Windows Server 2016 or 2019.
-See [Configure exclusions in Windows Defender Antivirus on Windows Server](configure-server-exclusions-windows-defender-antivirus.md).
+See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md).
-## Need to uninstall Windows Defender Antivirus?
+## Need to uninstall Microsoft Defender Antivirus?
-If you are using a third-party antivirus solution and you're running into issues with that solution and Windows Defender Antivirus, you can consider uninstalling Windows Defender Antivirus. Before you do that, review the following resources:
+If you are using a third-party antivirus solution and you're running into issues with that solution and Microsoft Defender Antivirus, you can consider uninstalling Microsoft Defender Antivirus. Before you do that, review the following resources:
- See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products).
-- See [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection.
+- See [Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Microsoft Defender Antivirus together with Microsoft Defender Advanced Threat Protection.
-If you determine you do want to uninstall Windows Defender Antivirus, follow the steps in the following sections.
+If you determine you do want to uninstall Microsoft Defender Antivirus, follow the steps in the following sections.
-### Uninstall Windows Defender Antivirus using the Remove Roles and Features wizard
+### Uninstall Microsoft Defender Antivirus using the Remove Roles and Features wizard
1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.
@@ -190,14 +188,14 @@ If you determine you do want to uninstall Windows Defender Antivirus, follow the
If you unselect **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**.
- Windows Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
+ Microsoft Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
-### Uninstall Windows Defender Antivirus using PowerShell
+### Uninstall Microsoft Defender Antivirus using PowerShell
>[!NOTE]
>You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
-The following PowerShell cmdlet will also uninstall Windows Defender AV on Windows Server 2016 or 2019:
+The following PowerShell cmdlet will also uninstall Microsoft Defender AV on Windows Server 2016 or 2019:
```PowerShell
Uninstall-WindowsFeature -Name Windows-Defender
@@ -205,7 +203,7 @@ Uninstall-WindowsFeature -Name Windows-Defender
### Turn off the GUI using PowerShell
-To turn off the Windows Defender Antivirus GUI, use the following PowerShell cmdlet:
+To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet:
```PowerShell
Uninstall-WindowsFeature -Name Windows-Defender-GUI
@@ -214,8 +212,8 @@ Uninstall-WindowsFeature -Name Windows-Defender-GUI
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
+- [Configure exclusions in Microsoft Defender AV on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
new file mode 100644
index 0000000000..0a396c5667
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
@@ -0,0 +1,137 @@
+---
+title: Microsoft Defender Offline in Windows 10
+description: You can use Microsoft Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network.
+keywords: scan, defender, offline
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.reviewer:
+manager: dansimp
+---
+
+# Run and review the results of a Microsoft Defender Offline scan
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
+
+You can use Microsoft Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean of the endpoint after a malware outbreak.
+
+In Windows 10, Microsoft Defender Offline can be run with one click directly from the [Windows Security app](microsoft-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Microsoft Defender Offline to bootable media, restart the endpoint, and load the bootable media.
+
+## prerequisites and requirements
+
+Microsoft Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
+
+For more information about Windows 10 requirements, see the following topics:
+
+- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
+
+- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx)
+
+> [!NOTE]
+> Microsoft Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
+
+To run Microsoft Defender Offline from the endpoint, the user must be logged in with administrator privileges.
+
+## Microsoft Defender Offline updates
+
+Microsoft Defender Offline uses the most recent protection updates available on the endpoint; it's updated whenever Windows Defender Antivirus is updated.
+
+> [!NOTE]
+> Before running an offline scan, you should attempt to update Microsoft Defender AV protection. You can either force an update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
+
+See the [Manage Microsoft Defender Antivirus Security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md) topic for more information.
+
+## Usage scenarios
+
+In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Microsoft Defender Offline needs to run, it will prompt the user on the endpoint.
+
+The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're using it to manage your endpoints.
+
+The prompt can occur via a notification, similar to the following:
+
+
+
+The user will also be notified within the Windows Defender client.
+
+In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**.
+
+Microsoft Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
+
+
+
+## Configure notifications
+
+
+Microsoft Defender Offline notifications are configured in the same policy setting as other Microsoft Defender AV notifications.
+
+For more information about notifications in Windows Defender, see the [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) topic.
+
+## Run a scan
+
+> [!IMPORTANT]
+> Before you use Microsoft Defender Offline, make sure you save any files and shut down running programs. The Microsoft Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
+
+You can run a Microsoft Defender Offline scan with the following:
+
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- The Windows Security app
+
+
+
+### Use PowerShell cmdlets to run an offline scan
+
+Use the following cmdlets:
+
+```PowerShell
+Start-MpWDOScan
+```
+
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+### Use Windows Management Instruction (WMI) to run an offline scan
+
+Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class to run an offline scan.
+
+The following WMI script snippet will immediately run a Microsoft Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
+
+```console
+wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
+```
+
+See the following for more information:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
+
+
+### Use the Windows Defender Security app to run an offline scan
+
+1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label:
+
+3. Select **Microsoft Defender Offline scan** and click **Scan now**.
+
+ > [!NOTE]
+ > In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client.
+
+
+## Review scan results
+
+Microsoft Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history).
+
+
+## Related articles
+
+- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
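Review bot: the front matter declares `ms.pagetype: security` twice (once after `keywords`, again after `ms.sitesec`); duplicate keys are rejected by strict YAML parsers, so drop one. In `## Review scan results` the link `microsoft-defender-security-center-antivirus.md#detection-history` uses an anchor that does not match the heading in that file as it appears in this PR (`### Review threat detection history in the Windows Defender Security Center app`), so the fragment will not resolve; fix the anchor or rename the heading. The PowerShell and WMI paths need the same warning the IMPORTANT note gives the app path: `Start-MpWDOScan` and `MSFT_MpWDOScan` `Start` reboot the endpoint immediately with no prompt to save work, which matters when they are invoked remotely or from a script. The `Applies to` list names only Microsoft Defender ATP, although the feature belongs to Microsoft Defender Antivirus, which the other files in this PR list as the product. Smaller items: `Windows Management Instruction (WMI)` should be `Instrumentation` (the bullet list above has it right); `## prerequisites and requirements` needs sentence case like the other headings; `Use the following cmdlets:` introduces a single cmdlet; `Windows Server Stock Keeping Units` is normally written `SKUs`; and the rename is incomplete in the description, the updates section, the usage scenarios, the IMPORTANT note and the `### Use the Windows Defender Security app` heading, which still say Windows Defender, Windows Defender Antivirus or Windows Defender client.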
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
similarity index 76%
rename from windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
index 75d23d70dd..c2d53844a7 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Antivirus in the Windows Security app
-description: Windows Defender AV is now included in the Windows Security app.
+title: Microsoft Defender Antivirus in the Windows Security app
+description: With Microsoft Defender AV now included in the Windows Security app, you can review, compare, and perform common tasks.
keywords: wdav, antivirus, firewall, security, windows
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -16,7 +16,7 @@ ms.reviewer:
manager: dansimp
---
-# Windows Defender Antivirus in the Windows Security app
+# Microsoft Defender Antivirus in the Windows Security app
**Applies to:**
@@ -27,8 +27,8 @@ In Windows 10, version 1703 and later, the Windows Defender app is part of the W
Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
> [!IMPORTANT]
-> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date. If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
->It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
+> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date. If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
+>It may also prevent Microsoft Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
>This will significantly lower the protection of your device and could lead to malware infection.
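Review bot: in the IMPORTANT block, `These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.` is ambiguous because it follows a sentence about disabling the Windows Security Center service; it reads as if the service is what gets disabled. Suggest "Microsoft Defender AV and Windows Defender Firewall are disabled automatically when ...". The continuation lines also use `>It` and `>This` without the space after `>` that the first line has; harmless for rendering, but worth normalising while the block is being edited.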
@@ -52,22 +52,22 @@ The following diagrams compare the location of settings and functions between th

-
+
Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description
---|---|---|---
1 | **Update** tab | **Protection updates** | Update the protection (Security intelligence)
2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed
3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission
-4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Windows Defender Offline scan
+4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Microsoft Defender Offline scan
5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option
## Common tasks
-This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the Windows Security app.
+This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Microsoft Defender Antivirus in the Windows Security app.
> [!NOTE]
-> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured.
+> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) topic describes how local policy override settings can be configured.
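Review bot: two defects in the comparison table sit in this hunk's context lines and could be fixed here at no cost: row 3 says `Automatic ample submission` (should be `Automatic sample submission`) and row 5 `Run a scan (based on the option chosen under **Scan options**` never closes its parenthesis. The note below the table is also the right place to say that the greyed-out state applies to settings pushed by Group Policy only, since the next sections walk a local user through changing them.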
@@ -96,7 +96,7 @@ This section describes how to perform some of the most common tasks when reviewi
4. Click **Check for updates** to download new protection updates (if there are any).
-### Ensure Windows Defender Antivirus is enabled in the Windows Security app
+### Ensure Microsoft Defender Antivirus is enabled in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -108,12 +108,12 @@ This section describes how to perform some of the most common tasks when reviewi
>[!NOTE]
>If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.
- >If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md).
+ >If you install another antivirus product, Microsoft Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md).
-### Add exclusions for Windows Defender Antivirus in the Windows Security app
+### Add exclusions for Microsoft Defender Antivirus in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -130,14 +130,14 @@ The following table summarizes exclusion types and what happens:
|Exclusion type |Defined by |What happens |
|---------|---------|---------|
-|**File** |Location Example: `c:\sample\sample.test` |The specific file is skipped by Windows Defender Antivirus. |
-|**Folder** |Location Example: `c:\test\sample` |All items in the specified folder are skipped by Windows Defender Antivirus. |
-|**File type** |File extension Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Windows Defender Antivirus. |
-|**Process** |Executable file path Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Windows Defender Antivirus. |
+|**File** |Location Example: `c:\sample\sample.test` |The specific file is skipped by Microsoft Defender Antivirus. |
+|**Folder** |Location Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. |
+|**File type** |File extension Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
+|**Process** |Executable file path Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
To learn more, see:
-- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus)
-- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus)
+- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
+- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
### Review threat detection history in the Windows Defender Security Center app
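Review bot: the exclusions table states the effect of each exclusion type but not the cost: a file-type exclusion applies `anywhere on your device` and a process exclusion skips `any files that are opened by that process`, so anyone who can drop a file with an excluded extension or run code under an excluded process path inherits a blind spot. Suggest a one-line caution above the table that exclusions should be as narrow as possible and reviewed periodically, pointing at the two validation links below it. The context heading `### Review threat detection history in the Windows Defender Security Center app` keeps the old app name; rename it to "Windows Security app" like the other headings, and update any `#...` anchors elsewhere in this PR that target it at the same time.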
@@ -167,6 +167,6 @@ To learn more, see:
## Related articles
-- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
similarity index 75%
rename from windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
index 77a5c15cf1..58f370b7dd 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: "Better together - Windows Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats"
-description: "Office 365, which includes OneDrive, goes together wonderfully with Windows Defender Antivirus. Read this article to learn more."
+title: "Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats"
+description: "Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more."
keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -19,22 +19,22 @@ ms.reviewer:
manager: dansimp
---
-# Better together: Windows Defender Antivirus and Office 365
+# Better together: Microsoft Defender Antivirus and Office 365
**Applies to:**
-- Windows Defender Antivirus
+- Microsoft Defender Antivirus
- Office 365
You might already know that:
-- **Windows Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Windows Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Windows Defender Antivirus is your next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+- **Microsoft Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Microsoft Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Microsoft Defender Antivirus is your next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
- **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Office 365 Advanced Threat Protection. [Protect against threats with Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats).
- **OneDrive, included in Office 365, enables you to store your files and folders online, and share them as you see fit**. You can work together with people (for work or fun), and coauthor files that are stored in OneDrive. You can also access your files across all your devices (your PC, phone, and tablet). [Manage sharing in OneDrive](https://docs.microsoft.com/OneDrive/manage-sharing).
-**But did you know there are good security reasons to use Windows Defender Antivirus together with Office 365**? Here are two:
+**But did you know there are good security reasons to use Microsoft Defender Antivirus together with Office 365**? Here are two:
1. [You get ransomware protection and recovery](#ransomware-protection-and-recovery).
@@ -44,11 +44,11 @@ Read the following sections to learn more.
## Ransomware protection and recovery
-When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur:
+When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur:
1. **You are told about the threat**. (If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (ATP), your security operations team is notified, too.)
-2. **Windows Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender ATP, your security operations team can determine whether other devices are infected and take appropriate action, too.)
+2. **Microsoft Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender ATP, your security operations team can determine whether other devices are infected and take appropriate action, too.)
3. **You get the option to recover your files in OneDrive**. With the OneDrive Files Restore feature, you can recover your files in OneDrive to the state they were in before the ransomware attack occurred. See [Ransomware detection and recovering your files](https://support.office.com/article/0d90ec50-6bfd-40f4-acc7-b8c12c73637f).
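Review bot: step 3, `you can recover your files in OneDrive to the state they were in before the ransomware attack occurred`, reads as if Files Restore keeps unlimited history; state the retention window within which a restore point can be chosen, otherwise a reader who discovers an infection late will assume recovery is still available. Minor: the Microsoft Defender ATP link in step 1 goes to the generic threat-protection landing page rather than an ATP-specific page, unlike the ATP links in the tamper-protection file in this PR.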
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
similarity index 86%
rename from windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 52966241d0..3d058b3d8f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -25,9 +25,9 @@ ms.custom: nextgen
## Overview
-During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring.
+During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring.
-With tamper protection, malicious apps are prevented from taking actions like these:
+With tamper protection, malicious apps are prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
@@ -37,11 +37,10 @@ With tamper protection, malicious apps are prevented from taking actions like th
### How it works
- Tamper protection essentially locks Windows Defender Antivirus and prevents your security settings from being changed through apps and methods like these:
+ Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as:
- Configuring settings in Registry Editor on your Windows machine
- Changing settings through PowerShell cmdlets
- Editing or removing security settings through group policies
-- and so on.
Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team.
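Review bot: `If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team.` ties the lock-out to the licence, but the Intune section later in this file makes it conditional on the setting being deployed through Intune (its prerequisites require E5 plus Intune device management). Suggest "If your organization manages tamper protection through Intune, individual users can't change the setting". Also `+ Tamper protection essentially locks ...` carries a leading space that the surrounding paragraphs do not; it renders, but it is inconsistent.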
@@ -60,7 +59,7 @@ Tamper protection doesn't prevent you from viewing your security settings. And,
## Turn tamper protection on (or off) for an individual machine
> [!NOTE]
-> Tamper protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
+> Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry.
>
> To help ensure that tamper protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
>
@@ -74,28 +73,28 @@ If you are a home user, or you are not subject to settings managed by a security
3. Set **Tamper Protection** to **On** or **Off**.
-Here's what you see in the Windows Security app:
+ Here's what you see in the Windows Security app:
-
+ 
## Turn tamper protection on (or off) for your organization using Intune
-If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)).
+If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)).
> [!NOTE]
-> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.
+> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.
-You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
+You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune:
- - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
+ - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.)
- Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.)
- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
- - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).)
+ - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
-2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account.
+2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account.
3. Select **Device configuration** > **Profiles**.
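Review bot: most of this hunk is trailing-whitespace churn (the portal sentence, the NOTE body, the permissions sentence, the first prerequisite and step 2 change only in trailing spaces), which buries the one real change, the renamed link in the platform/engine prerequisite; consider splitting the whitespace cleanup into its own commit. The version prerequisites (security intelligence 1.287.60.0, platform 4.18.1906.3, engine 1.1.15500.X) would be more actionable with the check an admin can run: `Get-MpComputerStatus` reports `AntivirusSignatureVersion`, `AMProductVersion` and `AMEngineVersion`, and PowerShell is already the page's stated approach for older releases ("you can use PowerShell to determine whether tamper protection is enabled").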
@@ -113,10 +112,6 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
5. Assign the profile to one or more groups.
-Here's what you see in the Windows Security app:
-
-
-
### Are you using Windows OS 1709, 1803, or 1809?
If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled.
@@ -131,17 +126,17 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release
## View information about tampering attempts
-Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
+Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
-When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).

-Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts.
+Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts.
## Review your security recommendations
-Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
+Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:

@@ -165,7 +160,7 @@ No
No. Third-party antivirus offerings will continue to register with the Windows Security application.
-### What happens if Windows Defender Antivirus is not active on a device?
+### What happens if Microsoft Defender Antivirus is not active on a device?
Tamper protection will not have any impact on such devices.
@@ -175,18 +170,18 @@ If you are a home user, see [Turn tamper protection on (or off) for an individua
If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune).
-### How does configuring tamper protection in Intune affect how I manage Windows Defender Antivirus through my group policy?
+### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy?
-Your regular group policy doesn’t apply to tamper protection, and changes to Windows Defender Antivirus settings are ignored when tamper protection is on.
+Your regular group policy doesn’t apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on.
>[!NOTE]
->A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Windows Defender Antivirus features protected by tamper protection. To avoid any potential delays, we recommend that you remove settings that control Windows Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Windows Defender Antivirus settings.
-> Sample Windows Defender Antivirus settings:
-> Turn off Windows Defender Antivirus
+>A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Microsoft Defender Antivirus features protected by tamper protection. To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Microsoft Defender Antivirus settings.
+> Sample Microsoft Defender Antivirus settings:
+> Turn off Microsoft Defender Antivirus
> Computer Configuration\Administrative Templates\Windows Components\Windows Defender\
Value DisableAntiSpyware = 0
>Turn off real-time protection
-Computer Configuration\Administrative Templates\Windows Components\Windows Defender Antivirus\Real-time Protection\
+Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\
Value DisableRealtimeMonitoring = 0
### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only?
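Review bot: the two Group Policy paths in the NOTE are now inconsistent with each other: the first (`> Computer Configuration\Administrative Templates\Windows Components\Windows Defender\`) is left as "Windows Defender" while the second is renamed to `...\Windows Components\Microsoft Defender Antivirus\Real-time Protection\`. Since these are tree paths admins must find in the Group Policy editor, both should be checked against the node name the shipped ADMX templates actually display rather than renamed by search-and-replace. Separately, the lines `Value DisableAntiSpyware = 0`, `Value DisableRealtimeMonitoring = 0` and the second path have no leading `>`, so they render outside the NOTE blockquote; prefix every line of the sample with `>` (and consider a fenced block for the paths) so the sample settings stay inside the note.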
@@ -216,7 +211,7 @@ In this case, tamper protection status changes, and this feature is no longer ap
### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center?
-Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
+Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
In addition, your security operations team can use hunting queries, such as the following:
@@ -234,4 +229,4 @@ No.
[Get an overview of Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
-[Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-antivirus.md)
+[Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-defender-antivirus.md)
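Review bot: this link target changes from `why-use-microsoft-antivirus.md` to `why-use-microsoft-defender-antivirus.md`, which is not the plain `windows-defender` to `microsoft-defender` substitution used elsewhere in this change; confirm a file of that name is created or renamed in the same change set and that a redirect covers the old path, or the link will break.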
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
similarity index 65%
rename from windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
index 8f6ebb3c64..18c0fdfc15 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Hide the Windows Defender Antivirus interface
+title: Hide the Microsoft Defender Antivirus interface
description: You can hide virus and threat protection tile in the Windows Security app.
keywords: ui lockdown, headless mode, hide app, hide settings, hide interface
search.product: eADQiWindows 10XVcnh
@@ -17,17 +17,17 @@ ms.reviewer:
manager: dansimp
---
-# Prevent users from seeing or interacting with the Windows Defender Antivirus user interface
+# Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans.
+You can use Group Policy to prevent users on endpoints from seeing the Microsoft Defender Antivirus interface. You can also prevent them from pausing scans.
-## Hide the Windows Defender Antivirus interface
+## Hide the Microsoft Defender Antivirus interface
-In Windows 10, versions 1703, hiding the interface will hide Windows Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Security app.
+In Windows 10, versions 1703, hiding the interface will hide Microsoft Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Security app.
With the setting set to **Enabled**:
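Review bot: "In Windows 10, versions 1703, hiding the interface will hide ..." is ungrammatical and ambiguous about scope on the renamed `+` line; since the line is being touched anyway, state the intended range, for example "In Windows 10, version 1703 and later, hiding the interface hides ...", so the reader knows whether the behaviour applies only to 1703 or to later releases as well.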
@@ -38,13 +38,13 @@ With the setting set to **Disabled** or not configured:

>[!NOTE]
->Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+>Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app."

-## Use Group Policy to hide the Windows Defender AV interface from users
+## Use Group Policy to hide the Microsoft Defender AV interface from users
1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -52,11 +52,11 @@ In earlier versions of Windows 10, the setting will hide the Windows Defender cl
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
5. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**.
-See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) for more options on preventing users form modifying protection on their PCs.
+See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) for more options on preventing users form modifying protection on their PCs.
## Prevent users from pausing a scan
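Review bot: the renamed `+` line still carries the typo "preventing users form modifying protection"; change "form" to "from" while the line is being edited.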
@@ -70,14 +70,14 @@ You can prevent users from pausing scans, which can be helpful to ensure schedul
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Scan**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
5. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**.
## Related articles
-- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+- [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
-- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)
+- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
similarity index 61%
rename from windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
index caea14600c..aa0b387ceb 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Monitor and report on Windows Defender Antivirus protection
-description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Windows Defender AV with PowerShell and WMI.
-keywords: siem, monitor, report, windows defender av
+title: Monitor and report on Microsoft Defender Antivirus protection
+description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Microsoft Defender AV with PowerShell and WMI.
+keywords: siem, monitor, report, Microsoft Defender AV
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -17,28 +17,28 @@ ms.reviewer:
manager: dansimp
---
-# Report on Windows Defender Antivirus
+# Report on Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
+With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
-Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings.
+Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Microsoft Defender Antivirus issues, including protection updates and real-time protection settings.
If you have a third-party security information and event management (SIEM) server, you can also consume [Windows Defender client events](https://msdn.microsoft.com/library/windows/desktop/aa964766(v=vs.85).aspx).
-Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security auditing](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md).
+Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security auditing](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-microsoft-defender-antivirus.md).
These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/library/windows/desktop/bb427443(v=vs.85).aspx). Often, SIEM servers have connectors for Windows events, allowing you to correlate all security events in your SIEM server.
You can also [monitor malware events using the Malware Assessment solution in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-malware).
-For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref2).
+For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-microsoft-defender-antivirus.md#ref2).
## Related articles
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
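Review bot: the link text "[Windows Defender events](troubleshoot-microsoft-defender-antivirus.md)" keeps the old product name while its target is renamed, and the unchanged context line above it still says "Windows Defender client events". If these deliberately refer to the event log provider name as it appears in Event Viewer, that is fine but worth a short clarifying phrase; if they are just missed renames, update them so the page does not mix the two product names.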
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..325b0800ee
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
@@ -0,0 +1,43 @@
+---
+title: Restore quarantined files in Microsoft Defender AV
+description: You can restore files and folders that were quarantined by Microsoft Defender AV.
+keywords:
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 05/20/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Restore quarantined files in Microsoft Defender AV
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain a quarantined file is not a threat, you can restore it.
+
+1. Open **Windows Security**.
+2. Select **Virus & threat protection** and then click **Protection history**.
+3. In the list of all recent items, filter on **Quarantined Items**.
+4. Select an item you want to keep, and take an action, such as restore.
+
+> [!TIP]
+> Restoring a file from quarantine can also be done using Command Prompt. See [Restore a file from quarantine](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts#restore-file-from-quarantine).
+
+## Related articles
+
+- [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
+- [Review scan results](review-scan-results-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
+
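Review bot: the front matter of this new file declares `ms.pagetype: security` twice (once after `search.product` and again after `ms.sitesec`), and `keywords:` is left empty; drop the duplicate key and either fill in keywords or remove the empty field. In the procedure, step 4 ("take an action, such as restore") could name the actual control the user clicks so the step is unambiguous, and the TIP's statement that restore "can also be done using Command Prompt" should say which tool is used (the linked page covers that) so readers are not left guessing.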
diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
similarity index 66%
rename from windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
index d0f31c4c8d..1e4a2b7142 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Review the results of Windows Defender AV scans
+title: Review the results of Microsoft Defender AV scans
description: Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
keywords: scan results, remediation, full scan, quick scan
search.product: eADQiWindows 10XVcnh
@@ -17,13 +17,13 @@ ms.reviewer:
manager: dansimp
---
-# Review Windows Defender Antivirus scan results
+# Review Microsoft Defender Antivirus scan results
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-After an Windows Defender Antivirus scan completes, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results.
+After an Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results.
## Use Microsoft Intune to review scan results
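Review bot: the renamed `+` line reads "After an Microsoft Defender Antivirus scan completes"; the article should be "a" (the original "an Windows" was already wrong), and "the results are recorded and you can view the results" repeats itself and could end at "are recorded for review".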
@@ -56,7 +56,7 @@ Get-MpThreat

-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
## Use Windows Management Instruction (WMI) to review scan results
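Review bot: the heading "Use Windows Management Instruction (WMI) to review scan results" expands the acronym incorrectly; WMI is Windows Management Instrumentation. The same wrong expansion appears in the "Use Windows Management Instruction (WMI) to run a scan" heading in run-scan-microsoft-defender-antivirus.md further down in this change; fix both while these files are being renamed.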
@@ -65,5 +65,5 @@ Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**]
## Related articles
-- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
similarity index 66%
rename from windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
index f36197fe0f..a0fc81be46 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Run and customize on-demand scans in Windows Defender AV
+title: Run and customize on-demand scans in Microsoft Defender AV
description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
keywords: scan, on-demand, dos, intune, instant scan
search.product: eADQiWindows 10XVcnh
@@ -17,7 +17,7 @@ ms.reviewer:
manager: dansimp
---
-# Configure and run on-demand Windows Defender Antivirus scans
+# Configure and run on-demand Microsoft Defender Antivirus scans
**Applies to:**
@@ -30,7 +30,7 @@ You can run an on-demand scan on individual endpoints. These scans will start im
Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
-Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
+Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
@@ -50,7 +50,7 @@ Use the following `-scan` parameter:
```DOS
mpcmdrun.exe -scan -scantype 1
```
-See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
+See [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
## Use Microsoft Intune to run a scan
@@ -61,7 +61,7 @@ See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defen
## Use the Windows Security app to run a scan
-See [Run a scan in the Windows Security app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints.
+See [Run a scan in the Windows Security app](microsoft-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints.
## Use PowerShell cmdlets to run a scan
@@ -70,7 +70,7 @@ Use the following cmdlet:
```PowerShell
Start-MpScan
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
## Use Windows Management Instruction (WMI) to run a scan
@@ -82,6 +82,6 @@ See the following for more information and allowed parameters:
## Related articles
-- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
-- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
similarity index 70%
rename from windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
index b2b391a114..a155de8626 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Schedule regular quick and full scans with Windows Defender AV
+title: Schedule regular quick and full scans with Microsoft Defender AV
description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular
search.product: eADQiWindows 10XVcnh
@@ -17,19 +17,19 @@ ms.reviewer:
manager: dansimp
---
-# Configure scheduled quick or full Windows Defender Antivirus scans
+# Configure scheduled quick or full Microsoft Defender Antivirus scans
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!NOTE]
-> By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default.
+> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
-In addition to always-on real-time protection and [on-demand](run-scan-windows-defender-antivirus.md) scans, you can set up regular, scheduled scans.
+In addition to always-on real-time protection and [on-demand](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled scans.
-You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
+You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
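Review bot: the context line "You can also configure schedules scans with ..." has a typo ("schedules" should be "scheduled"); it is unchanged by this hunk but sits right next to the renamed lines, so it is worth fixing in the same pass.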
@@ -41,11 +41,11 @@ To configure the Group Policy settings described in this topic:
4. Click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
-Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics.
+Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) topics.
## Quick scan versus full scan and custom scan
@@ -53,11 +53,11 @@ When you set up scheduled scans, you can set up whether the scan should be a ful
Quick scans look at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
-Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
+Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
-A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-windows-defender-antivirus.md).
+A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-microsoft-defender-antivirus.md).
A custom scan allows you to specify the files and folders to scan, such as a USB drive.
@@ -69,7 +69,7 @@ A custom scan allows you to specify the files and folders to scan, such as a USB
Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
>[!NOTE]
->If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan at the next scheduled time.
+>If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus will run a full scan at the next scheduled time.
**Use Group Policy to schedule scans:**
@@ -78,7 +78,7 @@ Location | Setting | Description | Default setting (if not configured)
Scan | Specify the scan type to use for a scheduled scan | Quick scan
Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am
-Root | Randomize scheduled task times |In Windows Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours. In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled
+Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours. In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled
**Use PowerShell cmdlets to schedule scans:**
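Review bot: The first data row of the Group Policy table, "Scan | Specify the scan type to use for a scheduled scan | Quick scan", has only three cells while the header declares four (Location | Setting | Description | Default setting), so "Quick scan" will render under Description rather than under the default column; add the missing Description cell (or an empty `| |`) so the row lines up with the rows that follow.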
@@ -92,7 +92,7 @@ Set-MpPreference -RandomizeScheduleTaskTimes
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
**Use Windows Management Instruction (WMI) to schedule scans:**
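Review bot: The bold heading "Use Windows Management Instruction (WMI) to schedule scans" expands the acronym incorrectly; WMI is Windows Management Instrumentation. The same wording recurs in the later "Use Windows Management Instruction (WMI)" headings in this file, so it is worth fixing all of them in this pass since the surrounding lines are already being edited.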
@@ -127,7 +127,7 @@ Use the following cmdlets:
Set-MpPreference -ScanOnlyIfIdleEnabled
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
**Use Windows Management Instruction (WMI):**
@@ -163,7 +163,7 @@ Set-MpPreference -RemediationScheduleDay
Set-MpPreference -RemediationScheduleTime
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
**Use Windows Management Instruction (WMI):**
@@ -200,7 +200,7 @@ Use the following cmdlets:
Set-MpPreference -ScanScheduleQuickTime
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
**Use Windows Management Instruction (WMI) to schedule daily scans:**
@@ -217,7 +217,7 @@ See the following for more information and allowed parameters:
## Enable scans after protection updates
-You can force a scan to occur after every [protection update](manage-protection-updates-windows-defender-antivirus.md) with Group Policy.
+You can force a scan to occur after every [protection update](manage-protection-updates-microsoft-defender-antivirus.md) with Group Policy.
**Use Group Policy to schedule scans after protection updates**
@@ -232,9 +232,9 @@ Signature updates | Turn on scan after Security intelligence update | A scan wil
## Related topics
-- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md)
-- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
-- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
similarity index 69%
rename from windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
index d04a0c0bd5..c6a20d3a13 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Specify cloud-delivered protection level in Windows Defender Antivirus
-description: Set the aggressiveness of cloud-delivered protection in Windows Defender Antivirus.
-keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
+title: Specify cloud-delivered protection level in Microsoft Defender Antivirus
+description: Set the aggressiveness of cloud-delivered protection in Microsoft Defender Antivirus.
+keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -23,24 +23,24 @@ ms.custom: nextgen
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager.
+You can specify the level of cloud-protection offered by Microsoft Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager.
>[!NOTE]
->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+>The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
## Use Intune to specify the level of cloud-delivered protection
1. Sign in to the [Azure portal](https://portal.azure.com).
2. Select **All services > Intune**.
3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
+4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**.
5. On the **File Blocking Level** switch, select one of the following:
1. **High**: Applies a strong level of detection.
2. **High +**: Uses the **High** level and applies additional protection measures (may impact client performance).
3. **Zero tolerance**: Blocks all unknown executables.
-8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
+8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
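Review bot: The Intune procedure's step numbering jumps from "5." straight to "8." on the changed line "8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane ...", with no steps 6 and 7 in between; since that line is being rewritten anyway, renumber it to "6." (or restore the missing steps if they were dropped by mistake).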
@@ -59,10 +59,10 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
4. Click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**.
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**.
6. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
- - **Default Windows Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files.
+ - **Default Microsoft Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files.
- **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives).
- **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives).
- **Zero tolerance blocking level** blocks all unknown executables.
@@ -75,8 +75,8 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
## Related articles
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
similarity index 83%
rename from windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
index 8b02e56f61..75665404c2 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender AV event IDs and error codes
-description: Look up the causes and solutions for Windows Defender Antivirus event IDs and errors
+title: Microsoft Defender AV event IDs and error codes
+description: Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors
keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -17,19 +17,19 @@ ms.reviewer:
manager: dansimp
---
-# Review event logs and error codes to troubleshoot issues with Windows Defender Antivirus
+# Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
+If you encounter a problem with Microsoft Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
The tables list:
-- [Windows Defender Antivirus event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016)
-- [Windows Defender Antivirus client error codes](#error-codes)
-- [Internal Windows Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes)
+- [Microsoft Defender Antivirus event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016)
+- [Microsoft Defender Antivirus client error codes](#error-codes)
+- [Internal Microsoft Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes)
> [!TIP]
> You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
@@ -39,18 +39,18 @@ The tables list:
> - Potentially unwanted application blocking
-## Windows Defender Antivirus event IDs
+## Microsoft Defender Antivirus event IDs
-Windows Defender Antivirus records event IDs in the Windows event log.
+Microsoft Defender Antivirus records event IDs in the Windows event log.
-You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender Antivirus client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
+You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Microsoft Defender Antivirus client event IDs](troubleshoot-microsoft-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
-The table in this section lists the main Windows Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error.
+The table in this section lists the main Microsoft Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error.
-## To view a Windows Defender Antivirus event
+## To view a Microsoft Defender Antivirus event
1. Open **Event Viewer**.
-2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender Antivirus**.
+2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Microsoft Defender Antivirus**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event.
5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
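Review bot: The heading "## Windows Defender Antivirus event IDs" is renamed to "## Microsoft Defender Antivirus event IDs", but the two links that point at it keep the fragment `#windows-defender-av-ids` (the bullet "[Microsoft Defender Antivirus event IDs](#windows-defender-av-ids)" and the self-link "troubleshoot-microsoft-defender-antivirus.md#windows-defender-av-ids"). Unless that heading carries an explicit anchor id elsewhere in the file, the fragment will not resolve against the auto-generated heading id; either update the fragment to match the new heading text or add an explicit anchor next to the heading.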
@@ -324,7 +324,7 @@ Description of the error.
User action:
-The antivirus client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (Windows Defender Antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error.
+The antivirus client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (Microsoft Defender Antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error.
To troubleshoot this event:
Run the scan again.
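Review bot: In "type of scan (Microsoft Defender Antivirus, antispyware, antimalware)" the parenthetical enumerates scan categories, and a product name as the first item reads as a mis-applied find-and-replace; the other two items suggest the intended word is the generic "antivirus", so check the source of this sentence before carrying the product name forward.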
@@ -432,7 +432,7 @@ Message:
Description:
-Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information, see the following:
+Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information, see the following:
User: <Domain>\<User>
Name: <Threat name>
@@ -484,7 +484,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information, see the following:
+Microsoft Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information, see the following:
User: <Domain>\<User>
Name: <Threat name>
@@ -543,7 +543,7 @@ Message:
Description:
-Windows Defender Antivirus has restored an item from quarantine. For more information, see the following:
+Microsoft Defender Antivirus has restored an item from quarantine. For more information, see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -587,7 +587,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information, see the following:
+Microsoft Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information, see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -634,7 +634,7 @@ Message:
Description:
-Windows Defender Antivirus has deleted an item from quarantine. For more information, see the following:
+Microsoft Defender Antivirus has deleted an item from quarantine. For more information, see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -677,7 +677,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered an error trying to delete an item from quarantine.
+Microsoft Defender Antivirus has encountered an error trying to delete an item from quarantine.
For more information, see the following:
Name: <Threat name>
@@ -725,7 +725,7 @@ Message:
Description:
-Windows Defender Antivirus has removed history of malware and other potentially unwanted software.
+Microsoft Defender Antivirus has removed history of malware and other potentially unwanted software.
Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
User: <Domain>\<User>
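Review bot: The unchanged context sentence "For those, we specifically call them as Action Time or Detection Time." is ungrammatical ("call them as"); "we refer to them as Action Time or Detection Time" reads cleanly. The identical sentence appears again in the next hunk, so both copies can be fixed together.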
@@ -756,7 +756,7 @@ The antimalware platform could not delete history of malware and other potential
Description:
-Windows Defender Antivirus has encountered an error trying to remove history of malware and other potentially unwanted software.
+Microsoft Defender Antivirus has encountered an error trying to remove history of malware and other potentially unwanted software.
Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
User: <Domain>\<User>
@@ -791,7 +791,7 @@ Message:
Description:
-Windows Defender Antivirus has detected a suspicious behavior. For more information, see the following:
+Microsoft Defender Antivirus has detected a suspicious behavior. For more information, see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -868,7 +868,7 @@ Message:
Description:
-Windows Defender Antivirus has detected malware or other potentially unwanted software. For more information, see the following:
+Microsoft Defender Antivirus has detected malware or other potentially unwanted software. For more information, see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -921,7 +921,7 @@ UAC
User action:
-No action is required. Windows Defender Antivirus can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender Antivirus interface, click Clean Computer.
+No action is required. Microsoft Defender Antivirus can suspend and take routine action on this threat. If you want to remove the threat manually, in the Microsoft Defender Antivirus interface, click Clean Computer.
@@ -949,7 +949,7 @@ Message:
Description:
-Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information, see the following:
+Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information, see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -1010,7 +1010,7 @@ Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
NOTE:
-Whenever Windows Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services that the malware might have changed:
+Whenever Microsoft Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services that the malware might have changed:
Default Internet Explorer or Microsoft Edge setting
User Access Control settings
Chrome settings
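Review bot: The rewritten NOTE line still says "detects a malware"; malware is an uncountable noun, so "detects malware" is the correct form, and "might have changed" later in the sentence already carries the conditional, so no other change is needed.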
@@ -1049,7 +1049,7 @@ Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Se
User action:
-No action is necessary. Windows Defender Antivirus removed or quarantined a threat.
+No action is necessary. Microsoft Defender Antivirus removed or quarantined a threat.
@@ -1076,7 +1076,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software. For more information, see the following:
+Microsoft Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software. For more information, see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -1144,7 +1144,7 @@ Description of the error.
User action:
-No action is necessary. Windows Defender Antivirus failed to complete a task related to the malware remediation. This is not a critical failure.
+No action is necessary. Microsoft Defender Antivirus failed to complete a task related to the malware remediation. This is not a critical failure.
@@ -1171,7 +1171,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software. For more information, see the following:
+Microsoft Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software. For more information, see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -1239,7 +1239,7 @@ Description of the error.
User action:
-The Windows Defender Antivirus client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.
+The Microsoft Defender Antivirus client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.
Action
@@ -1302,7 +1302,7 @@ Symbolic name:
Message:
-Windows Defender Antivirus has deduced the hashes for a threat resource.
+Microsoft Defender Antivirus has deduced the hashes for a threat resource.
@@ -1310,7 +1310,7 @@ Message:
Description:
-Windows Defender Antivirus client is up and running in a healthy state.
+Microsoft Defender Antivirus client is up and running in a healthy state.
Current Platform Version: <Current platform version>
Threat Resource Path: <Path>
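Review bot: The Description text being renamed here, "Microsoft Defender Antivirus client is up and running in a healthy state.", does not match the Message for this event in the preceding hunk ("has deduced the hashes for a threat resource") nor the "Threat Resource Path: <Path>" field that follows it; it looks copied from the healthy-state event further down. Consider replacing it with a description of the hash computation while the line is being touched.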
@@ -1349,7 +1349,7 @@ Message:
Description:
-Windows Defender Antivirus client is up and running in a healthy state.
+Microsoft Defender Antivirus client is up and running in a healthy state.
Platform Version: <Current platform version>
Signature Version: <Definition version>
@@ -1362,7 +1362,7 @@ Windows Defender Antivirus client is up and running in a healthy state.
User action:
-No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.
+No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.
@@ -1467,7 +1467,7 @@ Antivirus signature version has been updated.
User action:
-No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when signatures are successfully updated.
+No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when signatures are successfully updated.
@@ -1494,7 +1494,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered an error trying to update signatures.
+Microsoft Defender Antivirus has encountered an error trying to update signatures.
New security intelligence version: <New version number>
@@ -1586,7 +1586,7 @@ Windows Defender Antivirus engine version has been updated.
User action:
-No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
+No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
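Review bot: The hunk header context `@@ -1586,7 +1586,7 @@ Windows Defender Antivirus engine version has been updated.` shows that the line just above this hunk still carries the old product name, and no hunk in this diff touches it, so that occurrence survives the rename; extend the hunk (or add one) to cover it.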
@@ -1613,7 +1613,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered an error trying to update the engine.
+Microsoft Defender Antivirus has encountered an error trying to update the engine.
@@ -1631,10 +1631,10 @@ Description of the error.
User action:
-The Windows Defender Antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
+The Microsoft Defender Antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
To troubleshoot this event:
-
-Windows Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
+Microsoft Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
Signatures Attempted:
Error Code: <Error code>
@@ -1680,7 +1680,7 @@ Description of the error.
User action:
-The Windows Defender Antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender Antivirus will attempt to revert back to a known-good set of definitions.
+The Microsoft Defender Antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Microsoft Defender Antivirus will attempt to revert back to a known-good set of definitions.
To troubleshoot this event:
Restart the computer and try again.
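Review bot: Style in the User action line: "revert back to a known-good set of definitions" is redundant; since the line is being touched anyway, "revert to a known-good set of definitions" reads better (the -1631 hunk has the same "attempt reverting back" wording).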
@@ -1715,7 +1715,7 @@ Message:
Description:
-Windows Defender Antivirus could not load antimalware engine because current platform version is not supported. Windows Defender Antivirus will revert back to the last known-good engine and a platform update will be attempted.
+Microsoft Defender Antivirus could not load antimalware engine because current platform version is not supported. Microsoft Defender Antivirus will revert back to the last known-good engine and a platform update will be attempted.
Current Platform Version: <Current platform version>
@@ -1746,7 +1746,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered an error trying to update the platform.
+Microsoft Defender Antivirus has encountered an error trying to update the platform.
Current Platform Version: <Current platform version>
-Windows Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender Antivirus platform to maintain the best level of protection available.
+Microsoft Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Microsoft Defender Antivirus platform to maintain the best level of protection available.
Current Platform Version: <Current platform version>
@@ -1810,7 +1810,7 @@ Message:
Description:
-Windows Defender Antivirus used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
+Microsoft Defender Antivirus used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
Current Signature Version: <Current signature version>
Signature Type: <Signature type>, for example:
@@ -1868,7 +1868,7 @@ Message:
Description:
-Windows Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.
+Microsoft Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.
Current Signature Version: <Current signature version>
Signature Type: <Signature type>, for example:
@@ -1907,7 +1907,7 @@ Windows Defender Antivirus used Dynamic Signature Service to discard obso
User action:
-No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
+No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
@@ -1935,7 +1935,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered an error trying to use Dynamic Signature Service.
+Microsoft Defender Antivirus has encountered an error trying to use Dynamic Signature Service.
Current Signature Version: <Current signature version>
Signature Type: <Signature type>, for example:
@@ -2005,7 +2005,7 @@ Message:
Description:
-Windows Defender Antivirus discarded all Dynamic Signature Service signatures.
+Microsoft Defender Antivirus discarded all Dynamic Signature Service signatures.
Current Signature Version: <Current signature version>
@@ -2036,7 +2036,7 @@ Message:
Description:
-Windows Defender Antivirus downloaded a clean file.
+Microsoft Defender Antivirus downloaded a clean file.
Filename: <File name>
Name of the file.
@@ -2069,7 +2069,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered an error trying to download a clean file.
+Microsoft Defender Antivirus has encountered an error trying to download a clean file.
Filename: <File name>
Name of the file.
@@ -2088,7 +2088,7 @@ User action:
Check your Internet connectivity settings.
-The Windows Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
+The Microsoft Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
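Review bot: Grammar in the User action line: "download the latest definitions to a specific threat" should read "for a specific threat". The change only swaps the product name, so this is a good moment to fix the preposition.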
@@ -2114,7 +2114,7 @@ Message:
Description:
-Windows Defender Antivirus downloaded and configured offline antivirus to run on the next reboot.
+Microsoft Defender Antivirus downloaded and configured offline antivirus to run on the next reboot.
@@ -2141,7 +2141,7 @@ Message:
Description:
-Windows Defender Antivirus has encountered an error trying to download and configure offline antivirus.
+Microsoft Defender Antivirus has encountered an error trying to download and configure offline antivirus.
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
@@ -2175,7 +2175,7 @@ Message:
Description:
-The support for your operating system will expire shortly. Running Windows Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.
+The support for your operating system will expire shortly. Running Microsoft Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.
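Review bot: Style: "out of support operating system" should be hyphenated as "out-of-support operating system" when used attributively; the same wording appears in the -2203 hunk below.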
@@ -2203,7 +2203,7 @@ Message:
Description:
-The support for your operating system has expired. Running Windows Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.
+The support for your operating system has expired. Running Microsoft Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.
@@ -2231,7 +2231,7 @@ Message:
Description:
-The support for your operating system has expired. Windows Defender Antivirus is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
+The support for your operating system has expired. Microsoft Defender Antivirus is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
@@ -2258,7 +2258,7 @@ Message:
Description:
-Windows Defender Antivirus Real-Time Protection feature has encountered an error and failed.
+Microsoft Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: <Feature>, for example:
@@ -2272,7 +2272,7 @@ Windows Defender Antivirus Real-Time Protection feature has encountered an error
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.
-
Reason: The reason Windows Defender Antivirus real-time protection has restarted a feature.
+
Reason: The reason Microsoft Defender Antivirus real-time protection has restarted a feature.
@@ -2282,7 +2282,7 @@ User action:
You should restart the system then run a full scan because it's possible the system was not protected for some time.
-The Windows Defender Antivirus client's real-time protection feature encountered an error because one of the services failed to start.
+The Microsoft Defender Antivirus client's real-time protection feature encountered an error because one of the services failed to start.
If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.
@@ -2310,7 +2310,7 @@ Message:
Description:
-Windows Defender Antivirus Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
+Microsoft Defender Antivirus Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
Feature: <Feature>, for example:
@@ -2320,7 +2320,7 @@ Windows Defender Antivirus Real-time Protection has restarted a feature. It is r
Network Inspection System
-
Reason: The reason Windows Defender Antivirus real-time protection has restarted a feature.
+
Reason: The reason Microsoft Defender Antivirus real-time protection has restarted a feature.
@@ -2357,7 +2357,7 @@ Message:
Description:
-Windows Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled.
+Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled.
@@ -2384,7 +2384,7 @@ Message:
Description:
-Windows Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.
+Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.
@@ -2412,7 +2412,7 @@ Message:
Description:
-Windows Defender Antivirus real-time protection feature configuration has changed.
+Microsoft Defender Antivirus real-time protection feature configuration has changed.
Feature: <Feature>, for example:
@@ -2450,7 +2450,7 @@ Message:
Description:
-Windows Defender Antivirus configuration has changed. If this is an unexpected event, you should review the settings as this may be the result of malware.
+Microsoft Defender Antivirus configuration has changed. If this is an unexpected event, you should review the settings as this may be the result of malware.
Old value: <Old value number>
Old antivirus configuration value.
@@ -2482,7 +2482,7 @@ Message:
Description:
-Windows Defender Antivirus engine has been terminated due to an unexpected error.
+Microsoft Defender Antivirus engine has been terminated due to an unexpected error.
Failure Type: <Failure type>, for example:
Crash
@@ -2513,7 +2513,7 @@ To troubleshoot this event:
User action:
-The Windows Defender Antivirus client engine stopped due to an unexpected error.
+The Microsoft Defender Antivirus client engine stopped due to an unexpected error.
To troubleshoot this event:
Run the scan again.
@@ -2548,7 +2548,7 @@ Message:
Description:
-Windows Defender Antivirus scanning for malware and other potentially unwanted software has been enabled.
+Microsoft Defender Antivirus scanning for malware and other potentially unwanted software has been enabled.
@@ -2575,7 +2575,7 @@ Message:
Description:
-Windows Defender Antivirus scanning for malware and other potentially unwanted software is disabled.
+Microsoft Defender Antivirus scanning for malware and other potentially unwanted software is disabled.
@@ -2601,7 +2601,7 @@ Message:
Description:
-Windows Defender Antivirus scanning for viruses has been enabled.
+Microsoft Defender Antivirus scanning for viruses has been enabled.
@@ -2629,7 +2629,7 @@ Message:
Description:
-Windows Defender Antivirus scanning for viruses is disabled.
+Microsoft Defender Antivirus scanning for viruses is disabled.
@@ -2657,10 +2657,10 @@ Message:
Description:
-Windows Defender Antivirus has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
+Microsoft Defender Antivirus has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
-
Expiration Reason: The reason Windows Defender Antivirus will expire.
-
Expiration Date: The date Windows Defender Antivirus will expire.
+
Expiration Reason: The reason Microsoft Defender Antivirus will expire.
+
Expiration Date: The date Microsoft Defender Antivirus will expire.
@@ -2689,7 +2689,7 @@ Message:
Description:
-Windows Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
+Microsoft Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
Expiration Reason:
Expiration Date:
@@ -2703,14 +2703,14 @@ Description of the error.
-## Windows Defender Antivirus client error codes
-If Windows Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
-This section provides the following information about Windows Defender Antivirus client errors.
+## Microsoft Defender Antivirus client error codes
+If Microsoft Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
+This section provides the following information about Microsoft Defender Antivirus client errors.
- The error code
- The possible reason for the error
- Advice on what to do now
-Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes.
+Use the information in these tables to help troubleshoot Microsoft Defender Antivirus error codes.
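Review bot: Grammar in the first + paragraph: a comma is needed after the conditional clause ("If Microsoft Defender Antivirus experiences any issues, it will usually give you an error code…"), and "an error code to help you troubleshoot the issue" repeats "issue"; "an error code that helps you troubleshoot it" avoids that.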
@@ -2753,7 +2753,7 @@ This error indicates that there might be a problem with your security product.
Resolution
Update the definitions. Either:
-
Click the Update definitions button on the Update tab in Windows Defender Antivirus. Or,
+
Click the Update definitions button on the Update tab in Microsoft Defender Antivirus. Or,
Download the latest definitions from the Microsoft Security Intelligence site.
Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
@@ -2785,7 +2785,7 @@ data that does not allow the engine to function properly.
Possible reason
-This error indicates that Windows Defender Antivirus failed to quarantine a threat.
+This error indicates that Microsoft Defender Antivirus failed to quarantine a threat.
@@ -2901,16 +2901,16 @@ Run offline Windows Defender Antivirus. You can read about how to do this in the
ERROR_MP_PLATFORM_OUTDATED
Possible reason
-This error indicates that Windows Defender Antivirus does not support the current version of the platform and requires a new version of the platform.
+This error indicates that Microsoft Defender Antivirus does not support the current version of the platform and requires a new version of the platform.
Resolution
-You can only use Windows Defender Antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.
+You can only use Microsoft Defender Antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.
-The following error codes are used during internal testing of Windows Defender Antivirus.
+The following error codes are used during internal testing of Microsoft Defender Antivirus.
-If you see these errors, you can try to [update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
+If you see these errors, you can try to [update definitions](manage-updates-baselines-microsoft-defender-antivirus.md) and force a rescan directly on the endpoint.
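Review bot: This hunk changes a relative link target to manage-updates-baselines-microsoft-defender-antivirus.md; please confirm that file is renamed in the same PR (the use-group-policy article later in this diff is moved with a git rename, which is the pattern to follow), otherwise the link 404s on publish. Also, the `@@` context line above this hunk still reads "Run offline Windows Defender Antivirus", so one occurrence in this section is missed by the rename.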
@@ -3240,5 +3240,5 @@ This is an internal error. It might have triggered when a scan fails to complete
## Related topics
-- [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Report on Microsoft Defender Antivirus protection](report-monitor-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
new file mode 100644
index 0000000000..43310f4b21
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
@@ -0,0 +1,70 @@
+---
+title: Troubleshoot problems with reporting tools for Microsoft Defender AV
+description: Identify and solve common problems when attempting to report in Microsoft Defender AV protection status in Update Compliance
+keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.reviewer:
+manager: dansimp
+---
+
+# Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+> [!IMPORTANT]
+> On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
+
+You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx).
+
+When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Microsoft Defender Antivirus, you might encounter problems or issues.
+
+Typically, the most common indicators of a problem are:
+- You only see a small number or subset of all the devices you were expecting to see
+- You do not see any devices at all
+- The reports and information you do see is outdated (older than a few days)
+
+For common error codes and event IDs related to the Microsoft Defender Antivirus service that are not related to Update Compliance, see [Microsoft Defender Antivirus events](troubleshoot-microsoft-defender-antivirus.md).
+
+There are three steps to troubleshooting these problems:
+
+1. Confirm that you have met all prerequisites
+2. Check your connectivity to the Windows Defender cloud-based service
+3. Submit support logs
+
+>[!IMPORTANT]
+>It typically takes 3 days for devices to start appearing in Update Compliance.
+
+
+## Confirm prerequisites
+
+In order for devices to properly show up in Update Compliance, you have to meet certain prerequisites for both the Update Compliance service and for Microsoft Defender Antivirus:
+
+>[!div class="checklist"]
+>- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](microsoft-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance.
+> - [Cloud-delivered protection is enabled](enable-cloud-protection-microsoft-defender-antivirus.md).
+> - Endpoints can [connect to the Microsoft Defender AV cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud)
+> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level).
+> - It has been 3 days since all requirements have been met
+
+“You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
+
+If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
+
+> [!div class="nextstepaction"]
+> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data.md)
+
+## Related topics
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
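Review bot: The paragraph starting with the curly quote (“You can use Microsoft Defender Antivirus with Update Compliance…") just below the checklist is a verbatim duplicate of the paragraph above "When you use Windows Analytics Update Compliance…", pasted with an unbalanced quote pair and a bare URL instead of a link; remove it. Three smaller points in the same file: `ms.pagetype: security` appears twice in the front matter; the intro promises three troubleshooting steps but only "Confirm prerequisites" has a section, with step 2 ("Check your connectivity to the Windows Defender cloud-based service", which also still uses the old product name) not covered before the next-step link to collect-diagnostic-data.md; and the second `>[!IMPORTANT]` lacks the space after `>` used by the first one.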
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
similarity index 53%
rename from windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
index 84d8ca6968..266e82be31 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Configure Windows Defender Antivirus with Group Policy
-description: Configure Windows Defender Antivirus settings with Group Policy
+title: Configure Microsoft Defender Antivirus with Group Policy
+description: Configure Microsoft Defender Antivirus settings with Group Policy
keywords: group policy, GPO, configuration, settings
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -17,15 +17,15 @@ ms.reviewer:
manager: dansimp
---
-# Use Group Policy settings to configure and manage Windows Defender Antivirus
+# Use Group Policy settings to configure and manage Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender Antivirus on your endpoints.
+You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Microsoft Defender Antivirus on your endpoints.
-In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy settings:
+In general, you can use the following procedure to configure or change Microsoft Defender Antivirus group policy settings:
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
@@ -33,7 +33,7 @@ In general, you can use the following procedure to configure or change Windows D
3. Click **Administrative templates**.
-4. Expand the tree to **Windows components** > **Windows Defender Antivirus**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus**.
5. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
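Review bot: The tree path in step 4 is only correct when the management machine has administrative templates that carry the new node name; with older Windows 10 ADMX templates the node in the Group Policy editor is still displayed as **Windows Defender Antivirus** (the policy settings under it are the same, only the display name changed). Suggest a short note at step 4, for example "With older Administrative Templates the node is named **Windows Defender Antivirus**." so readers on existing GPMC installations can still find it.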
@@ -43,41 +43,41 @@ The following table in this topic lists the Group Policy settings available in W
Location | Setting | Article
---|---|---
-Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
-Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
-Client interface | Suppress all notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
-Client interface | Suppresses reboot notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
-Exclusions | Extension Exclusions | [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
-Exclusions | Path Exclusions | [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
-Exclusions | Process Exclusions | [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
-Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
-MAPS | Configure the 'Block at First Sight' feature | [Enable block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
-MAPS | Join Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
-MAPS | Send file samples when further analysis is required | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
-MAPS | Configure local setting override for reporting to Microsoft MAPS | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-MpEngine | Configure extended cloud check | [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-MpEngine | Select cloud protection level | [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md)
+Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
+Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+Client interface | Suppress all notifications | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+Client interface | Suppresses reboot notifications | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+Exclusions | Extension Exclusions | [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+Exclusions | Path Exclusions | [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+Exclusions | Process Exclusions | [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+MAPS | Configure the 'Block at First Sight' feature | [Enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
+MAPS | Join Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
+MAPS | Send file samples when further analysis is required | [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
+MAPS | Configure local setting override for reporting to Microsoft MAPS | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+MpEngine | Configure extended cloud check | [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
+MpEngine | Select cloud protection level | [Specify the cloud-delivered protection level](specify-cloud-protection-level-microsoft-defender-antivirus.md)
Network inspection system | Specify additional definition sets for network traffic inspection | Not used
Network inspection system | Turn on definition retirement | Not used
Network inspection system | Turn on protocol recognition | Not used
-Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for turn on behavior monitoring | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override to turn on real-time protection | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Monitor file and program activity on your computer | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Scan all downloaded files and attachments | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Turn off real-time protection | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Turn on behavior monitoring | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Turn on raw volume write notifications | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for turn on behavior monitoring | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override to turn on real-time protection | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Monitor file and program activity on your computer | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Scan all downloaded files and attachments | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Turn off real-time protection | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Turn on behavior monitoring | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Turn on raw volume write notifications | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
Reporting | Configure Watson events | Not used
Reporting | Configure Windows software trace preprocessor components | Not used
Reporting | Configure WPP tracing level | Not used
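Review bot: every target in the renamed rows is a relative link such as `configure-local-policy-overrides-microsoft-defender-antivirus.md` or `configure-real-time-protection-microsoft-defender-antivirus.md`, so each one resolves only if the matching file rename is part of this same change and the old `...-windows-defender-antivirus.md` URL gets a redirect; suggest checking each distinct target in this table against the rename list before merge, since a missed one silently breaks the link on the published page. A smaller consistency point: the two Remediation rows link to `scheduled-catch-up-scans-microsoft-defender-antivirus.md` with the text "Configure scheduled Microsoft Defender Antivirus scans", while the Root, Scan and Security intelligence rows further down use "Configure scheduled scans for Microsoft Defender Antivirus" for the same file; pick one link text for that target.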
@@ -85,66 +85,66 @@ Reporting | Configure time out for detections in critically failed state | Not u
Reporting | Configure time out for detections in non-critical failed state | Not used
Reporting | Configure time out for detections in recently remediated state | Not used
Reporting | Configure time out for detections requiring additional action | Not used
-Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
-Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly)
+Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+Root | Turn off Microsoft Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly)
Root | Define addresses to bypass proxy server | Not used
Root | Define proxy autoconfig (.pac) for connecting to the network | Not used
Root | Define proxy server for connecting to the network | Not used
-Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Root | Allow antimalware service to start up with normal priority | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
-Root | Allow antimalware service to remain running always | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
-Root | Turn off routine remediation | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
-Root | Randomize scheduled task times | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
-Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-Scan | Turn on catch up quick scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-Scan | Configure local setting override for maximum percentage of CPU utilization | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Scan | Configure local setting override for schedule scan day | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Scan | Configure local setting override for scheduled quick scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Scan | Configure local setting override for scheduled scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Scan | Configure local setting override for the scan type to use for a scheduled scan | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Scan | Create a system restore point | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
-Scan | Turn on removal of items from scan history folder | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
-Scan | Turn on heuristics | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Scan | Turn on e-mail scanning | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Turn on reparse point scanning | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Run full scan on mapped network drives | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Scan archive files | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Scan network files | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Scan packed executables | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Scan removable drives | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Specify the maximum depth to scan archive files | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Security intelligence updates | Allow security intelligence updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-Security intelligence updates | Allow security intelligence updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-Security intelligence updates | Allow notifications to disable definitions-based reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-Security intelligence updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-Security intelligence updates | Define file shares for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
-Security intelligence updates | Define the number of days after which a catch up security intelligence update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-Security intelligence updates | Define the number of days before spyware definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-Security intelligence updates | Define the number of days before virus definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-Security intelligence updates | Define the order of sources for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
-Security intelligence updates | Initiate security intelligence update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-Security intelligence updates | Specify the day of the week to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-Security intelligence updates | Specify the interval to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-Security intelligence updates | Specify the time to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-Security intelligence updates | Turn on scan after Security intelligence update | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
-Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
+Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Root | Allow antimalware service to start up with normal priority | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
+Root | Allow antimalware service to remain running always | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
+Root | Turn off routine remediation | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
+Root | Randomize scheduled task times | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
+Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+Scan | Turn on catch up quick scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for maximum percentage of CPU utilization | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for schedule scan day | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for scheduled quick scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for scheduled scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for the scan type to use for a scheduled scan | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+Scan | Create a system restore point | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
+Scan | Turn on removal of items from scan history folder | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
+Scan | Turn on heuristics | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Scan | Turn on e-mail scanning | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Turn on reparse point scanning | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Run full scan on mapped network drives | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Scan archive files | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Scan network files | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Scan packed executables | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Scan removable drives | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Specify the maximum depth to scan archive files | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Security intelligence updates | Allow security intelligence updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+Security intelligence updates | Allow security intelligence updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+Security intelligence updates | Allow notifications to disable definitions-based reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+Security intelligence updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+Security intelligence updates | Define file shares for downloading security intelligence updates | [Manage Microsoft Defender Antivirus protection and security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md)
+Security intelligence updates | Define the number of days after which a catch up security intelligence update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+Security intelligence updates | Define the number of days before spyware definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+Security intelligence updates | Define the number of days before virus definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+Security intelligence updates | Define the order of sources for downloading security intelligence updates | [Manage Microsoft Defender Antivirus protection and security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md)
+Security intelligence updates | Initiate security intelligence update on startup | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+Security intelligence updates | Specify the day of the week to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+Security intelligence updates | Specify the interval to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+Security intelligence updates | Specify the time to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+Security intelligence updates | Turn on scan after Security intelligence update | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
+Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
## Related articles
-- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
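Review bot: the "Turn off Microsoft Defender Antivirus" row is the one entry in this table whose setting removes protection, and its caution is tucked into a "Not used" cell as a parenthetical; suggest making the consequence explicit in the cell itself, e.g. "Not used. Leave this policy **Not configured**; enabling it turns off Microsoft Defender Antivirus, and it must stay Not configured for installed third-party antivirus apps to work correctly." Two style points, both pre-existing but worth fixing while the rows are being rewritten: hyphenation is inconsistent between "catch-up scan" ("Define the number of days after which a catch-up scan is forced") and "catch up full scan", "catch up quick scan" and "catch up security intelligence update"; if these are verbatim Group Policy display names, verify them against the ADMX before normalizing, otherwise use "catch-up" throughout. Likewise "Turn on scan after Security intelligence update" capitalizes "Security" mid-sentence while every other row writes "security intelligence" in lowercase.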
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
similarity index 71%
rename from windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
index df5a122dda..37d31d6dc7 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Configure Windows Defender Antivirus with Configuration Manager and Intune
-description: Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection
+title: Configure Microsoft Defender Antivirus with Configuration Manager and Intune
+description: Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection
keywords: scep, intune, endpoint protection, configuration
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
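Review bot: the title uses the full product name "Microsoft Defender Antivirus" while the description on the next line abbreviates it to "Microsoft Defender AV"; since both fields drive search and link previews, suggest the full name in the description as well, e.g. "Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Microsoft Defender Antivirus and Endpoint Protection". The `keywords` line ("scep, intune, endpoint protection, configuration") is unchanged and still carries no Defender term, so the renamed page is not findable by its new name through keywords.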
@@ -17,15 +17,15 @@ ms.reviewer:
manager: dansimp
---
-# Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage Windows Defender Antivirus
+# Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-If you are using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender Antivirus scans.
+If you are using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Microsoft Defender Antivirus scans.
-In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Windows Defender Antivirus.
+In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Microsoft Defender Antivirus.
See the [Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
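Review bot: the rewritten sentence "you can also use them to manage Microsoft Defender Antivirus scans" understates what the page's own description promises ("configure Microsoft Defender AV and Endpoint Protection"), since Configuration Manager and Intune manage the full set of settings, not only scans; suggest "you can also use them to manage Microsoft Defender Antivirus settings and scans". The following sentence about the protection being labeled "Endpoint Protection" with the same engine reads fine after the rename.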
@@ -34,5 +34,5 @@ For Microsoft Intune, consult the [Microsoft Intune library](https://docs.micros
## Related articles
-- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
similarity index 79%
rename from windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
index 76de6faff6..2ec659113a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Use PowerShell cmdlets to configure and run Windows Defender AV
-description: In Windows 10, you can use PowerShell cmdlets to run scans, update Security intelligence, and change settings in Windows Defender Antivirus.
+title: Use PowerShell cmdlets to configure and run Microsoft Defender AV
+description: In Windows 10, you can use PowerShell cmdlets to run scans, update Security intelligence, and change settings in Microsoft Defender Antivirus.
keywords: scan, command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
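Review bot: the renamed title "Use PowerShell cmdlets to configure and run Microsoft Defender AV" does not match the H1 in the next hunk, "Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus" (different verb, abbreviated product name); suggest aligning the title to the H1 so the browser tab, search result and page heading agree. The `keywords` line still lists "mpcmdrun", which is the command-line tool rather than a PowerShell cmdlet; consider adding the cmdlet-related terms readers would search for, or dropping it if the page no longer covers it.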
@@ -17,7 +17,7 @@ ms.reviewer:
manager: dansimp
---
-# Use PowerShell cmdlets to configure and manage Windows Defender Antivirus
+# Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus
**Applies to:**
@@ -30,15 +30,15 @@ For a list of the cmdlets and their functions and available parameters, see the
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
> [!NOTE]
-> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), or [Windows Defender Antivirus Group Policy ADMX templates](https://www.microsoft.com/download/100591).
+> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), or [Microsoft Defender Antivirus Group Policy ADMX templates](https://www.microsoft.com/download/100591).
Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
-You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
+You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-microsoft-defender-antivirus.md).
PowerShell is typically installed under the folder `%SystemRoot%\system32\WindowsPowerShell`.
-## Use Windows Defender Antivirus PowerShell cmdlets
+## Use Microsoft Defender Antivirus PowerShell cmdlets
1. In the Windows search bar, type **powershell**.
2. Select **Windows PowerShell** from the results to open the interface.
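Review bot: the renamed link text "Microsoft Defender Antivirus Group Policy ADMX templates" on the `+` line of this hunk points at an unchanged target (https://www.microsoft.com/download/100591); confirm the download page actually carries the new name, otherwise keep the original wording so the link text does not misdescribe what it opens. In the same hunk the relative link now targets `configure-local-policy-overrides-microsoft-defender-antivirus.md`, whose rename is not part of this hunk; check that the renamed file exists in this patch before merging, since a dangling relative link surfaces as a broken-link warning at build time.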
@@ -57,5 +57,5 @@ Omit the `-online` parameter to get locally cached help.
## Related topics
-- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
similarity index 63%
rename from windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
rename to windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
index bac24170b6..5a54bd4546 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Configure Windows Defender Antivirus with WMI
-description: Use WMI scripts to configure Windows Defender AV.
+title: Configure Microsoft Defender Antivirus with WMI
+description: Use WMI scripts to configure Microsoft Defender AV.
keywords: wmi, scripts, windows management instrumentation, configuration
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -17,7 +17,7 @@ ms.reviewer:
manager: dansimp
---
-# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender Antivirus
+# Use Windows Management Instrumentation (WMI) to configure and manage Microsoft Defender Antivirus
**Applies to:**
@@ -27,15 +27,15 @@ Windows Management Instrumentation (WMI) is a scripting interface that allows yo
Read more about WMI at the [Microsoft Developer Network System Administration library](https://msdn.microsoft.com/library/aa394582(v=vs.85).aspx).
-Windows Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md).
+Microsoft Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md).
-The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender Antivirus, and includes example scripts.
+The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Microsoft Defender Antivirus, and includes example scripts.
Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with WMI.
-You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
+You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-microsoft-defender-antivirus.md).
## Related topics
-- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
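Review bot: the two `msdn.microsoft.com/library/...` links in this hunk (aa394582 and dn439477) are legacy MSDN URLs carried over unchanged while the surrounding prose is rebranded; they redirect today, but since the lines around them are already being touched, consider updating them to their docs.microsoft.com equivalents in the same change. Keeping "Windows Defender WMIv2 Provider" in the link text looks intentional, as that appears to be the proper name of the API reference rather than the product; only the product name in prose should change, which is what the hunk does.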
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..e998e86722
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
@@ -0,0 +1,86 @@
+---
+title: Use next-generation technologies in Microsoft Defender Antivirus through cloud-delivered protection
+description: next-generation technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection.
+keywords: Microsoft Defender Antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.reviewer: shwjha
+manager: dansimp
+ms.custom: nextgen
+---
+
+# Use next-generation technologies in Microsoft Defender Antivirus through cloud-delivered protection
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
+
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+
+
+To take advantage of the power and speed of these next-generation technologies, Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.
+
+>[!NOTE]
+>The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+
+With cloud-delivered protection, next-generation technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Microsoft Defender Antivirus in action:
+
+
+
+To understand how next-generation technologies shorten protection delivery time through the cloud, watch the following video:
+
+
+
+Read the following blog posts for detailed protection stories involving cloud-protection and Microsoft AI:
+
+- [Why Microsoft Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-microsoft-defender-antivirus-is-the-most-deployed-in-the-enterprise/)
+- [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/)
+- [How artificial intelligence stopped an Emotet outbreak](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak/)
+- [Detonating a bad rabbit: Microsoft Defender Antivirus and layered machine learning defenses](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-microsoft-defender-antivirus-and-layered-machine-learning-defenses/)
+- [Microsoft Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware](https://cloudblogs.microsoft.com/microsoftsecure/2017/07/18/microsoft-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/)
+
+## Get cloud-delivered protection
+
+Cloud-delivered protection is enabled by default. However, you may need to re-enable it if it has been disabled as part of previous organizational policies.
+
+Organizations running Windows 10 E5 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn on cloud-delivered protection, fixes for malware issues can be delivered via the cloud within minutes, instead of waiting for the next update.
+
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+
+The following table describes the differences in cloud-delivered protection between recent versions of Windows and Configuration Manager.
+
+|OS version or service application |Cloud-protection service label |Reporting level (MAPS membership level) |Cloud block timeout period |
+|---------|---------|---------|---------|
+|Windows 8.1 (Group Policy) |Microsoft Advanced Protection Service |Basic, Advanced |No |
+|Windows 10, version 1607 (Group Policy) |Microsoft Advanced Protection Service |Advanced |No |
+|Windows 10, version 1703 or greater (Group Policy) |Cloud-based Protection |Advanced |Configurable |
+|System Center 2012 Configuration Manager | N/A |Dependent on Windows version |Not configurable |
+|Microsoft Endpoint Configuration Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable |
+|Microsoft Intune |Microsoft Advanced Protection Service |Dependent on Windows version |Configurable |
+
+You can also [configure Microsoft Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-microsoft-defender-antivirus.md#cloud-report-updates).
+
+
+## Tasks
+
+- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md). You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
+
+- [Specify the cloud-delivered protection level](specify-cloud-protection-level-microsoft-defender-antivirus.md). You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
+
+- [Configure and validate network connections for Microsoft Defender Antivirus](configure-network-connections-microsoft-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
+
+- [Configure the block at first sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy.
+
+- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy.
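Review bot: the three blog links `cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-microsoft-defender-antivirus-is-the-most-deployed-in-the-enterprise/`, `.../2017/12/11/detonating-a-bad-rabbit-microsoft-defender-antivirus-and-layered-machine-learning-defenses/` and `.../2017/07/18/microsoft-defender-antivirus-cloud-protection-service-...` have had the product rename applied inside the URL path, not just the link text; those 2017 and 2018 posts were published under the "windows-defender-antivirus" slug (the Microsoft Defender name did not exist yet), so the rewritten paths will not resolve. Restore the original slugs and rename only the link text. Smaller points in the same hunk: `ms.pagetype: security` appears twice in the front matter; "These cloud protection services ... enhances" should read "enhance"; and both "watch the following video" paragraphs are followed only by blank lines, so if the video embed lines were dropped during the move they need to be restored or the two sentences removed.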
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..a1ed7741c5
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
@@ -0,0 +1,58 @@
+---
+title: "Why you should use Microsoft Defender Antivirus together with Microsoft Defender Advanced Threat Protection"
+description: "For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings."
+keywords: windows defender, antivirus, third party av
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.topic: article
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.reviewer:
+manager: dansimp
+---
+
+# Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
+
+Microsoft Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP).
+
+Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Microsoft Defender Antivirus together with Microsoft Defender ATP. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services.
+
+## 11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender ATP
+
+| |Advantage |Why it matters |
+|--|--|--|
+|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). |
+|2|Threat analytics and your configuration score |Microsoft Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [configuration score](../microsoft-defender-atp/configuration-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
+|3|Performance |Microsoft Defender ATP is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).|
+|4|Details about blocked malware |More details and actions for blocked malware are available with Microsoft Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).|
+|5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).|
+|6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).|
+|7|Attack Surface Reduction |Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Get an overview of attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction).|
+|8|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) |
+|9|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). |
+|10|File recovery via OneDrive |If you are using Microsoft Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).|
+|11|Technical support |By using Microsoft Defender ATP together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md). |
+
+
+## Learn more
+
+[Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
+
+[Threat & Vulnerability Management](../microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
+
+
+
+
+
+
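Review bot: "Compliant with ISO 270001" in the Geographic data row should be "ISO/IEC 27001", matching the compliance offering the row links to; a wrong standard number in a compliance claim is the kind of thing auditors quote back. Also in this hunk: `ms.pagetype: security` is duplicated in the front matter, and the file ends with six empty `+` lines that should be trimmed to one. Leaving "Windows Defender ATP" in the MITRE evaluation link title is correct, as that is the blog post's published title.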
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md
new file mode 100644
index 0000000000..35f40da2a5
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md
@@ -0,0 +1,7 @@
+# [Microsoft Defender Application Guard](md-app-guard-overview.md)
+
+## [System requirements](reqs-md-app-guard.md)
+## [Install WDAG](install-md-app-guard.md)
+## [Configure WDAG policies](configure-md-app-guard.md)
+## [Test scenarios](test-scenarios-md-app-guard.md)
+## [FAQ](faq-md-app-guard.md)
\ No newline at end of file
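Review bot: the new TOC still uses the old acronym in "Install WDAG" and "Configure WDAG policies" while the page titles it links to say Microsoft Defender Application Guard; rename these entries to "Install Application Guard" and "Configure Application Guard policies" (or spell the product name out) so the navigation matches the rebranded pages. The file is also missing a trailing newline.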
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
new file mode 100644
index 0000000000..121ed70fbe
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
@@ -0,0 +1,66 @@
+---
+title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows 10)
+description: Learn about the available Group Policy settings for Microsoft Defender Application Guard.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.date: 10/17/2017
+ms.reviewer:
+manager: dansimp
+ms.custom: asr
+---
+
+# Configure Microsoft Defender Application Guard policy settings
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
+
+Application Guard uses both network isolation and application-specific settings.
+
+## Network isolation settings
+
+These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
+
+>[!NOTE]
+>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the "Domains categorized as both work and personal" policy.
+
+
+
+|Policy name|Supported versions|Description|
+|-----------|------------------|-----------|
+|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
+|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
+|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
+
+## Network isolation settings wildcards
+
+|Value|Number of dots to the left|Meaning|
+|-----|--------------------------|-------|
+|`contoso.com`|0|Trust only the literal value of `contoso.com`.|
+|`www.contoso.com`|0|Trust only the literal value of `www.contoso.com`.|
+|`.contoso.com`|1|Trust any domain that ends with the text `contoso.com`. Matching sites include `spearphishingcontoso.com`, `contoso.com`, and `www.contoso.com`.|
+|`..contoso.com`|2|Trust all levels of the domain hierarchy that are to the left of the dot. Matching sites include `shop.contoso.com`, `us.shop.contoso.com`, `www.us.shop.contoso.com`, but NOT `contoso.com` itself.|
+
+## Application-specific settings
+These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard**, can help you to manage your company's implementation of Application Guard.
+
+|Name|Supported versions|Description|Options|
+|-----------|------------------|-----------|-------|
+|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally: -Disable the clipboard functionality completely when Virtualization Security is enabled. - Enable copying of certain content from Application Guard into Microsoft Edge. - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
+|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally: - Enable Application Guard to print into the XPS format. - Enable Application Guard to print into the PDF format. - Enable Application Guard to print to locally attached printers. - Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
+|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. **Note:** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.
**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
+|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**Note** If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. **To reset the container:** 1. Open a command-line program and navigate to `Windows/System32`. 2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data. 3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
+|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device. Available options: - Enable Microsoft Defender Application Guard only for Microsoft Edge - Enable Microsoft Defender Application Guard only for Microsoft Office - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.|
+|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system.
**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
+|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 10 Pro, 1803 or higher|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
+|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
+|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.|
+|Allow users to trust files that open in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.
**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Microsoft Defender Application Guard.|
+
+
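Review bot: the `+|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|` row says in its **Enabled.** cell that "Certificates matching the specified thumbprint are transferred into the container" without saying where the thumbprint list is entered or in what format, and, unlike the vGPU and camera/microphone rows, it carries no **Important** note on the consequence (a root transferred into the container is a trust anchor for the isolated browser session). Suggest naming the policy field that takes the comma-separated thumbprints and adding a caveat in the same style as the neighbouring rows. Also, the `+|Allow users to trust files that open in Microsoft Defender Application Guard|` row lists only `Windows 10 Enterprise, 1809 or higher` while the rows around it also list `Windows 10 Pro, 1809 or higher`; confirm the omission is intentional. The two trailing `+` blank lines add whitespace at end of file.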
diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
similarity index 66%
rename from windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
rename to windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index 1e8839b354..0a946cec7c 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -1,6 +1,6 @@
---
-title: FAQ - Windows Defender Application Guard (Windows 10)
-description: Learn about the commonly asked questions and answers for Windows Defender Application Guard.
+title: FAQ - Microsoft Defender Application Guard (Windows 10)
+description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -8,17 +8,17 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 12/04/2019
+ms.date: 06/02/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
---
-# Frequently asked questions - Windows Defender Application Guard
+# Frequently asked questions - Microsoft Defender Application Guard
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
+Answering frequently asked questions about Microsoft Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
## Frequently Asked Questions
@@ -49,13 +49,13 @@ To help keep the Application Guard Edge session secure and isolated from the hos
Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.
-### How do I configure Windows Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
+### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
-Windows Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
+Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
### Which Input Method Editors (IME) in 19H1 are not supported?
-The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Windows Defender Application Guard.
+The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard.
- Vietnam Telex keyboard
- Vietnam number key-based keyboard
- Hindi phonetic keyboard
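Review bot: the renamed line `+Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address.` carries over wording that is hard to follow: "can be annotated as `itproxy:81` or using a record such as `P19216810010`" never states plainly that the name must be a record that resolves to the proxy's IP (the word "record" only implies it), and the two examples use different addresses (`192.168.1.4:81` and `192.168.100.10`) while reading as one case. Since the line is being touched anyway, suggest splitting it: state that the proxy must be reachable by a name that resolves to its IP, then give a single example pair of name and address.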
@@ -83,12 +83,27 @@ To trust a subdomain, you must precede your domain with two dots, for example: `
### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
-When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).
+When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
### Is there a size limit to the domain lists that I need to configure?
Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383B limit.
-### Why does my encryption driver break Windows Defender Application Guard?
+### Why does my encryption driver break Microsoft Defender Application Guard?
+
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT").
+
+### Why do the Network Isolation policies in Group Policy and CSP look different?
+
+There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatary network isolation policies to deploy WDAG are different between CSP and GP.
+
+Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
+Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
+For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
+
+Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
+
+### Why did Application Guard stop working after I turned off hyperthreading?
+
+If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
-Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT").
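Review bot: the encryption-driver answer is added twice in this hunk: once under `### Why does my encryption driver break Microsoft Defender Application Guard?` (`+Microsoft Defender Application Guard accesses files from a VHD mounted on the host...`) and again, still reading `+Windows Defender Application Guard accesses files from a VHD...`, under `### Why do the Network Isolation policies in Group Policy and CSP look different?`, where it does not answer that question; drop the second copy (the trailing `-` line removes the original, so only the first `+` copy should remain). In the network-isolation answer, `Mandatary` should be `Mandatory`, and `+For EnterpriseNetworkDomainNames, there is no mapped CSP policy.` contradicts the line above it, which lists `EnterpriseNetworkDomainNames` as part of the mandatory CSP policy; presumably this should say there is no mapped GP policy. The two `Mandatory ... :` lines and the line after them will also render as one run-on paragraph in Markdown, so make them a list. Finally, the new answers keep the `WDAG` abbreviation while this PR renames the product to Microsoft Defender Application Guard, and the hyperthreading answer says Application Guard "no longer meets the minimum requirements" without naming which one; state the requirement or link to `reqs-md-app-guard.md`, which is added in this PR.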
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg b/windows/security/threat-protection/microsoft-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg
new file mode 100644
index 0000000000..428f96e9b5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-root-certificates.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-root-certificates.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-root-certificates.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-root-certificates.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-clipboard.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-clipboard.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-download.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-download.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-download.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-download.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-network-isolation-neutral.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-network-isolation-neutral.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-network-isolation.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-network-isolation.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-persistence.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-persistence.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-print.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-print.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-vgpu.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-vgpu.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-vgpu.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-vgpu.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-new-window.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-new-window.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-new-window.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-new-window.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-security-center-settings.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-security-center-settings.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-visual-cues.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-visual-cues.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/application-guard-container-v-host.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/application-guard-container-v-host.png
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on-off.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on-off.png
new file mode 100644
index 0000000000..fe4236c8cf
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on-off.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png
rename to windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
new file mode 100644
index 0000000000..8aba080ae4
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -0,0 +1,123 @@
+---
+title: Enable hardware-based isolation for Microsoft Edge (Windows 10)
+description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: denisebmsft
+ms.author: deniseb
+ms.date: 02/19/2019
+ms.reviewer:
+manager: dansimp
+ms.custom: asr
+---
+
+# Prepare to install Microsoft Defender Application Guard
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Review system requirements
+
+See [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard) to review the hardware and software installation requirements for Microsoft Defender Application Guard.
+>[!NOTE]
+>Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
+
+## Prepare for Microsoft Defender Application Guard
+Before you can install and use Microsoft Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
+
+### Standalone mode
+
+Applies to:
+- Windows 10 Enterprise edition, version 1709 or higher
+- Windows 10 Pro edition, version 1803
+
+Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-md-app-guard.md) testing scenario.
+
+## Enterprise-managed mode
+
+Applies to:
+- Windows 10 Enterprise edition, version 1709 or higher
+
+You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container.
+
+The following diagram shows the flow between the host PC and the isolated container.
+
+
+## Install Application Guard
+
+Application Guard functionality is turned off by default. However, you can quickly install it on your employee's devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
+
+### To install by using the Control Panel
+
+1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**.
+
+ 
+
+2. Select the check box next to **Microsoft Defender Application Guard** and then click **OK**.
+
+ Application Guard and its underlying dependencies are all installed.
+
+### To install by using PowerShell
+
+>[!NOTE]
+>Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only.
+
+1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**.
+
+2. Right-click **Windows PowerShell**, and then click **Run as administrator**.
+
+ Windows PowerShell opens with administrator credentials.
+
+3. Type the following command:
+
+ ```
+ Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
+ ```
+4. Restart the device.
+
+ Application Guard and its underlying dependencies are all installed.
+
+### To install by using Intune
+
+> [!IMPORTANT]
+> Make sure your organization's devices meet [requirements](reqs-md-app-guard.md) and are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
+
+:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune":::
+
+1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in.
+
+1. Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
+
+ 1. In the **Platform** list, select **Windows 10 and later**.
+
+ 1. In the **Profile** list, select **Endpoint protection**.
+
+ 1. Choose **Create**.
+
+1. Specify the following settings for the profile:
+
+ - **Name** and **Description**
+
+ - In the **Select a category to configure settings** section, choose **Microsoft Defender Application Guard**.
+
+ - In the **Application Guard** list, choose **Enabled for Edge**.
+
+ - Choose your preferences for **Clipboard behavior**, **External content**, and the remaining settings.
+
+1. Choose **OK**, and then choose **OK** again.
+
+1. Review your settings, and then choose **Create**.
+
+1. Choose **Assignments**, and then do the following:
+
+ 1. On the **Include** tab, in the **Assign to** list, choose an option.
+
+ 1. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab.
+
+ 1. Click **Save**.
+
+After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
+
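Review bot: the `### To install by using Intune` section (from `+> Make sure your organization's devices meet [requirements](reqs-md-app-guard.md)` to the end of the hunk) never says the Intune path applies to Enterprise editions only, although the requirements page renamed in this same PR states that Professional editions are supported only for non-managed devices and that Intune is not supported for them, and the `## Enterprise-managed mode` section above lists only `Windows 10 Enterprise edition, version 1709 or higher`; add that restriction to the IMPORTANT callout. Other points in this hunk: `### Standalone mode` is an H3 while `## Enterprise-managed mode` is an H2, so the two modes are not siblings under `## Prepare for Microsoft Defender Application Guard`; under Standalone, `- Windows 10 Pro edition, version 1803` lacks the "or higher" the requirements page uses; `Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container` is garbled (presumably "redirects browser requests for non-enterprise domains into the container"); `ms.date: 02/19/2019` is stale for a file that is new in this PR while the FAQ in the same PR is bumped to `06/02/2020`; the PowerShell fence has no language tag and `-online` should be written `-Online` to match the cmdlet's parameter casing; and `:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune":::` sits before step 1 and has alt text about enrollment although the file name says it shows the new-profile screen, so either the alt text or the placement is wrong. The NOTE under `## Review system requirements` also keeps `WDAG` and "VDI environment" (should be "VDI environments").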
diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
similarity index 63%
rename from windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
rename to windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 390bee5992..9a278e3b9b 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Application Guard (Windows 10)
-description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
+title: Microsoft Defender Application Guard (Windows 10)
+description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -14,11 +14,11 @@ manager: dansimp
ms.custom: asr
---
-# Windows Defender Application Guard overview
+# Microsoft Defender Application Guard overview
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
+Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
## What is Application Guard and how does it work?
@@ -44,8 +44,8 @@ Application Guard has been created to target several types of systems:
|Article |Description |
|------|------------|
-|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.|
-|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
-|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
-|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
-|[Frequently asked questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
\ No newline at end of file
+|[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.|
+|[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
+|[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
+|[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
+|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
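Review bot: the link text in `+|[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md)` does not match the title of the page it points to, which this PR adds as `# Prepare to install Microsoft Defender Application Guard` (and which the FAQ links as "Prepare to install Microsoft Defender Application Guard"); use one title in all three places. The hunk otherwise correctly fixes the missing newline at end of file.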
diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
similarity index 64%
rename from windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
rename to windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index 5c81b7eb36..5757f18c10 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -1,6 +1,6 @@
---
-title: System requirements for Windows Defender Application Guard (Windows 10)
-description: Learn about the system requirements for installing and running Windows Defender Application Guard.
+title: System requirements for Microsoft Defender Application Guard (Windows 10)
+description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -14,17 +14,17 @@ manager: dansimp
ms.custom: asr
---
-# System requirements for Windows Defender Application Guard
+# System requirements for Microsoft Defender Application Guard
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
+The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
>[!NOTE]
->Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
+>Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
## Hardware requirements
-Your environment needs the following hardware to run Windows Defender Application Guard.
+Your environment needs the following hardware to run Microsoft Defender Application Guard.
|Hardware|Description|
|--------|-----------|
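Review bot: the renamed NOTE line `+>Microsoft Defender Application Guard is not supported on VMs and VDI environment.` keeps `WDAG` in its second sentence ("you may enable WDAG on a VM") while this PR replaces "Windows Defender" with "Microsoft Defender" everywhere else, and "VDI environment" should be "VDI environments". The same sentence, with the same abbreviation, is duplicated verbatim in the new `install-md-app-guard.md`; fix both copies or keep only one and link to it.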
@@ -35,11 +35,10 @@ Your environment needs the following hardware to run Windows Defender Applicatio
|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended|
## Software requirements
-Your environment needs the following software to run Windows Defender Application Guard.
+Your environment needs the following software to run Microsoft Defender Application Guard.
|Software|Description|
|--------|-----------|
|Operating system|Windows 10 Enterprise edition, version 1709 or higher Windows 10 Professional edition, version 1803 or higher Windows 10 Professional for Workstations edition, version 1803 or higher Windows 10 Professional Education edition version 1803 or higher Windows 10 Education edition, version 1903 or higher Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. |
|Browser|Microsoft Edge and Internet Explorer|
|Management system (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
-|Windows Defender Exploit Protection settings|The following settings should be configured or verified in the **Windows Security** app under **App & browser control** > **Exploit protection** > **Exploit protection settings** > **System Settings**.
**Control flow guard (CFG)** must be set to **Use default (On)** or **Off by default**. If set to **On by default**, [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard) will not launch.
**Randomize memory allocations (Bottom-up ASLR)** must be set to **Use default (On)** or **Off by default**. If set to "On by default", the `Vmmem` process will have high CPU utilization while a Windows Defender Application Guard window is open.|
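Review bot: This hunk deletes the whole "Windows Defender Exploit Protection settings" row (11 lines become 10) with no replacement, so the requirement that Control flow guard (CFG) and Bottom-up ASLR be "Use default (On)" or "Off by default" disappears from the software requirements. That row documents a hard launch-failure condition ("If set to On by default, Windows Defender Application Guard will not launch") and a known Vmmem CPU problem, so if the intent was only to rename "Windows Defender" to "Microsoft Defender", re-add the row with the new name; if the removal is deliberate because the constraint no longer applies, say so in the commit message.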
diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
similarity index 74%
rename from windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
rename to windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index 6f9c6ff4ff..e2a6d3e0ec 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -1,6 +1,6 @@
---
-title: Testing scenarios with Windows Defender Application Guard (Windows 10)
-description: Suggested testing scenarios for Windows Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
+title: Testing scenarios with Microsoft Defender Application Guard (Windows 10)
+description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -8,7 +8,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 03/15/2019
ms.reviewer:
manager: dansimp
ms.custom: asr
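Review bot: ms.date is deleted rather than updated. The same commit changes the title, description, headings and every Group Policy path in this file, so the reader-facing "last updated" should move forward; prefer bumping the value to the date of this change over dropping the key, unless the build now derives the date elsewhere.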
@@ -28,9 +27,9 @@ We've come up with a list of scenarios that you can use to test hardware-based i
You can see how an employee would use standalone mode with Application Guard.
-**To test Application Guard in Standalone mode**
+### To test Application Guard in Standalone mode
-1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).
+1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.
@@ -53,7 +52,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise-
Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
-1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard#install-application-guard).
+1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard#install-application-guard).
2. Restart the device and then start Microsoft Edge.
@@ -73,7 +72,7 @@ Before you can use Application Guard in enterprise mode, you must install Window

-4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting.
+4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Enterprise Mode** setting.
5. Click **Enabled**, choose Option **1**, and click **OK**.
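Review bot: Step 4 renames the Group Policy path to "Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Enterprise Mode", but gpedit displays whatever string the ADMX template on the device carries. On builds whose template still reads "Windows Defender Application Guard", a reader following this path will not find the node. Please confirm the shipped ADMX display name before renaming these paths, or state which Windows 10 version the new node name applies to. The same check applies to every policy-path hunk below in this file (clipboard, print, data persistence, download, hardware acceleration, file trust, camera and microphone, root certificate sharing).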
@@ -84,11 +83,11 @@ Before you can use Application Guard in enterprise mode, you must install Window
6. Start Microsoft Edge and type www.microsoft.com.
- After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard.
+ After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard.

-7. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists.
+7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists.
After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.
@@ -109,12 +108,12 @@ Application Guard provides the following default behavior for your employees:
You have the option to change each of these settings to work with your enterprise from within Group Policy.
**Applies to:**
-- Windows 10 Enterpise edition, version 1709 or higher
+- Windows 10 Enterprise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
#### Copy and paste options
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard clipboard settings**.
2. Click **Enabled** and click **OK**.
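Review bot: While fixing "Enterpise" in the Applies to list, make the two bullets consistent: the Enterprise bullet says "version 1709 or higher" but the Professional bullet says only "version 1803", although the software requirements table in the install page states Professional is supported from "version 1803 or higher". Suggest "- Windows 10 Professional edition, version 1803 or higher".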
@@ -140,7 +139,7 @@ You have the option to change each of these settings to work with your enterpris
#### Print options
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard print** settings.
2. Click **Enabled** and click **OK**.
@@ -152,7 +151,7 @@ You have the option to change each of these settings to work with your enterpris
#### Data persistence options
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow data persistence for Microsoft Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
@@ -169,15 +168,15 @@ You have the option to change each of these settings to work with your enterpris
The previously added site should still appear in your **Favorites** list.
>[!NOTE]
- >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container, follow these steps:** 1. Open a command-line program and navigate to Windows/System32. 2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data. 3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
+ >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container, follow these steps:** 1. Open a command-line program and navigate to Windows/System32. 2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data. 3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
**Applies to:**
-- Windows 10 Enterpise edition, version 1803
+- Windows 10 Enterprise edition, version 1803
- Windows 10 Professional edition, version 1803
#### Download options
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow files to download and save to the host operating system from Microsoft Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
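Review bot: The data-persistence note is rewritten only to replace a curly apostrophe, but the line it re-adds still runs the reset procedure together as "**To reset the container, follow these steps:** 1. Open a command-line program and navigate to Windows/System32. 2. Type `wdagtool.exe cleanup`. ... 3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. ..." inside the callout, which renders as one paragraph rather than steps. Since the line is being touched anyway, break the steps out, use the Windows path separator ("Windows\System32"), and make the data consequence explicit: the lead-in promises a utility "to reset the container and to discard any personal data", yet step 2 describes plain `wdagtool.exe cleanup` as "retaining only the employee-generated data"; only `RESET_PERSISTENCE_LAYER` discards it, and that is the command an administrator needs when the goal is to remove persisted data.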
@@ -185,13 +184,13 @@ You have the option to change each of these settings to work with your enterpris
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
-4. Download a file from Windows Defender Application Guard.
+4. Download a file from Microsoft Defender Application Guard.
5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
#### Hardware acceleration options
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow hardware-accelerated rendering for Microsoft Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
@@ -202,12 +201,12 @@ You have the option to change each of these settings to work with your enterpris
4. Assess the visual experience and battery performance.
**Applies to:**
-- Windows 10 Enterpise edition, version 1809
+- Windows 10 Enterprise edition, version 1809
- Windows 10 Professional edition, version 1809
#### File trust options
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard** setting.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow users to trust files that open in Microsoft Defender Application Guard** setting.
2. Click **Enabled**, set **Options** to 2, and click **OK**.
@@ -221,7 +220,7 @@ You have the option to change each of these settings to work with your enterpris
#### Camera and microphone options
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard** setting.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow camera and microphone access in Microsoft Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
@@ -235,7 +234,7 @@ You have the option to change each of these settings to work with your enterpris
#### Root certificate sharing options
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user's device** setting.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device** setting.
2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
index 0e8ba41a5c..e520b394a2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
@@ -22,30 +22,34 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
## API description
+
Adds or remove tag to a specific [Machine](machine.md).
-
## Limitations
+
1. You can post on machines last seen in the past 30 days.
+
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
+
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type | Permission | Permission display name
:---|:---|:---
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
>[!Note]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Manage security setting' (See [Create and manage roles](user-roles.md) for more information)
+>
+>- The user needs to have at least the following role permission: 'Manage security setting'. For more (See [Create and manage roles](user-roles.md) for more information)
>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
## HTTP request
+
```
POST https://api.securitycenter.windows.com/api/machines/{id}/tags
```
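Review bot: The rewritten note bullet reads "'Manage security setting'. For more (See [Create and manage roles](user-roles.md) for more information)", which is garbled. Suggest ": 'Manage security setting'. For more information, see [Create and manage roles](user-roles.md)." and give the sibling bullet about machine group access the same form instead of leaving one in parentheses. While in this file, the API description "Adds or remove tag to a specific Machine" should be "Adds or removes a tag on a specific Machine".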
@@ -58,17 +62,18 @@ Authorization | String | Bearer {token}. **Required**.
Content-Type | string | application/json. **Required**.
## Request body
+
In the request body, supply a JSON object with the following parameters:
-Parameter | Type | Description
+Parameter | Type | Description
:---|:---|:---
-Value | String | The tag name. **Required**.
-Action | Enum | Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.
+Value | String | The tag name. **Required**.
+Action | Enum | Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.
## Response
-If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
+If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
## Example
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
index 798540594f..1261d7fa01 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@@ -20,6 +20,7 @@ ms.topic: article
# Configure advanced features in Microsoft Defender ATP
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
@@ -30,32 +31,36 @@ Use the following advanced features to get better protected from potentially mal
## Automated investigation
-When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigation](automated-investigations.md).
+Turn on this feature to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigation](automated-investigations.md).
## Live response
-When you enable this feature, users with the appropriate permissions can initiate a live response session on machines.
+Turn on this feature so that users with the appropriate permissions can start a live response session on machines.
-For more information on role assignments see, [Create and manage roles](user-roles.md).
+For more information about role assignments, see [Create and manage roles](user-roles.md).
## Live response unsigned script execution
Enabling this feature allows you to run unsigned scripts in a live response session.
-## Auto-resolve remediated alerts
+## Autoresolve remediated alerts
-For tenants created on or after Windows 10, version 1809 the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature.
+For tenants created on or after Windows 10, version 1809 the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature.
>[!TIP]
>For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page.
>[!NOTE]
-> - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.
+>
+>- The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.
>- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
## Allow or block file
-Blocking is only available if your organization uses Windows Defender Antivirus as the active antimalware solution, and if the cloud-based protection feature is enabled.
+Blocking is only available if your organization fulfills these requirements:
+
+- Uses Microsoft Defender Antivirus as the active antimalware solution and,
+- The cloud-based protection feature is enabled
This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on machines in your organization.
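Review bot: The heading is changed to "Autoresolve remediated alerts" but the body two lines below still says "auto-resolved" and the note still says "the auto-resolve action"; pick one spelling and apply it throughout the section. In the new requirements list, the first bullet ends with a dangling "and,"; drop it and let the lead-in "fulfills these requirements:" carry the conjunction, e.g. "- Uses Microsoft Defender Antivirus as the active antimalware solution" and "- Has the cloud-based protection feature enabled". The tip's "For tenants created prior that version" should read "prior to that version".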
@@ -69,24 +74,22 @@ To turn **Allow or block** files on:
1. Select **Save preferences** at the bottom of the page.
-Once you have enabled this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.
-
+After turning on this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.
## Custom network indicators
-Enabling this feature allows you to create indicators for IP addresses, domains, or URLs which determine whether they will be allowed or blocked based on your custom indicator list.
+Turning on this feature allows you to create indicators for IP addresses, domains, or URLs, which determine whether they will be allowed or blocked based on your custom indicator list.
-To use this feature, machines must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834).
+To use this feature, machines must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834).
For more information, see [Manage indicators](manage-indicators.md).
>[!NOTE]
>Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Microsoft Defender ATP data.
-
## Show user details
-When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
+Turn on this feature so that you can see user details stored in Azure Active Directory. Details include a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
- Security operations dashboard
- Alert queue
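Review bot: Splitting the sentence leaves "when investigating user account entities" attached to the list of details rather than to what the feature does. Suggest: "Turn on this feature to see user details stored in Azure Active Directory when you investigate user account entities. Details include the user's picture, name, title, and department."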
@@ -110,25 +113,25 @@ The integration with Azure Advanced Threat Protection allows you to pivot direct
## Microsoft Secure Score
-Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning this feature on gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
+Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
### Enable the Microsoft Defender ATP integration from the Azure ATP portal
To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
-1. Login to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
+1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
2. Click **Create your instance**.
3. Toggle the Integration setting to **On** and click **Save**.
-When you complete the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page.
+After completing the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page.
## Office 365 Threat Intelligence connection
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
-When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
+When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows machines.
>[!NOTE]
>You'll need to have the appropriate license to enable this feature.
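Review bot: The rewritten Microsoft Secure Score line still carries two errors it could have fixed: "the devices security posture" (should be "devices'" or "device") and "the same location as the your Microsoft Secure Score data" (drop "the"). Separately, "Log in to the [Azure portal](https://portal.atp.azure.com/)" links to the Azure ATP portal, not the Azure portal, and the "Enable the Microsoft Defender ATP integration from the Azure ATP portal" subsection sits under the Microsoft Secure Score heading although it configures Azure ATP; it belongs under the Azure Advanced Threat Protection section referenced in this hunk's header.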
@@ -137,7 +140,7 @@ To receive contextual machine integration in Office 365 Threat Intelligence, you
## Microsoft Threat Experts
-Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability, while experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it.
+Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it.
>[!NOTE]
>The Microsoft Threat Experts capability in Microsoft Defender ATP is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).
@@ -151,11 +154,11 @@ Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud
## Azure Information Protection
-Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings.
+Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded machines and machine risk ratings.
## Microsoft Intune connection
-Microsoft Defender ATP can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [enable this feature](configure-conditional-access.md), you'll be able to share Microsoft Defender ATP device information with Intune, enhancing policy enforcement.
+Microsoft Defender ATP can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Microsoft Defender ATP device information with Intune, enhancing policy enforcement.
>[!IMPORTANT]
>You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. For more information on specific steps, see [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md).
@@ -176,7 +179,7 @@ When you enable Intune integration, Intune will automatically create a classic C
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
-You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
+You'll have access to upcoming features, which you can provide feedback on to help improve the overall experience before features are generally available.
## Enable advanced features
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
index 8956d5c3a9..b5b530d85f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
@@ -25,7 +25,7 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
+The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Microsoft Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
similarity index 85%
rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md
rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
index f386c93d96..4d1315f233 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
@@ -1,7 +1,7 @@
---
-title: DeviceFileCertificateInfoBeta table in the advanced hunting schema
-description: Learn about file signing information in the DeviceFileCertificateInfoBeta table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfoBeta
+title: DeviceFileCertificateInfo table in the advanced hunting schema
+description: Learn about file signing information in the DeviceFileCertificateInfo table of the advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfo
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -18,7 +18,7 @@ ms.topic: article
ms.date: 01/14/2020
---
-# DeviceFileCertificateInfoBeta
+# DeviceFileCertificateInfo
**Applies to:**
@@ -26,9 +26,7 @@ ms.date: 01/14/2020
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-The `DeviceFileCertificateInfoBeta` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints.
+The `DeviceFileCertificateInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
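Review bot: removing `[!include[Prerelease information](../../includes/prerelease.md)]` together with the Beta suffix is the right pairing, but the four DeviceTvm* pages renamed later in this same patch keep that include while also receiving their final, non-Beta filenames; confirm the GA status of each table individually so the schema pages are consistent about what is still prerelease. Note also that the hunk header `-26,9 +26,7` shows two lines removed (the include and its blank line), which is correct, and the hunk leaves the explanatory sentence about "certificate verification activities" unchanged, so there is no content regression here.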
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
similarity index 98%
rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
index 7900a4dce4..d58f79d5f1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
@@ -1,53 +1,53 @@
----
-title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema
-description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 11/12/2019
----
-
-# DeviceTvmSecureConfigurationAssessment
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Each row in the `DeviceTvmSecureConfigurationAssessment` table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `DeviceId` | string | Unique identifier for the machine in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
-| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
-| `Timestamp` | datetime |Date and time when the record was generated |
-| `ConfigurationId` | string | Unique identifier for a specific configuration |
-| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
-| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
-| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
-| `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured |
-
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+---
+title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema
+description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information.
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 11/12/2019
+---
+
+# DeviceTvmSecureConfigurationAssessment
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Each row in the `DeviceTvmSecureConfigurationAssessment` table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `DeviceId` | string | Unique identifier for the machine in the service |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
+| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
+| `Timestamp` | datetime |Date and time when the record was generated |
+| `ConfigurationId` | string | Unique identifier for a specific configuration |
+| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
+| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
+| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
+| `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured |
+
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
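Review bot: this `@@ -1,53 +1,53 @@` hunk removes and re-adds all 53 lines with byte-identical text, which means the change is a line-ending (CRLF/LF) or BOM normalization riding on top of the rename, not an edit; it hides the fact that the file is otherwise a pure rename and wipes `git blame` for every line. Do the normalization in its own commit (or add a `*.md text eol=lf` rule in .gitattributes) and confirm with `git diff --ignore-cr-at-eol` that nothing else moved. Since every line is being touched anyway, fix the stale link `For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).`, which the DeviceFileCertificateInfo page and this file's own Related topics list spell as `advanced-hunting-schema-reference.md`; the trial link `https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink` likewise differs from the `https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=...` form used elsewhere in this patch. Also worth checking: `ConfigurationImpact` is typed `string` while described as a 1-10 rating, which is the kind of column hunters will try to sort or compare numerically.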
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
similarity index 98%
rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
index c5a3a9fbda..f30af239df 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
@@ -1,53 +1,53 @@
----
-title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema
-description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 11/12/2019
----
-
-# DeviceTvmSecureConfigurationAssessmentKB
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-The `DeviceTvmSecureConfigurationAssessmentKB` table in the advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `ConfigurationId` | string | Unique identifier for a specific configuration |
-| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
-| `ConfigurationName` | string | Display name of the configuration |
-| `ConfigurationDescription` | string | Description of the configuration |
-| `RiskDescription` | string | Description of the associated risk |
-| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
-| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
-| `ConfigurationBenchmarks` | string | List of industry benchmarks recommending the same or similar configuration |
-| `RelatedMitreTechniques` | string | List of Mitre ATT&CK framework techniques related to the configuration |
-| `RelatedMitreTactics ` | string | List of Mitre ATT&CK framework tactics related to the configuration |
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+---
+title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema
+description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema.
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 11/12/2019
+---
+
+# DeviceTvmSecureConfigurationAssessmentKB
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+The `DeviceTvmSecureConfigurationAssessmentKB` table in the advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `ConfigurationId` | string | Unique identifier for a specific configuration |
+| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
+| `ConfigurationName` | string | Display name of the configuration |
+| `ConfigurationDescription` | string | Description of the configuration |
+| `RiskDescription` | string | Description of the associated risk |
+| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
+| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
+| `ConfigurationBenchmarks` | string | List of industry benchmarks recommending the same or similar configuration |
+| `RelatedMitreTechniques` | string | List of Mitre ATT&CK framework techniques related to the configuration |
+| `RelatedMitreTactics ` | string | List of Mitre ATT&CK framework tactics related to the configuration |
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
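Review bot: the last table row, `| `RelatedMitreTactics ` | string | ...`, carries a trailing space inside the backticks, so the rendered column name is wrong; the hunk rewrites that line and is the natural place to fix it to `RelatedMitreTactics`. As with the previous file, the hunk re-adds all 53 lines with identical text (a line-ending change rather than an edit), so the same separate-normalization advice applies. Two smaller items in the same lines: `Mitre ATT&CK` in the two Related* rows versus `MITRE ATT&CK` in the intro paragraph and keywords, and the stale `advanced-hunting-reference.md` link that should be `advanced-hunting-schema-reference.md` to match the Related topics list three lines below it.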
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
similarity index 98%
rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
index 0dcf6e3af5..384b79a65a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
@@ -1,56 +1,56 @@
----
-title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema
-description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 11/12/2019
----
-
-# DeviceTvmSoftwareInventoryVulnerabilities
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `DeviceId` | string | Unique identifier for the machine in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
-| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
-| `OSVersion` | string | Version of the operating system running on the machine |
-| `OSArchitecture` | string | Architecture of the operating system running on the machine |
-| `SoftwareVendor` | string | Name of the software vendor |
-| `SoftwareName` | string | Name of the software product |
-| `SoftwareVersion` | string | Version number of the software product |
-| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
-| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
-
-
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+---
+title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema
+description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema.
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 11/12/2019
+---
+
+# DeviceTvmSoftwareInventoryVulnerabilities
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `DeviceId` | string | Unique identifier for the machine in the service |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
+| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
+| `OSVersion` | string | Version of the operating system running on the machine |
+| `OSArchitecture` | string | Architecture of the operating system running on the machine |
+| `SoftwareVendor` | string | Name of the software vendor |
+| `SoftwareName` | string | Name of the software product |
+| `SoftwareVersion` | string | Version number of the software product |
+| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
+| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
+
+
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
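Review bot: the keywords line ends `CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities`, missing the comma between `OS` and the table name, so the two become a single search keyword; since the hunk rewrites this line unchanged, add the comma here. The hunk is again a full-file rewrite with identical content (line endings), and it preserves two consecutive blank lines after the trial link and three after the table, which should be collapsed to one while the lines are being touched. The `advanced-hunting-reference.md` link has the same stale target as in the other TVM pages in this patch.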
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
similarity index 98%
rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
index 5af1cfe1f1..2ba11df0c9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
@@ -1,51 +1,51 @@
----
-title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema
-description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 11/12/2019
----
-
-# DeviceTvmSoftwareVulnerabilitiesKB
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-The `DeviceTvmSoftwareVulnerabilitiesKB` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
-| `CvssScore` | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
-| `IsExploitAvailable` | boolean | Indicates whether exploit code for the vulnerability is publicly available |
-| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
-| `LastModifiedTime` | datetime | Date and time the item or related metadata was last modified |
-| `PublishedDate` | datetime | Date vulnerability was disclosed to public |
-| `VulnerabilityDescription` | string | Description of vulnerability and associated risks |
-| `AffectedSoftware` | string | List of all software products affected by the vulnerability |
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+---
+title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema
+description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema.
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 11/12/2019
+---
+
+# DeviceTvmSoftwareVulnerabilitiesKB
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+The `DeviceTvmSoftwareVulnerabilitiesKB` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
+| `CvssScore` | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
+| `IsExploitAvailable` | boolean | Indicates whether exploit code for the vulnerability is publicly available |
+| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
+| `LastModifiedTime` | datetime | Date and time the item or related metadata was last modified |
+| `PublishedDate` | datetime | Date vulnerability was disclosed to public |
+| `VulnerabilityDescription` | string | Description of vulnerability and associated risks |
+| `AffectedSoftware` | string | List of all software products affected by the vulnerability |
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
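Review bot: the `CvssScore` row reads `Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS)`, with `th` for `the`; the hunk rewrites the line verbatim, so the typo survives the rename. While here, confirm whether `CvssScore` is really surfaced as `string`, as the doc states, rather than a numeric type, because a string column will not compare correctly in a `where CvssScore > 7` filter and the page gives no hint that a cast is needed. The `advanced-hunting-reference.md` link should be `advanced-hunting-schema-reference.md`, matching the Related topics entry in the same file.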
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
index 0a28ea14cd..977cd7c2dc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
@@ -23,7 +23,7 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.
+Advanced hunting is a query-based threat-hunting tool that lets you explore raw data for the last 30 days. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines.
@@ -54,4 +54,4 @@ Take advantage of the following functionality to write queries faster:
- [Use shared queries](advanced-hunting-shared-queries.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
-- [Custom detections overview](overview-custom-detections.md)
\ No newline at end of file
+- [Custom detections overview](overview-custom-detections.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
index e90dbf5e55..8aa65eadc9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@@ -46,12 +46,12 @@ Table and column names are also listed within the Microsoft Defender Security Ce
| **[DeviceRegistryEvents](advanced-hunting-deviceregistryevents-table.md)** | Creation and modification of registry entries |
| **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events |
| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events |
-| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
-| **[DeviceFileCertificateInfoBeta](advanced-hunting-devicefilecertificateinfobeta-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
-| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products |
-| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
-| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
-| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-tvm-secureconfigkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
+| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection |
+| **[DeviceFileCertificateInfo](advanced-hunting-devicefilecertificateinfo-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
+| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products |
+| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
+| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
+| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
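Review bot: the `DeviceTvmSoftwareVulnerabilitiesKB` row keeps a stray space inside the link label (`**[DeviceTvmSoftwareVulnerabilitiesKB ](...)**`), carried over from the removed line; drop it so the bold link renders cleanly. Since every TVM table page is renamed here (for example `advanced-hunting-tvm-softwareinventory-table.md` becomes `advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md`) and `DeviceFileCertificateInfoBeta` loses its `Beta` suffix, make sure the old paths redirect, and if the table itself was renamed in the product, the page should say when queries written against the `Beta` name stop resolving.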
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
index de3d5741a4..b661399a57 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
@@ -52,6 +52,9 @@ You can save a new or existing query so that it is only accessible to you or sha
2. Select **Delete** and confirm deletion. Or select **Rename** and provide a new name for the query.
+## Create a direct link to a query
+To generate a link that opens your query directly in the advanced hunting query editor, finalize your query and select **Share link**.
+
## Access queries in the GitHub repository
Microsoft security researchers regularly share advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/).
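Review bot: the new "Create a direct link to a query" section says what **Share link** does but not what the link carries or who can open it; state whether the query text is embedded in the URL and that the recipient still needs advanced hunting access in the same tenant, since readers will otherwise assume the link is safe to post anywhere.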
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
index 6255da37f0..34e1b7c512 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
@@ -21,11 +21,12 @@ ms.date: 03/27/2020
# View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
-The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first.
+The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first.
>[!NOTE]
>The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a machine that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
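Review bot: the rewritten sentence "The most recent alerts are showed at the top of the list helping you see the most recent alerts first" is ungrammatical and repeats itself; use "The most recent alerts are shown at the top of the list, so you see them first."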
@@ -33,6 +34,7 @@ The **Alerts queue** shows a list of alerts that were flagged from machines in y
There are several options you can choose from to customize the alerts queue view.
On the top navigation you can:
+
- Select grouped view or list view
- Customize columns to add or remove columns
- Select the items to show per page
@@ -42,32 +44,36 @@ On the top navigation you can:

## Sort, filter, and group the alerts queue
+
You can apply the following filters to limit the list of alerts and get a more focused view the alerts.
### Severity
Alert severity | Description
:---|:---
-High (Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines. Some examples of these are credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
+High (Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on machines. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
Medium (Orange) | Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
-Low (Yellow) | Alerts on threats associated with prevalent malware, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
+Low (Yellow) | Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
Informational (Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
#### Understanding alert severity
-It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
-The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected.
+Microsoft Defender Antivirus (Microsoft Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
+
+The Microsoft Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected.
The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization.
So, for example:
-- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred.
-- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.
+
+- The severity of a Microsoft Defender ATP alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage.
+- An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.
- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
-- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
+- Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
#### Understanding alert categories
-We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will retain the previous category names.
+
+We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will keep the previous category names.
The table below lists the current categories and how they generally map to previous categories.
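Review bot: the Low (Yellow) rewrite changes the meaning: "Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, ..." now presents hack-tools as examples of prevalent malware, whereas the removed line listed prevalent malware, hack-tools and non-malware hack tools as three separate things. Suggested: "Alerts on threats associated with prevalent malware, hack-tools, and non-malware hack tools (such as running exploration commands or clearing logs) that often do not indicate an advanced threat targeting the organization." In the last bullet, the added comma in "Suspicious behavioral alerts, which weren't blocked or remediated will be ranked ..." turns a restrictive clause into a non-restrictive one; remove the comma, because the rule applies specifically to the alerts that were not blocked.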
@@ -92,39 +98,43 @@ The table below lists the current categories and how they generally map to previ
### Status
+
You can choose to limit the list of alerts based on their status.
### Investigation state
+
Corresponds to the automated investigation state.
### Category
+
You can choose to filter the queue to display specific types of malicious activity.
### Assigned to
+
You can choose between showing alerts that are assigned to you or automation.
### Detection source
-Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts managed hunting service.
+
+Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service.
>[!NOTE]
->The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default real-time protection antimalware product.
+>The Microsoft Defender Antivirus filter will only appear if machines are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
### OS platform
+
Limit the alerts queue view by selecting the OS platform that you're interested in investigating.
### Machine group
-If you have specific machine groups that you're interested in checking the alerts on, you can select the groups to limit the alerts queue view to display just those machine groups.
+
+If you have specific machine groups that you're interested in checking, you can select the groups to limit the alerts queue view.
### Associated threat
+
Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics.md).
-
-
-
-
-
## Related topics
+
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
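Review bot: "the new threat experts-managed hunting service" hyphenates the wrong words; write "the new managed hunting service from Microsoft Threat Experts" so the product name stays intact.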
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index 62a32da91b..5508ee20b8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -12,7 +12,7 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
---
@@ -20,9 +20,10 @@ ms.topic: article
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## Methods
+
Method |Return Type |Description
:---|:---|:---
[Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object.
@@ -37,7 +38,8 @@ Method |Return Type |Description
## Properties
-Property | Type | Description
+
+Property | Type | Description
:---|:---|:---
id | String | Alert ID.
title | String | Alert title.
@@ -45,15 +47,15 @@ description | String | Alert description.
alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created.
lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine.
firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that machine.
-lastUpdateTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that machine.
+lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated.
resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
-incidentId | Nullable Long | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert.
-investigationId | Nullable Long | The [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) ID related to the Alert.
+incidentId | Nullable Long | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert.
+investigationId | Nullable Long | The [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) ID related to the Alert.
investigationState | Nullable Enum | The current state of the [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
assignedTo | String | Owner of the alert.
severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
-classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
+classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
category| String | Category of the alert.
detectionSource | String | Detection source.
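Review bot: the `lastUpdateTime` fix is correct, but the `classification` row touched in the same hunk still reads "Specification of the alert"; it should be "Classification of the alert". While here, `resolvedTime` is the only timestamp in the table without "(in UTC)"; add it for consistency with the rows above it.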
@@ -61,7 +63,6 @@ threatFamilyName | String | Threat family.
machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time.
-
### Response example for getting single alert:
```
@@ -73,7 +74,7 @@ GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-2929
"id": "da637084217856368682_-292920499",
"incidentId": 66860,
"investigationId": 4416234,
- "investigationState": "Running",
+ "investigationState": "Running",
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "New",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
index 7558960aa6..891d09df60 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
@@ -1,7 +1,7 @@
---
title: API Explorer in Microsoft Defender ATP
ms.reviewer:
-description: Use the API Explorer to construct and perform API queries, test and send requests for any available API
+description: Use the API Explorer to construct and do API queries, test, and send requests for any available API
keywords: api, explorer, send, request, get, post,
search.product: eADQiWindows 10XVcnh
search.appverid: met150
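Review bot: replacing "perform" with "do" in the description ("construct and do API queries") reads poorly; "construct and run API queries, and test and send requests for any available API" keeps the meaning.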
@@ -19,14 +19,16 @@ ms.topic: conceptual
---
# API Explorer
+
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs interactively.
-The API Explorer makes it easy to construct and perform API queries, test and send requests for any available Microsoft Defender ATP API endpoint. You can also use the API Explorer to perform actions or find data that might not yet be available through the user interface.
+The API Explorer makes it easy to construct and do API queries, test, and send requests for any available Microsoft Defender ATP API endpoint. Use the API Explorer to take actions or find data that might not yet be available through the user interface.
-The tool is useful during app development because it allows you to perform API queries that respect your user access settings, reducing the need to generate access tokens.
+The tool is useful during app development. It allows you to perform API queries that respect your user access settings, reducing the need to generate access tokens.
You can also use the tool to explore the gallery of sample queries, copy result code samples, and generate debug information.
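Review bot: the Applies to line still says "(Windows Defender ATP)" while every other line on the page, including the edited ones, uses "Microsoft Defender ATP"; align it. The body sentence has the same "construct and do API queries" wording as the description; "construct and run" reads better.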
@@ -34,26 +36,30 @@ With the API Explorer, you can:
- Run requests for any method and see responses in real-time
- Quickly browse through the API samples and learn what parameters they support
-- Make API calls with ease; no need to authenticate beyond the management portal sign-in
+- Make API calls with ease; no need to authenticate beyond the management portal sign in
## Access API Explorer
+
From the left navigation menu, select **Partners & APIs** > **API Explorer**.
-## Supported APIs
+## Supported APIs
+
API Explorer supports all the APIs offered by Microsoft Defender ATP.
The list of supported APIs is available in the [APIs documentation](apis-intro.md).
## Get started with the API Explorer
+
1. In the left pane, there is a list of sample requests that you can use.
2. Follow the links and click **Run query**.
-Some of the samples may require specifying a parameter in the URL, for example, {machine- id}.
+Some of the samples may require specifying a parameter in the URL, for example, {machine- ID}.
## FAQ
+
**Do I need to have an API token to use the API Explorer?**
-Credentials to access an API are not needed since the API Explorer uses the Microsoft Defender ATP management portal token whenever it makes a request.
+Credentials to access an API aren't needed. The API Explorer uses the Microsoft Defender ATP management portal token whenever it makes a request.
The logged-in user authentication credential is used to verify that the API Explorer is authorized to access data on your behalf.
-Specific API requests are limited based on your RBAC privileges; for example, a request to "Submit indicator" is limited to the security admin role.
+Specific API requests are limited based on your RBAC privileges. For example, a request to "Submit indicator" is limited to the security admin role.
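Review bot: the URL placeholder `{machine- ID}` keeps the stray space from the old line and is now capitalized, which no longer matches the parameter a reader types into the request; render it as the literal `{machine-id}` in code font. "no need to authenticate beyond the management portal sign in" needs the noun form "sign-in". The "Supported APIs" heading change appears to be whitespace only.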
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
index c27bcf9d6b..1cd0814c99 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
@@ -1,7 +1,7 @@
---
title: Microsoft Defender ATP Flow connector
ms.reviewer:
-description: Microsoft Defender ATP Flow connector
+description: Use Microsoft Defender ATP Flow connector to automate security and create a flow that will be triggered any time a new alert occurs on your tenant.
keywords: flow, supported apis, api, Microsoft flow, query, automation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -21,61 +21,61 @@ ms.topic: article
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional Cyber defenders, forces SOC to work in the most efficient way and automation is a must. MS flow supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within few minutes.
+Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional cyber defenders forces SOC to work in the most efficient way and automation is a must. Microsoft Power Automate supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within a few minutes.
-Microsoft Defender API has an official Flow Connector with a lot of capabilities:
+Microsoft Defender API has an official Flow Connector with many capabilities.

## Usage example
-The following example demonstrates how you can create a Flow that will be triggered any time a new Alert occurs on your tenant.
+The following example demonstrates how to create a Flow that is triggered any time a new Alert occurs on your tenant.
-- Login to [Microsoft Flow](https://flow.microsoft.com)
+1. Log in to [Microsoft Power Automate](https://flow.microsoft.com).
-- Go to: My flows > New > Automated
+2. Go to **My flows** > **New** > **Automated-from blank**.
-
+ 
-- Choose a name for your Flow, Search for **Microsoft Defender ATP Triggers** as the trigger and choose the new Alerts trigger.
+3. Choose a name for your Flow, search for "Microsoft Defender ATP Triggers" as the trigger, and then select the new Alerts trigger.
-
+ 
-- Now you have a Flow that is triggered every time a new Alert occurs.
+Now you have a Flow that is triggered every time a new Alert occurs.

-All you need to do now, is to choose your next steps.
-Lets, for example, Isolate the machine if the Severity of the Alert is **High** and mail about it.
-The Alert trigger gives us only the Alert ID and the Machine ID. We can use the Connector to expand these entities.
+All you need to do now is choose your next steps.
+For example, you can isolate the machine if the Severity of the Alert is High and send an email about it.
+The Alert trigger provides only the Alert ID and the Machine ID. You can use the connector to expand these entities.
-### Get the Alert entity using the connector
+### Get the Alert entity using the connector
-- Choose Microsoft Defender ATP for new step.
+1. Choose **Microsoft Defender ATP** for the new step.
-- Choose Alerts - Get single alert API.
+2. Choose **Alerts - Get single alert API**.
-- Set the Alert Id from the last step as Input.
+3. Set the **Alert ID** from the last step as **Input**.
-
+ 
### Isolate the machine if the Alert's severity is High
-- Add **Condition** as a new step .
+1. Add **Condition** as a new step.
-- Check if Alert severity equals to **High**.
+2. Check if the Alert severity **is equal to** High.
-- If yes, add Microsoft Defender ATP - Isolate machine action with the Machine Id and a comment.
+ If yes, add the **Microsoft Defender ATP - Isolate machine** action with the Machine ID and a comment.
-
+ 
-Now you can add a new step for mailing about the Alert and the Isolation.
-There are multiple Email connectors that are very easy to use, e.g. Outlook, GMail, etc..
-Save your flow and that's all.
+3. Add a new step for emailing about the Alert and the Isolation. There are multiple email connectors that are very easy to use, such as Outlook or Gmail.
-- You can also create **scheduled** flow that will run Advanced Hunting queries and much more!
+4. Save your flow.
+
+You can also create a **scheduled** flow that runs Advanced Hunting queries and much more!
## Related topic
- [Microsoft Defender ATP APIs](apis-intro.md)
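Review bot: the Isolate machine step is gated on severity alone, yet the "Get single alert" step that precedes it returns the full alert object, whose `status` and `classification` properties are documented in the alerts.md table earlier in this patch; say that this is a demonstration and that a production flow should also check those fields, because as written a High alert later marked FalsePositive will already have isolated the machine. Naming is inconsistent after the rename: the body now says "Microsoft Power Automate" but the page title and description still say "Flow connector", and "Microsoft Defender API has an official Flow Connector" should read "Microsoft Defender ATP API". Step 2's "**Automated-from blank**" needs spacing around the dash to match the menu label.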
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
index 3b57273926..2fdc0af72f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
@@ -28,8 +28,9 @@ ms.topic: article
Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center.
>[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
>- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Machine and its related **Alert** details.
+>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
## Detections API fields and portal mapping
The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
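Review bot: the added note line `>-The Microsoft Defender ATP Alert API ...` is missing the space after `>-`, so it will not render as a third list item alongside the two above it; also "contain a detailed list" should be "contains a detailed list".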
@@ -42,23 +43,23 @@ Field numbers match the numbers in the images below.
>
> | Portal label | SIEM field name | ArcSight field | Example value | Description |
> |------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-> | 1 | AlertTitle | name | Windows Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection. |
+> | 1 | AlertTitle | name | Microsoft Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection. |
> | 2 | Severity | deviceSeverity | High | Value available for every Detection. |
> | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. |
-> | 4 | Detection source | sourceServiceName | Antivirus | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every Detection. |
+> | 4 | Detection source | sourceServiceName | Antivirus | Microsoft Defender Antivirus or Microsoft Defender ATP. Value available for every Detection. |
> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. |
> | 6 | FileName | fileName | Robocopy.exe | Available for detections associated with a file or process. |
> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for detections associated with a file or process. |
> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based detections. |
> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based detections. |
> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for detections associated with a file or process. |
-> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Windows Defender AV detections. |
-> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Windows Defender AV detections. |
-> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Windows Defender AV detections. |
+> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Microsoft Defender AV detections. |
+> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Microsoft Defender AV detections. |
+> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Microsoft Defender AV detections. |
> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
> | 15 | Url | requestUrl | down.esales360.cn | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
-> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
-> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
+> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
+> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every Detection. |
> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every Detection. |
> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the event occurred. Value available for every Detection. |
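Review bot: the AlertTitle row changes an example payload value, not documentation prose: `Windows Defender AV detected 'Mikatz' high-severity malware` is the literal string the service puts in `AlertTitle`/`name`, and SIEM correlation rules may match on it. Confirm the service actually emits "Microsoft Defender AV" in alert titles before changing the example; if older alerts still carry the old wording, say so in the Description column. While here, the unchanged Sha1 and Sha256 example values are too short for their algorithms (the Sha1 sample is 39 hex characters, a SHA-1 is 40; the Sha256 sample is 55 hex characters, a SHA-256 is 64), so anyone using them to test a field-length parser will get a false result; replace them with full-length hashes.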
@@ -91,7 +92,6 @@ Field numbers match the numbers in the images below.
## Related topics
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
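Review bot: dropping the `configure-splunk.md` link without a corresponding change to that page leaves the Splunk article orphaned from this topic's navigation while the ArcSight one stays. If the Splunk page is being retired, add a redirect for it and remove it from the other "Related topics" lists in this folder in the same change; if it still exists, keep the link.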
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
index b05666bfbf..cb5955d6d3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
@@ -1,7 +1,7 @@
---
title: Microsoft Defender ATP APIs connection to Power BI
ms.reviewer:
-description: Create custom reports using Power BI
+description: Create a Power Business Intelligence (BI) report on top of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) APIs.
keywords: apis, supported apis, Power BI, reports
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -25,7 +25,7 @@ ms.topic: article
In this section you will learn create a Power BI report on top of Microsoft Defender ATP APIs.
-The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs (e.g. Machine Actions, Alerts, etc..)
+The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs, such as Machine Actions or Alerts.
## Connect Power BI to Advanced Hunting API
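Review bot: the unchanged sentence just above the edited line is missing "how to" ("In this section you will learn create a Power BI report ..."); since this hunk already rewrites the following sentence, fix it here as "In this section you will learn how to create a Power BI report on top of Microsoft Defender ATP APIs."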
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
index 9f14575d2d..ffa10fbfc2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
@@ -23,25 +23,27 @@ ms.custom: asr
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-**Is attack surface reduction (ASR) part of Windows?**
+## Is attack surface reduction (ASR) part of Windows?
-ASR was originally a feature of the suite of exploit guard features introduced as a major update to Windows Defender Antivirus, in Windows 10 version 1709. Windows Defender Antivirus is the native antimalware component of Windows. However, please note that the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Windows Defender Antivirus exclusions.
+ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10 version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions.
-**Do I need to have an enterprise license to run ASR rules?**
+## Do I need to have an enterprise license to run ASR rules?
-The full set of ASR rules and features are only supported if you have an enterprise license for Windows 10. A limited number of rules may work without an enterprise license, if you have Microsoft 365 Business, set Windows Defender Antivirus as your primary security solution, and enable the rules through PowerShell. However, ASR usage without an enterprise license is not officially supported and the full feature-set of ASR will not be available.
+The full set of ASR rules and features is only supported if you have an enterprise license for Windows 10. A limited number of rules may work without an enterprise license. If you have Microsoft 365 Business, set Microsoft Defender Antivirus as your primary security solution, and enable the rules through PowerShell. However, ASR usage without an enterprise license is not officially supported and the full capabilities of ASR will not be available.
-**Is ASR supported if I have an E3 license?**
+To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
-Yes. ASR is supported for Windows Enterprise E3 and above. See [Use attack surface reduction rules in Windows 10 Enterprise E3](attack-surface-reduction-rules-in-windows-10-enterprise-e3.md) for more details.
+## Is ASR supported if I have an E3 license?
-**Which features are supported with an E5 license?**
+Yes. ASR is supported for Windows Enterprise E3 and above.
+
+## Which features are supported with an E5 license?
All of the rules supported with E3 are also supported with E5.
E5 also added greater integration with Microsoft Defender ATP. With E5, you can [use Microsoft Defender ATP to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports.
-**What are the the currently supported ASR rules??**
+## What are the currently supported ASR rules?
ASR currently supports all of the rules below:
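Review bot: the rewrite of the enterprise-license answer changes its meaning. The original stated a condition ("A limited number of rules may work without an enterprise license, if you have Microsoft 365 Business, set ... as your primary security solution, and enable the rules through PowerShell"); the new text splits that into a claim plus a bare instruction ("If you have Microsoft 365 Business, set Microsoft Defender Antivirus as your primary security solution, and enable the rules through PowerShell."), which now reads as a recommendation to every Microsoft 365 Business customer and then contradicts the next sentence saying this usage is not officially supported. Suggest: "A limited number of rules may work without an enterprise license if you have Microsoft 365 Business, set Microsoft Defender Antivirus as your primary security solution, and enable the rules through PowerShell."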
@@ -52,8 +54,8 @@ ASR currently supports all of the rules below:
* [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md##block-javascript-or-vbscript-from-launching-downloaded-executable-content)
* [Block execution of potentially obfuscated scripts](attack-surface-reduction.md#block-execution-of-potentially-obfuscated-scripts)
* [Block Win32 API calls from Office macro](attack-surface-reduction.md#block-win32-api-calls-from-office-macros)
-* [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware)
-* [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem)
+* [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware)
+* [Block credential stealing from the Windows local security authority subsystem](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem) (lsass.exe)
* [Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands)
* [Block untrusted and unsigned processes that run from USB](attack-surface-reduction.md#block-untrusted-and-unsigned-processes-that-run-from-usb)
* [Block executable files from running unless they meet a prevalence, age, or trusted list criteria](attack-surface-reduction.md#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)
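Review bot: the unchanged context line for "Block JavaScript or VBScript from launching downloaded executable content" has a doubled hash in its anchor (`attack-surface-reduction.md##block-javascript-...`), so that link will not resolve; since this hunk is already touching adjacent list items, fix it to a single `#`. Also, the lsass.exe item now puts "(lsass.exe)" outside the link text while the FAQ headings further down (and the rule name as written elsewhere on this page) keep it as part of the rule name; pick one form and use it consistently.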
@@ -61,39 +63,41 @@ ASR currently supports all of the rules below:
* [Block Adobe Reader from creating child processes](attack-surface-reduction.md#block-adobe-reader-from-creating-child-processes)
* [Block persistence through WMI event subscription](attack-surface-reduction.md#block-persistence-through-wmi-event-subscription)
-**What are some good recommendations for getting started with ASR?**
+## What are some good recommendations for getting started with ASR?
-It is generally best to first test how ASR rules will impact your organization before enabling them, by running them in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked erroneously, and exclude them from ASR.
+Test how ASR rules will impact your organization before enabling them by running ASR rules in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked erroneously, and exclude them from ASR.
-Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly-broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool.
+Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool.
-**How long should I test an ASR rule in audit mode before enabling it?**
+## How long should I test an ASR rule in audit mode before enabling it?
-You should keep the rule in audit mode for about 30 days. This amount of time gives you a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them.
+Keep the rule in audit mode for about 30 days to get a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them.
-**I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR?**
+## I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR?
-Rather than attempting to import sets of rules from another security solution, it is, in most cases, easier and safer to start with the baseline recommendations suggested for your organization by Microsoft Defender ATP, then use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. The default configuration for most ASR rules, combined with Defender's real-time protection, will protect against a large number of exploits and vulnerabilities.
+In most cases, it's easier and better to start with the baseline recommendations suggested by [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs.
+
+The default configuration for most ASR rules, combined with Microsoft Defender ATP's real-time protection, will protect against a large number of exploits and vulnerabilities.
From within Microsoft Defender ATP, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked.
-**Does ASR support file or folder exclusions that include system variables and wildcards in the path?**
+## Does ASR support file or folder exclusions that include system variables and wildcards in the path?
-Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths.
+Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths.
-**Do ASR rules cover all applications by default?**
+## Do ASR rules cover all applications by default?
It depends on the rule. Most ASR rules cover the behavior of Microsoft Office products and services, such as Word, Excel, PowerPoint, and OneNote, or Outlook. Certain ASR rules, such as *Block execution of potentially obfuscated scripts*, are more general in scope.
-**Does ASR support third-party security solutions?**
+## Does ASR support third-party security solutions?
ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time.
-**I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline?**
+## I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline?
Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Microsoft Defender ATP portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Microsoft Defender ATP.
-**I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'.**
+## I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'.
Try opening the indexing options directly from Windows 10.
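Review bot: the rewritten answer on importing third-party rules replaces "easier and safer" with "easier and better", which drops the security reason for the recommendation: importing another product's rule set can carry over exclusions that were never evaluated against ASR's behaviour. Suggest keeping "it's easier and safer to start with the baseline recommendations ...". The rest of the restructuring (splitting into two paragraphs, linking the product name) reads fine.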
@@ -101,23 +105,23 @@ Try opening the indexing options directly from Windows 10.
1. Enter **Indexing options** into the search box.
-**Are the criteria used by the rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*, configurable by an admin?**
+## Are the criteria used by the rule, "Block executable files from running unless they meet a prevalence, age, or trusted list criterion," configurable by an admin?
-No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up-to-date with data gathered from around the world. Local admins do not have write access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent the rule from being triggered.
+No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up to date with data gathered from around the world. Local admins do not have write access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent the rule from being triggered.
-**I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?**
+## I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?
This rule relies upon each application having a known reputation, as measured by prevalence, age, or inclusion on a list of trusted apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria.
-Usually, cloud protection can determine that a new version of an application is similar enough to previous versions that it does not need to be re-assessed at length. However, it might take some time for the app to build reputation after switching versions, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with very new versions of applications, you may opt instead to run this rule in audit mode.
+Usually, cloud protection can determine that a new version of an application is similar enough to previous versions that it does not need to be reassessed at length. However, it might take some time for the app to build reputation after switching versions, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with new versions of applications, you may opt instead to run this rule in audit mode.
-**I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?**
+## I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?
-A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often target lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies.
+A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often targets lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies.
-Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive amount of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning.
+Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive number of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning.
-**Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?**
+## Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?
Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe.
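Review bot: the new headings in this hunk quote rule names inconsistently: the prevalence/age/trusted-list heading uses double quotes, while the three lsass.exe headings use italics. Settle on one style for all rule names in headings. Two smaller points in the unchanged last paragraph, worth fixing while the headings are being touched: "malware that target lsass.exe" should be "malware that targets lsass.exe", and "equivalent protection" overstates the comparison, because the FAQ itself says ASR can only block through Microsoft Defender Antivirus, whereas LSA protection is an operating-system setting that does not depend on which antivirus engine is active; "comparable protection" with that caveat would be accurate.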
@@ -127,4 +131,4 @@ Enabling this rule will not provide additional protection if you have [LSA prote
* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
* [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
+* [Compatibility of Microsoft Defender with other antivirus/antimalware](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
deleted file mode 100644
index 8d2f79fd76..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Use attack surface reduction rules in Windows 10 Enterprise E3
-description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
-keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.date: 10/15/2018
-ms.reviewer:
-manager: dansimp
-ms.custom: asr
----
-
-# Use attack surface reduction rules in Windows 10 Enterprise E3
-
-**Applies to:**
-
-- Windows 10 Enterprise E3
-
-Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license.
-
-A limited subset of basic attack surface reduction rules can technically be used with Windows 10 Enterprise E3. They can be used without the benefits of reporting, monitoring, and analytics, which provide the ease of deployment and management capabilities necessary for enterprises.
-
-Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
-
-The limited subset of rules that can be used in Windows 10 Enterprise E3 include:
-
-- Block executable content from email client and webmail
-- Block all Office applications from creating child processes
-- Block Office applications from creating executable content
-- Block Office applications from injecting code into other processes
-- Block JavaScript or VBScript from launching downloaded executable content
-- Block execution of potentially obfuscated scripts
-- Block Win32 API calls from Office macro
-- Use advanced protection against ransomware
-- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
-- Block process creations originating from PSExec and WMI commands
-- Block untrusted and unsigned processes that run from USB
-
-For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md).
-
- ## Related topics
-
-Topic | Description
----|---
-[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created.
-[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network.
-[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file.
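Review bot: deleting this page loses content that the remaining pages no longer carry. The FAQ answer for "Is ASR supported if I have an E3 license?" was cut down to a single sentence in the same change, so the list of which rules work on Windows 10 Enterprise E3 without reporting, monitoring, and analytics, and the statement that rules are supported on Windows Server 2019, now appear nowhere. Move that list into the FAQ or into attack-surface-reduction.md before removing the file, and add a redirect for this URL since the FAQ previously linked to it.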
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index 828455927c..89b074632e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -23,16 +23,13 @@ ms.custom: asr
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Your attack surface is the total number of places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks.
Attack surface reduction rules target software behaviors that are often abused by attackers, such as:
-* Launching executable files and scripts that attempt to download or run files
-* Running obfuscated or otherwise suspicious scripts
-* Performing behaviors that apps don't usually initiate during normal day-to-day work
+- Launching executable files and scripts that attempt to download or run files
+- Running obfuscated or otherwise suspicious scripts
+- Performing behaviors that apps don't usually initiate during normal day-to-day work
These behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe.
@@ -44,9 +41,13 @@ For more information about configuring attack surface reduction rules, see [Enab
## Attack surface reduction features across Windows versions
-You can set attack surface reduction rules for computers running Windows 10 versions 1709 and 1803 or later, Windows Server version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
+You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
+- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-To use the entire feature-set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
+To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
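Review bot: listing "Windows 10 Pro, version 1709 or later" as an edition on which you can set attack surface reduction rules conflicts with the FAQ in this same change, which states that "ASR usage without an enterprise license is not officially supported." Either qualify the Pro entry (for example, that rules can be set but are unsupported and limited without an Enterprise license) or align the FAQ wording; as written, the two pages give a reader different answers to the same question.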
## Review attack surface reduction events in the Microsoft Defender Security Center
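Review bot: the new edition list says "version 1709 or later" for every edition, but the rest of this patch documents higher minimums for individual rules: the per-rule "This rule was introduced in" lists cite Windows 10, version 1803 and version 1809, and the GUID table pins "Block persistence through WMI event subscription" to version 1903. Add one sentence after the list saying that several rules require a later release and pointing to the per-rule minimum, otherwise an admin on 1709 will expect all 15 rules to apply. The server entry has the same problem from the other direction: "Windows Server, version 1803 (Semi-Annual Channel) or later" here, while every rule section below lists "Windows Server, version 1809" as the first server release; confirm which is right and use it in both places.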
@@ -77,11 +78,11 @@ You can review the Windows event log to view events generated by attack surface
This will create a custom view that filters events to only show the following, all of which are related to controlled folder access:
-Event ID | Description
--|-
-5007 | Event when settings are changed
-1121 | Event when rule fires in Block-mode
-1122 | Event when rule fires in Audit-mode
+|Event ID | Description |
+|---|---|
+|5007 | Event when settings are changed |
+|1121 | Event when rule fires in Block-mode |
+|1122 | Event when rule fires in Audit-mode |
The "engine version" listed for attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not by the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
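Review bot: the context sentence introducing the table, "all of which are related to controlled folder access", is wrong for this page. The table it introduces describes 1121 and 1122 as "Event when rule fires in Block-mode" and "Event when rule fires in Audit-mode", which are attack surface reduction rule events, and the preceding prose is about attack surface reduction. Since the hunk already rewrites the table, change the sentence to "all of which are related to attack surface reduction rules" in the same commit. It would also help a responder building the custom view to name the log these IDs are written to; the audit-windows-defender.md hunk later in this patch gives the path (Applications and Services > Microsoft > Windows > Windows Defender > Operational), and repeating it here keeps the two pages consistent.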
@@ -89,38 +90,42 @@ The "engine version" listed for attack surface reduction events in the event log
The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs:
- Rule name | GUID | File & folder exclusions
--|-|-
-[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
-[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
-[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
-[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported
-[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported
-[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported
-[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported
-[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported
-[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported
-[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported
-[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported
-[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported
-[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported
-[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported
-[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported
+| Rule name | GUID | File & folder exclusions | Minimum OS supported |
+|-----|----|---|---|
+|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Not supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
### Block executable content from email client and webmail
This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
-* Executable files (such as .exe, .dll, or .scr)
-* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+- Executable files (such as .exe, .dll, or .scr)
+- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Microsoft Endpoint Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Microsoft Endpoint Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
Microsoft Endpoint Configuration Manager name: Block executable content from email client and webmail
-GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
+GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`
### Block all Office applications from creating child processes
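Review bot: the new "Minimum OS supported" column contradicts the "This rule was introduced in" lists added by the same patch. The column gives "Windows 10, version 1709 (RS3, build 16299) or greater" for 14 of the 15 rules, but the sections below say version 1803 for "Block executable files from running unless they meet a prevalence, age, or trusted list criterion", "Use advanced protection against ransomware", "Block credential stealing from the Windows local security authority subsystem", "Block process creations originating from PSExec and WMI commands" and "Block untrusted and unsigned processes that run from USB", and version 1809 for the Office communication and Adobe Reader rules. Admins scope deployments from this column, so make it agree with the per-rule lists (or correct the lists) before merging. Two smaller points on the same hunk: the PSExec/WMI row changes file & folder exclusions from "Not supported" to "Supported" with no justification in the visible change, so cite the release that added exclusion support; and "PowerShell .ps" on the script-file bullet should read ".ps1", which is the PowerShell script extension.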
@@ -128,27 +133,35 @@ This rule blocks Office apps from creating child processes. This includes Word,
Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Office apps launching child processes
Configuration Manager name: Block Office application from creating child processes
-GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
+GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`
### Block Office applications from creating executable content
This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
- Malware that abuse Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
+ Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)
Intune name: Office apps/macros creating executable content
SCCM name: Block Office applications from creating executable content
-GUID: 3B576869-A4EC-4529-8536-B80A7769E899
+GUID: `3B576869-A4EC-4529-8536-B80A7769E899`
### Block Office applications from injecting code into other processes
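Review bot: the same product is named three different ways in the "introduced in" lists across this hunk and its neighbours: "Microsoft Endpoint Configuration Manager CB 1710" under the email rule, "Configuration Manager CB 1710" here, and "System Center Configuration Manager (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)" under the executable-content rule, all linking to the same generic updates page. Pick one form, ideally the current product name with the old name in parentheses on first use only, and apply it to every rule. Also the context line "Malware that abuse Office as a vector often run VBA macros" has the agreement error that this same hunk fixes two sections later ("Malware that abuses Office"); fix it here as well so the two paragraphs match.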
@@ -160,13 +173,17 @@ There are no known legitimate business purposes for using code injection.
This rule applies to Word, Excel, and PowerPoint.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Office apps injecting code into other processes (no exceptions)
Configuration Manager name: Block Office applications from injecting code into other processes
-GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
+GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`
### Block JavaScript or VBScript from launching downloaded executable content
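Review bot: the context line "Intune name: Office apps injecting code into other processes (no exceptions)" says "(no exceptions)", yet the GUID table rewritten earlier in this patch lists file & folder exclusions as "Supported" for `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`. The email rule has the same mismatch ("... dropped from email (webmail/mail client) (no exceptions)" against "Supported"), while the JavaScript/VBScript rule's "(no exceptions)" agrees with its "Not supported". Either the Intune display names are stale or the table is; check the Intune profile and either correct the table or add a sentence under the table saying the Intune "(no exceptions)" label does not reflect current exclusion support.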
@@ -177,13 +194,17 @@ Although not common, line-of-business applications sometimes use scripts to down
> [!IMPORTANT]
> File and folder exclusions don't apply to this attack surface reduction rule.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content
-GUID: D3E037E1-3EB8-44C8-A917-57927947596D
+GUID: `D3E037E1-3EB8-44C8-A917-57927947596D`
### Block execution of potentially obfuscated scripts
@@ -191,13 +212,17 @@ This rule detects suspicious properties within an obfuscated script.
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Obfuscated js/vbs/ps/macro code
Configuration Manager name: Block execution of potentially obfuscated scripts.
-GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
+GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`
### Block Win32 API calls from Office macros
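Review bot: the context line "Configuration Manager name: Block execution of potentially obfuscated scripts." ends with a period while no other "Configuration Manager name:" or "Intune name:" value in this patch does; drop it so the names can be copied verbatim when matching against the console. The repeated four-bullet "introduced in" list is identical for this rule and the five rules before it; if the per-rule lists stay, at least keep the bullet text and link targets byte-identical so a later search-and-replace catches all of them.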
@@ -205,52 +230,61 @@ This rule prevents VBA macros from calling Win32 APIs.
Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Win32 imports from Office macro code
Configuration Manager name: Block Win32 API calls from Office macros
-GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`
### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
-* Executable files (such as .exe, .dll, or .scr)
+- Executable files (such as .exe, .dll, or .scr)
-Launching untrusted or unknown executable files can be risky, as it may not not be initially clear if the files are malicious.
-
-> [!NOTE]
-> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
+Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.
> [!IMPORTANT]
-> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
+> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
>
>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
-GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
+GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
### Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list.
> [!NOTE]
-> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
+> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Advanced ransomware protection
Configuration Manager name: Use advanced protection against ransomware
-GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
+GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
### Block credential stealing from the Windows local security authority subsystem
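Review bot: the IMPORTANT callout for the prevalence rule is malformed after this hunk. The resulting sequence is `> [!IMPORTANT]`, `> You must [enable cloud-delivered protection]... to use this rule.`, then the unprefixed context line "The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft...", then `>` and `>You can specify individual files or folders...`. The unprefixed line terminates the callout, and the two `>` lines after it render as a bare blockquote with no callout type. The removed `-` line carried that sentence as `> The rule ...` inside the callout; restore the `> ` prefix on the surviving copy and put the GUID in backticks like every other GUID in this patch. In the same callout, "you can't specify which rules or exclusions apply to" is missing a word; it should read "you can't specify which rules the exclusions apply to". Finally, this hunk folds the cloud-delivered protection requirement into an IMPORTANT callout for this rule but leaves it as a NOTE for the ransomware rule below; the same hard requirement should use the same callout type.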
@@ -261,31 +295,35 @@ LSASS authenticates users who log in to a Windows computer. Microsoft Defender C
> [!NOTE]
> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Flag credential stealing from the Windows local security authority subsystem
Configuration Manager name: Block credential stealing from the Windows local security authority subsystem
-GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
+GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`
### Block process creations originating from PSExec and WMI commands
This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.
-> [!IMPORTANT]
-> File and folder exclusions do not apply to this attack surface reduction rule.
-
> [!WARNING]
> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from PSExec and WMI commands
Configuration Manager name: Not applicable
-GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
+GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c`
### Block untrusted and unsigned processes that run from USB
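Review bot: this hunk deletes the callout "File and folder exclusions do not apply to this attack surface reduction rule" from the PSExec/WMI rule, and the GUID table earlier in the patch flips the same rule (`d1e49aac-8f56-4280-b9ba-993a6d77406c`) from "Not supported" to "Supported". That is a statement about product behaviour, not a wording cleanup, and nothing in the visible change says which release added exclusion support. Add the source to the PR and, if exclusions are supported only from a given build, say so, because the "introduced in" list for this rule still starts at Windows 10, version 1803. One more point on the LSASS section in this hunk: the NOTE says the rule "logs the details to the security event log", while the events table earlier on the page places rule events 1121 and 1122 in the Windows Defender Operational log; confirm which log is meant so responders look in the right place.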
@@ -294,13 +332,17 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
* Executable files (such as .exe, .dll, or .scr)
* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Untrusted and unsigned processes that run from USB
Configuration Manager name: Block untrusted and unsigned processes that run from USB
-GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
+GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
### Block Office communication application from creating child processes
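Review bot: the two context bullets under this rule still use `*` ("* Executable files (such as .exe, .dll, or .scr)" and "* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)") while this patch converts the identical bullets under the email rule and the prevalence rule to `-`. Convert these too so the page uses a single bullet style, and correct ".ps" to ".ps1" here as well as under the email rule.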
@@ -311,13 +353,16 @@ This protects against social engineering attacks and prevents exploit code from
> [!NOTE]
> This rule applies to Outlook and Outlook.com only.
-This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
+This rule was introduced in:
+- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from Office communication products (beta)
Configuration Manager name: Not yet available
-GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
+GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
### Block Adobe Reader from creating child processes
@@ -325,13 +370,16 @@ This rule prevents attacks by blocking Adobe Reader from creating additional pro
Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
-This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
+This rule was introduced in:
+- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from Adobe Reader (beta)
Configuration Manager name: Not yet available
-GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
+GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
### Block persistence through WMI event subscription
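Review bot: the context sentence "malware attempting to use it as a vector are prevented from spreading" does not agree in number; "malware" is singular here, so "is prevented from spreading". Since the hunk touches the lines directly below, fold the fix in. The "Intune name: Process creation from Adobe Reader (beta)" and "Configuration Manager name: Not yet available" values are unchanged context; if the beta tag is still accurate leave it, but if the rule has shipped, this rename pass is the place to drop it.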
@@ -339,17 +387,22 @@ This rule prevents malware from abusing WMI to attain persistence on a device.
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
-This rule was introduced in: Windows 10 1903, Windows Server 1903
+This rule was introduced in:
+- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
+- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
Intune name: Block persistence through WMI event subscription
Configuration Manager name: Not yet available
-GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
+GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
## Related topics
-* [Attack surface reduction FAQ](attack-surface-reduction.md)
-* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
+- [Attack surface reduction FAQ](attack-surface-reduction.md)
+
+- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+
+- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+
+- [Compatibility of Microsoft Defender with other antivirus/antimalware](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
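Review bot: "Windows Server 1903" on the `+` line breaks the "Windows Server, version NNNN" form used for every other server entry in this patch ("Windows Server, version 1809"); write "Windows Server, version 1903", and since the link target is whats-new-in-windows-server-1903-1909, consider "or later". The Related topics list gains blank lines between its four items while every other list converted in this patch is tight; remove them for consistency. Also the context "Configuration Manager name: Not yet available" here differs from "Not applicable" used for the PSExec/WMI rule; use "Not applicable" only where Configuration Manager cannot manage the rule, and "Not yet available" only where support is actually planned, so the two phrasings carry distinct meaning.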
diff --git a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
index cb5f42efe4..db8dec5ba9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
@@ -31,7 +31,7 @@ While the features will not block or prevent apps, scripts, or files from being
To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**.
-You can use Windows Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
+You can use Microsoft Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
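Review bot: the `+` line correctly renames "Windows Defender Advanced Threat Protection" to "Microsoft Defender Advanced Threat Protection", but the second sentence then uses the short form "Microsoft Defender ATP console" without the abbreviation having been introduced; write "Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)" at the first mention. The Event Viewer path in the context line above, "Windows Defender > Operational", is the name of the log channel rather than product branding, so it should stay as written in this rename pass.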
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
index fdb2c392fa..a04fe5d589 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -18,7 +18,9 @@ ms.topic: article
# View details and results of automated investigations
-Pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) are listed in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)).
+During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP) is configured for your organization, some remediation actions are taken automatically.
+
+If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation.
>[!NOTE]
>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
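Review bot: "certain remediation actions can be identified" in the new opening sentence leaves it unclear who identifies them; suggest "the investigation identifies remediation actions for the threats it finds", which also gives the next sentence ("some remediation actions are taken automatically") a clear subject. If the file really has no blank line between the new "If you're part of your organization's security operations team..." paragraph and the `>[!NOTE]` block that follows it, add one so the note renders as its own alert rather than as a continuation of the paragraph.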
@@ -27,12 +29,13 @@ Pending and completed [remediation actions](manage-auto-investigation.md#remedia

-The action center consists of two main tabs, as described in the following table.
-
-|Tab |Description |
-|---------|---------|
-|Pending actions |Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject.
**NOTE**: The Pending tab appears only if there are pending actions to be approved (or rejected). |
-|History |Acts as an audit log for all of the following: - All actions taken by automated investigation and remediation in Microsoft Defender ATP Actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone) - All commands ran and remediation actions that were applied in Live Response sessions (some actions can be undone) - Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone) |
+The action center consists of two main tabs: **Pending actions** and **History**.
+- **Pending actions** Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. The Pending tab appears only if there are pending actions to be approved (or rejected).
+- **History** Acts as an audit log for all of the following items:
+ - Remediation actions that were taken as a result of an automated investigation
+ - Remediation actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone)
+ - Commands that were run and remediation actions that were applied in Live Response sessions (some actions can be undone)
+ - Remediation actions that were applied by Microsoft Defender Antivirus (some actions can be undone)
Use the **Customize columns** menu to select columns that you'd like to show or hide.
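Review bot: the nested items under **History** are indented by a single space (`+ - Remediation actions that were taken as a result of an automated investigation`), which CommonMark does not treat as nesting; they will render as four additional top-level bullets alongside **Pending actions** and **History**. Indent them to the content column of the parent item (at least two spaces, four to be safe). Optionally, a colon after each bold label ("**Pending actions**: Displays a list of ongoing investigations...") keeps the label and its description visibly separate now that the table has become a list.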
@@ -58,29 +61,30 @@ On the **Investigations** page, you can view details and use filters to focus on
|---------|---------|
|**Status** |(See [Automated investigation status](#automated-investigation-status)) |
|**Triggering alert** | The alert that initiated the automated investigation |
-|**Detection source** |The source of the alert that initiated the automated investigation. |
-|**Entities** | These can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that you might have created. |
-|**Threat** |The category of threat detected during the automated investigation. |
-|**Tags** |Filter using manually added tags that capture the context of an automated investigation.|
-|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't.|
+|**Detection source** |The source of the alert that initiated the automated investigation |
+|**Entities** | Entities can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that were created. |
+|**Threat** |The category of threat detected during the automated investigation |
+|**Tags** |Filter using manually added tags that capture the context of an automated investigation|
+|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't|
## Automated investigation status
-An automated investigation can be have one of the following status values:
+An automated investigation can have one of the following status values:
|Status |Description |
|---------|---------|
-| No threats found | No malicious entities found during the investigation. |
-| Failed | A problem has interrupted the investigation, preventing it from completing. |
-| Partially remediated | A problem prevented the remediation of some malicious entities. |
-| Pending action | Remediation actions require review and approval. |
+| Running | The investigation process has started and is underway. Malicious artifacts that are found are remediated. |
+| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for specific details. |
+| No threats found | The investigation has finished and no threats were identified. If you suspect something was missed (such as a false negative), you can use [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). |
+| Pending action | The investigation has found a threat, and an action to remediate that threat is awaiting approval. The Pending Action state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to see if other items are still pending completion. |
+| Remediated | The investigation finished and all actions were approved (fully remediated). |
+| Partially remediated | The investigation resulted in remediation actions, and some were approved and completed. Other actions are still pending. |
+| Terminated by system | The investigation stopped. An investigation can stop for several reasons: - The investigation's pending actions expired. Pending actions can time out after awaiting approval for an extended period of time. - There are too many actions in the list. Visit the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) to view and approve any pending actions. |
+| Failed | At least one investigation analyzer ran into a problem where it could not complete properly.
If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for detailed results. |
+| Queued | An investigation is being held in a queue. When other investigations complete, queued investigations begin. |
| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
-| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
-| Running | Investigation ongoing. Malicious entities found will be remediated. |
-| Remediated | Malicious entities found were successfully remediated. |
-| Terminated by system | Investigation was stopped by the system. |
| Terminated by user | A user stopped the investigation before it could complete. |
-| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
+
## View details about an automated investigation
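Review bot: the new **Failed** row is split across two physical lines (`+| Failed | At least one investigation analyzer ran into a problem where it could not complete properly.` followed by `If an investigation fails after remediation actions were approved, ...`), and a markdown table cell cannot contain a line break, so the second sentence and the closing `|` will fall out of the table; join the two lines and use `<br>` if a visual break is wanted. The **Terminated by system** row has the same problem in miniature: its inline ` - ` bullets will not render as a list inside a cell, so either separate the reasons with `<br>- ` or move them into a sentence after the table. While the filters table is being touched, "device or machines" in the **Entities** row reads as a typo for "devices or machines", and "zone in a specific machine" should be "zoom in on a specific machine".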
@@ -92,7 +96,7 @@ In this view, you'll see the name of the investigation, when it started and ende
### Investigation graph
-The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
+The investigation graph provides a graphical representation of an automated investigation. All investigation-related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
A progress ring shows two status indicators:
- Orange ring - shows the pending portion of the investigation
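Review bot: the hyphen fix leaves a missing word in the same line: "Clicking on any of the icons brings you the relevant section" should be "brings you to the relevant section".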
@@ -108,7 +112,7 @@ From this view, you can also view and add comments and tags about the investigat
### Alerts
-The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
+The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned.
Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing.
@@ -124,7 +128,7 @@ Machines that show the same threat can be added to an ongoing investigation and
Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
-Clicking on an machine name brings you the machine page.
+Clicking on a machine name brings you the machine page.
### Evidence
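Review bot: the article fix in "Clicking on a machine name brings you the machine page" still leaves out "to"; it should read "brings you to the machine page".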
@@ -132,7 +136,7 @@ The **Evidence** tab shows details related to threats associated with this inves
### Entities
-The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean.
+The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or had no threats found.
### Log
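Review bot: "The table details such as the number of entities that were analyzed." in the rewritten **Entities** line has no main verb and was carried over unchanged from the old text; suggest "The table includes details such as the number of entities that were analyzed." In the same line, "files, process, services, drives, and IP addresses" should read "processes" to match the other plural items.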
@@ -146,7 +150,7 @@ You can also click on an action to bring up the details pane where you'll see in
### Pending actions
-If there are pending actions on an automated investigation, you'll see a pop up similar to the following image.
+If there are pending actions on an automated investigation, you'll see a pop-up similar to the following image.

diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index 17a56b7252..3399f94ff8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -30,7 +30,7 @@ The automated investigation feature leverages various inspection algorithms, and
## How the automated investigation starts
-When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a machine. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other machines in the organization. Details from the investigation, including verdicts (Malicious, Suspicious, and Clean) are available during and after the automated investigation.
+When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a machine. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other machines in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
>[!NOTE]
>Currently, automated investigation only supports the following OS versions:
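Review bot: renaming the *Clean* verdict to *No threats found* gives a per-entity verdict the same label as the investigation status "No threats found" that this patch introduces in auto-investigation-action-center.md. An investigation whose status is "No threats found" and a single entity whose verdict is "No threats found" are different things; consider saying explicitly here that the verdict applies to each entity, so a reader moving between the two pages does not conflate them.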
@@ -48,7 +48,7 @@ During and after an automated investigation, you can view details about the inve
|**Alerts**| Shows the alert that started the investigation.|
|**Machines** |Shows where the alert was seen.|
|**Evidence** |Shows the entities that were found to be malicious during the investigation.|
-|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *Clean*). |
+|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.|
|**Pending actions** |If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
new file mode 100644
index 0000000000..3d719200bc
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
@@ -0,0 +1,119 @@
+---
+title: Behavioral blocking and containment
+description: Learn about behavioral blocking and containment capabilities in Microsoft Defender ATP
+keywords: Microsoft Defender ATP, EDR in block mode, passive mode blocking
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+ms.reviewer: shwetaj
+audience: ITPro
+ms.topic: article
+ms.prod: w10
+ms.localizationpriority: medium
+ms.custom:
+- next-gen
+- edr
+ms.collection:
+---
+
+# Behavioral blocking and containment
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Overview
+
+Today’s threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised machines. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and machine learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security).
+
+Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Microsoft Defender ATP components and features work together in behavioral blocking and containment capabilities.
+
+:::image type="content" source="images/mdatp-next-gen-EDR-behavblockcontain.png" alt-text="Behavioral blocking and containment":::
+
+Behavioral blocking and containment capabilities work with multiple components and features of Microsoft Defender ATP to stop attacks immediately and prevent attacks from progressing.
+
+- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) (which includes Microsoft Defender Antivirus) can detect threats by analyzing behaviors, and stop threats that have started running.
+
+- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) receives security signals across your network, devices, and kernel behavior. As threats are detected, alerts are created. Multiple alerts of the same type are aggregated into incidents, which makes it easier for your security operations team to investigate and respond.
+
+- [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) has a wide range of optics across identities, email, data, and apps, in addition to the network, endpoint, and kernel behavior signals received through EDR. A component of [Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection), Microsoft Defender ATP processes and correlates these signals, raises detection alerts, and connects related alerts in incidents.
+
+With these capabilities, more threats can be prevented or blocked, even if they start running. Whenever suspicious behavior is detected, the threat is contained, alerts are created, and threats are stopped in their tracks.
+
+The following image shows an example of an alert that was triggered by behavioral blocking and containment capabilities:
+
+:::image type="content" source="images/blocked-behav-alert.png" alt-text="Example of an alert through behavioral blocking and containment":::
+
+## Components of behavioral blocking and containment
+
+- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center [https://securitycenter.windows.com](https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
+
+- **[Client behavioral blocking](client-behavioral-blocking.md)** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
+
+- **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
+
+- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)
+
+Expect more to come in the area of behavioral blocking and containment, as Microsoft continues to improve threat protection features and capabilities. To see what's planned and rolling out now, visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap).
+
+## Examples of behavioral blocking and containment in action
+
+Behavioral blocking and containment capabilities have blocked attacker techniques such as the following:
+
+- Credential dumping from LSASS
+- Cross-process injection
+- Process hollowing
+- User Account Control bypass
+- Tampering with antivirus (such as disabling it or adding the malware as exclusion)
+- Contacting Command and Control (C&C) to download payloads
+- Coin mining
+- Boot record modification
+- Pass-the-hash attacks
+- Installation of root certificate
+- Exploitation attempt for various vulnerabilities
+
+Below are two real-life examples of behavioral blocking and containment in action.
+
+### Example 1: Credential theft attack against 100 organizations
+
+As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user’s device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server.
+
+Behavior-based machine learning models in Microsoft Defender ATP caught and stopped the attacker’s techniques at two points in the attack chain:
+- The first protection layer detected the exploit behavior. Machine learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack.
+- The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot).
+
+While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)):
+
+:::image type="content" source="images/behavblockcontain-initialaccessalert.png" alt-text="Initial access alert in the Microsoft Defender Security Center":::
+
+This example shows how behavior-based machine learning models in the cloud add new layers of protection against attacks, even after they have started running.
+
+### Example 2: NTML relay - Juicy Potato malware variant
+
+As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Microsoft Defender ATP detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered.
+
+:::image type="content" source="images/NTLMalertjuicypotato.png" alt-text="NTLM alert for Juicy Potato malware":::
+
+The threat turned out to be malware; it was a new, not-seen-before variant of a notorious hacking tool called Juicy Potato, which is used by attackers to get privilege escalation on a device.
+
+Minutes after the alert was triggered, the file was analyzed, and confirmed to be malicious. Its process was stopped and blocked, as shown in the following image:
+
+:::image type="content" source="images/Artifactblockedjuicypotato.png" alt-text="Artifact blocked":::
+
+A few minutes after the artifact was blocked, multiple instances of the same file were blocked on the same device, preventing additional attackers or other malware from deploying on the device.
+
+This example shows that with behavioral blocking and containment capabilities, threats are detected, contained, and blocked automatically.
+
+## Next steps
+
+- [Learn more about Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
+
+- [Configure your attack surface reduction rules](attack-surface-reduction.md)
+
+- [Enable EDR in block mode](edr-in-block-mode.md)
+
+- [See recent global threat activity](https://www.microsoft.com/wdsi/threats)
+
+- [Get an overview of Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
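Review bot: in Example 1 the sentence "Machine learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack" is missing the classification after "as"; either name it (the linked blog post this paragraph summarizes is the place to check) or drop "as". Other fixes before this new page merges: "NTML relay" in the Example 2 heading is a typo for "NTLM relay" (the alert name quoted in the next paragraph spells it correctly); "fileless malware ... and that lives off the land" in the overview is a dangling clause, presumably "fileless malware that lives off the land"; the **Microsoft Defender ATP** bullet under the architecture image links to the same overview-endpoint-detection-response page as the EDR bullet above it, which looks like the wrong target; `ms.collection:` in the front matter has no value and should be populated or removed; and the Security Center link in the attack surface reduction bullet is written bare ("Microsoft Defender Security Center [https://securitycenter.windows.com](https://securitycenter.windows.com)") while the later occurrences on the page wrap it in parentheses.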
diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
new file mode 100644
index 0000000000..19fabebbdf
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
@@ -0,0 +1,90 @@
+---
+title: Client behavioral blocking
+description: Client behavioral blocking is part of behavioral blocking and containment capabilities in Microsoft Defender ATP
+keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender ATP
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+ms.reviewer: shwetaj
+audience: ITPro
+ms.topic: article
+ms.prod: w10
+ms.localizationpriority: medium
+ms.custom:
+- next-gen
+- edr
+ms.collection:
+---
+
+# Client behavioral blocking
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Overview
+
+Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in Microsoft Defender ATP. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically.
+
+:::image type="content" source="images/pre-execution-and-post-execution-detection-engines.png" alt-text="Cloud and client protection":::
+
+Antivirus protection works best when paired with cloud protection.
+
+## How client behavioral blocking works
+
+[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device.
+
+Whenever a suspicious behavior is detected, an [alert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/alerts-queue) is generated, and is visible in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+
+Client behavioral blocking is effective because it not only helps prevent an attack from starting, it can help stop an attack that has begun executing. And, with [feedback-loop blocking](feedback-loop-blocking.md) (another capability of behavioral blocking and containment), attacks are prevented on other devices in your organization.
+
+## Behavior-based detections
+
+Behavior-based detections are named according to the [MITRE ATT&CK Matrix for Enterprise](https://attack.mitre.org/matrices/enterprise). The naming convention helps identify the attack stage where the malicious behavior was observed:
+
+
+|Tactic | Detection threat name |
+|----|----|
+|Initial Access | Behavior:Win32/InitialAccess.*!ml |
+|Execution | Behavior:Win32/Execution.*!ml |
+|Persistence | Behavior:Win32/Persistence.*!ml |
+|Privilege Escalation | Behavior:Win32/PrivilegeEscalation.*!ml |
+|Defense Evasion | Behavior:Win32/DefenseEvasion.*!ml |
+|Credential Access | Behavior:Win32/CredentialAccess.*!ml |
+|Discovery | Behavior:Win32/Discovery.*!ml |
+|Lateral Movement | Behavior:Win32/LateralMovement.*!ml |
+|Collection | Behavior:Win32/Collection.*!ml |
+|Command and Control | Behavior:Win32/CommandAndControl.*!ml |
+|Exfiltration | Behavior:Win32/Exfiltration.*!ml |
+|Impact | Behavior:Win32/Impact.*!ml |
+|Uncategorized | Behavior:Win32/Generic.*!ml |
+
+> [!TIP]
+> To learn more about specific threats, see **[recent global threat activity](https://www.microsoft.com/wdsi/threats)**.
+
+
+## Configuring client behavioral blocking
+
+If your organization is using Microsoft Defender ATP, client behavioral blocking is enabled by default. However, to benefit from all Microsoft Defender ATP capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured:
+
+- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)
+
+- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure)
+
+- [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode)
+
+- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+
+- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) (antivirus)
+
+## Related articles
+
+- [Behavioral blocking and containment](behavioral-blocking-containment.md)
+
+- [Feedback-loop blocking](feedback-loop-blocking.md)
+
+- [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/)
+
+- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources)
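Review bot: the "Configuring client behavioral blocking" list tells readers to make sure EDR in block mode is enabled, but behavioral-blocking-containment.md in this same patch describes EDR in block mode as "currently in preview" and off by default; mark it as preview here as well, or drop it from a list of things to "make sure" are enabled, so the two new pages do not contradict each other. Smaller points: `ms.collection:` in the front matter has no value; "it not only helps prevent an attack from starting, it can help stop an attack" wants "but also" (or "it can also help stop"); the lone sentence "Antivirus protection works best when paired with cloud protection." under the image reads as an orphan caption and could be folded into the paragraph above or made the image caption; and there are doubled blank lines before the detections table and before the Configuring heading.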
diff --git a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
index 2830d49f18..de0e22cee2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
@@ -77,7 +77,6 @@ Not currently available.
## Integrations
Integrations with the following Microsoft products are not currently available:
-- Azure Security Center
- Azure Advanced Threat Protection
- Azure Information Protection
- Office 365 Advanced Threat Protection
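Review bot: deleting the **Azure Security Center** bullet from the "not currently available" list implicitly announces that the integration is now available in this environment; if that is the intent, the page should say so positively (in the corresponding available-features section or with an availability note), and if it is not, the removal should be reverted. A silent removal from a negative list is easy to misread in either direction.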
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
index 0b7d271c77..70890b48ee 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
@@ -1,7 +1,7 @@
---
-title: Configure HP ArcSight to pull Microsoft Defender ATP detections
-description: Configure HP ArcSight to receive and pull detections from Microsoft Defender Security Center
-keywords: configure hp arcsight, security information and events management tools, arcsight
+title: Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
+description: Configure Micro Focus ArcSight to receive and pull detections from Microsoft Defender Security Center
+keywords: configure Micro Focus ArcSight, security information and events management tools, arcsight
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Configure HP ArcSight to pull Microsoft Defender ATP detections
+# Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
**Applies to:**
@@ -28,14 +28,15 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
-You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP detections.
+You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Microsoft Defender ATP detections.
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
## Before you begin
-Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
+
+Configuring the Micro Focus ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
This section guides you in getting the necessary information to set and use the required configuration files correctly.
@@ -50,7 +51,7 @@ This section guides you in getting the necessary information to set and use the
- WDATP-connector.properties
- WDATP-connector.jsonparser.properties
- You would have saved a .zip file which contains these two files when you chose HP ArcSight as the SIEM type you use in your organization.
+ You would have saved a .zip file which contains these two files when you chose Micro Focus ArcSight as the SIEM type you use in your organization.
- Make sure you generate the following tokens and have them ready:
- Access token
@@ -58,7 +59,8 @@ This section guides you in getting the necessary information to set and use the
You can generate these tokens from the **SIEM integration** setup section of the portal.
-## Install and configure HP ArcSight FlexConnector
+## Install and configure Micro Focus ArcSight FlexConnector
+
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location.
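Review bot: Step 1 still points readers to the "HPE Software center" while this patch renames HP to Micro Focus everywhere else in the article; update the vendor portal name here too so the rename is consistent. On the same line, "`C:\Program Files\ArcSightFlexConnectors\current\bin`.You can choose" is missing a space after the period.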
@@ -79,8 +81,9 @@ The following steps assume that you have completed all the required steps in [Be
- WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\
- NOTE:
- You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
+ > [!NOTE]
+ >
+ > You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**.
@@ -114,30 +117,36 @@ The following steps assume that you have completed all the required steps in [Be
-
7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.
- If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https. If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
+
+
+7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.
-7. Continue with the connector setup by returning to the HP ArcSight Connector Setup window.
+ If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.
+
+ If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
-8. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
+8. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window.
-9. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
+9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
-10. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
+10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
-11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
+11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
-12. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
+12. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
-13. Select **Install as a service** and click **Next**.
+13. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
-14. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
+14. Select **Install as a service** and click **Next**.
-15. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
+15. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
-16. Finish the installation by selecting **Exit** and **Next**.
+16. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
+
+17. Finish the installation by selecting **Exit** and **Next**.
+
+## Install and configure the Micro Focus ArcSight console
-## Install and configure the HP ArcSight console
1. Follow the installation wizard through the following tasks:
- Introduction
- License Agreement
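Review bot: The new `+## Install and configure the Micro Focus ArcSight console` heading is followed directly by `1. Follow the installation wizard through the following tasks:` with no blank line, while the other headings this patch touches (FlexConnector, Troubleshooting) get one; add it for consistency. In the re-added step 7, "Login with your application credentials" should be "Log in with ..." (verb form), and "a https URL" / "is a https" should read "an https URL" / "is https".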
@@ -158,18 +167,19 @@ The following steps assume that you have completed all the required steps in [Be
7. Click **Done** to quit the installer.
-8. Login to the HP ArcSight console.
+8. Login to the Micro Focus ArcSight console.
9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**.
10. Set **Device Product = Microsoft Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
-You can now run queries in the HP ArcSight console.
+You can now run queries in the Micro Focus ArcSight console.
Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
-## Troubleshooting HP ArcSight connection
+## Troubleshooting Micro Focus ArcSight connection
+
**Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`.
**Symptom:** You get the following error message:
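Review bot: "Login to the Micro Focus ArcSight console" in step 8 should be "Log in to ..." (verb form). While this region is open, the context line below step 10 mixes straight and curly quotes ("Microsoft” and “Windows Defender ATP”); normalizing them to straight quotes is worth doing in the same change.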
@@ -177,7 +187,9 @@ Microsoft Defender ATP detections will appear as discrete events, with "Microsof
`Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token`
**Solution:**
+
1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?".
+
2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value:
`reauthenticate=true`.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
index 2cdb364929..50726aa946 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
@@ -1,6 +1,6 @@
---
title: Configure attack surface reduction
-description: Configure attack surface reduction
+description: Use Microsoft Intune, Microsoft Endpoint Configuration Manager, Powershell cmdlets, and Group Policy to configure attack surface reduction.
keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av
search.product: eADQiWindows 10XVcnh
search.appverid: met150
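Review bot: "Powershell cmdlets" in the new description should be "PowerShell cmdlets"; the body of the same article (`* PowerShell cmdlets`) already uses the correct casing.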
@@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 07/01/2018
---
# Configure attack surface reduction
@@ -27,13 +26,9 @@ You can configure attack surface reduction with a number of tools, including:
* Group Policy
* PowerShell cmdlets
-The topics in this section describe how to configure attack surface reduction. Each topic includes instructions for the applicable configuration tool (or tools).
-
-## In this section
-
-Topic | Description
+Article | Description
-|-
-[Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to prepare for and install Application Guard, including hardware and software requirements
+[Enable hardware-based isolation for Microsoft Edge](../microsoft-defender-application-guard/install-md-app-guard.md) | How to prepare for and install Application Guard, including hardware and software requirements
[Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and protect kernel mode processes
[Exploit protection](./enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps
[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to access dangerous domains
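Review bot: The hardware-based isolation link moves from `../windows-defender-application-guard/install-wd-app-guard.md` to `../microsoft-defender-application-guard/install-md-app-guard.md`; confirm that file exists at the new relative path in this branch (or that a redirect covers it), since a broken relative link fails the docs build. Dropping the intro sentence and the `## In this section` heading leaves the `Article | Description` table immediately after the `* PowerShell cmdlets` bullet; make sure a blank line separates the list from the table so it still renders as a table.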
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
new file mode 100644
index 0000000000..8286330112
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
@@ -0,0 +1,55 @@
+---
+title: Configure automated investigation and remediation capabilities
+description: Set up your automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
+keywords: configure, setup, automated, investigation, detection, alerts, remediation, response
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Configure automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection
+
+**Applies to**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
+
+To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups).
+
+## Turn on automated investigation and remediation
+
+1. As a global administrator or security administrator, go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
+2. In the navigation pane, choose **Settings**.
+3. In the **General** section, select **Advanced features**.
+4. Turn on both **Automated Investigation** and **Automatically resolve alerts**.
+
+## Set up device groups
+
+1. In the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), on the **Settings** page, under **Permissions**, select **Device groups**.
+2. Select **+ Add machine group**.
+3. Create at least one device group, as follows:
+ - Specify a name and description for the device group.
+ - In the **Automation level list**, select a level, such as **Full – remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
+ - In the **Members** section, use one or more conditions to identify and include devices.
+ - On the **User access** tab, select the [Azure Active Directory groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups?context=azure/active-directory/users-groups-roles/context/ugr-context) who should have access to the device group you're creating.
+4. Select **Done** when you're finished setting up your device group.
+
+## Next steps
+
+- [Visit the Action Center to view pending and completed remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center)
+
+- [Review and approve actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation)
+
+- [Manage indicators for files, IP addresses, URLs, or domains](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators)
+
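Review bot: Step 2 of "Set up device groups" says `Select **+ Add machine group**` while the section title, step 1 and the rest of the new article say "device group(s)"; use whichever label the portal actually shows and keep it consistent. In step 3, the bold in `**Automation level list**` should cover only the control name (`**Automation level** list`), and since `Full – remediate threats automatically` is the example offered, it is worth stating next to it that this level takes remediation actions without analyst approval, which is the distinction the following sentence draws. The trailing empty `+` line at the end of the file is unnecessary.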
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
index 09cd520b12..c5d535a96e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
@@ -34,7 +34,7 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh
## Before you begin
If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully.
-For more information on enabling MDM with Microsoft Intune, see [Setup Windows Device Management](https://docs.microsoft.com/intune-classic/deploy-use/set-up-windows-device-management-with-microsoft-intune).
+For more information on enabling MDM with Microsoft Intune, see [Device enrollment (Microsoft Intune)](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
## Onboard machines using Microsoft Intune
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
index dec845f1d0..34b72d6438 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
@@ -29,13 +29,15 @@ ms.topic: article
Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network.
-You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP for the integration to work.
+You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. For more information, see:
+- [Microsoft Defender ATP for Linux system requirements](microsoft-defender-atp-linux.md#system-requirements)
+- [Microsoft Defender ATP for Mac system requirements](microsoft-defender-atp-mac.md#system-requirements).
## Onboarding non-Windows machines
You'll need to take the following steps to onboard non-Windows machines:
1. Select your preferred method of onboarding:
- - For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac).
+ - For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-atp-mac).
- For other non-Windows devices choose **Onboard non-Windows machines through third-party integration**.
1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed.
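Review bot: The two new bullets are inconsistent: the Linux item has no trailing punctuation while the Mac item ends with a period after the link (`...#system-requirements).`); drop the period. Also, the macOS link in the step below is rewritten as an absolute docs.microsoft.com URL while the new bullets use relative `.md` links to articles in the same folder, which is the style the other hunks in this patch use; pick one.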
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
index 449dd5010c..b640c52453 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
@@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 04/24/2018
+ms.date: 04/16/2020
---
# Onboard non-persistent virtual desktop infrastructure (VDI) machines
@@ -23,13 +23,21 @@ ms.date: 04/24/2018
**Applies to:**
- Virtual desktop infrastructure (VDI) machines
-
+>[!WARNING]
+> Micrsosoft Defender ATP currently does not support Windows Virtual Desktop multi-user session.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
## Onboard non-persistent virtual desktop infrastructure (VDI) machines
-Microsoft Defender ATP supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:
+Microsoft Defender ATP supports non-persistent VDI session onboarding.
+
+>[!Note]
+>To onboard non-persistent VDI sessions, VDI machines must be on Windows 10.
+>
+>While other Windows versions might work, only Windows 10 is supported.
+
+There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:
- Instant early onboarding of a short-lived sessions, which must be onboarded to Microsoft Defender ATP prior to the actual provisioning.
- The machine name is typically reused for new sessions.
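Review bot: Typo in the new warning: `Micrsosoft Defender ATP` should be `Microsoft Defender ATP`. The `>[!WARNING]` block is also inserted directly above the existing `>Want to experience Microsoft Defender ATP?` line with no blank line between them, so Markdown will fold the free-trial sentence into the warning box; add an empty line after the warning text.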
@@ -80,26 +88,62 @@ The following steps will guide you through onboarding VDI machines and will high
6. Test your solution:
- a. Create a pool with one machine.
+ a. Create a pool with one machine.
- b. Logon to machine.
+ b. Logon to machine.
- c. Logoff from machine.
+ c. Logoff from machine.
- d. Logon to machine with another user.
+ d. Logon to machine with another user.
- e. **For single entry for each machine**: Check only one entry in Microsoft Defender Security Center.
+ e. **For single entry for each machine**: Check only one entry in Microsoft Defender Security Center.
**For multiple entries for each machine**: Check multiple entries in Microsoft Defender Security Center.
7. Click **Machines list** on the Navigation pane.
8. Use the search function by entering the machine name and select **Machine** as search type.
+## Updating non-persistent virtual desktop infrastructure (VDI) images
+As a best practice, we recommend using offline servicing tools to patch golden/master images.
+For example, you can use the below commands to install an update while the image remains offline:
+
+```
+DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"
+DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"
+DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit
+```
+
+For more information on DISM commands and offline servicing, please refer to the articles below:
+- [Modify a Windows image using DISM](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
+- [DISM Image Management Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14)
+- [Reduce the Size of the Component Store in an Offline Windows Image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reduce-the-size-of-the-component-store-in-an-offline-windows-image)
+
+If offline servicing is not a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health:
+
+1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script).
+
+2. Ensure the sensor is stopped by running the command below in a CMD window:
+
+ ```
+ sc query sense
+ ```
+
+3. Service the image as needed.
+
+4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumulated since boot:
+
+ ```
+ PsExec.exe -s cmd.exe
+ cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"
+ del *.* /f /s /q
+ exit
+ ```
+
+5. Re-seal the golden/master image as you normally would.
+
## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
-
-
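Review bot: In step 4 the cleanup block runs `del *.* /f /s /q` immediately after `cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"` inside a SYSTEM shell started with `PsExec.exe -s`; if the `cd` fails (wrong current drive, folder not present, path typo) the `del` recursively wipes whatever directory the shell happens to be in, with SYSTEM rights. Chain the two so the delete only runs when the directory change succeeded, e.g. `cd /d "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber" && del *.* /f /s /q`, or tell readers to confirm the prompt shows the Cyber folder before deleting. Step 2 should say what to look for in the `sc query sense` output (a `STATE` line reporting `STOPPED`) rather than only "ensure the sensor is stopped". Minor: "cleanup" is a noun here, use "clean up", and tagging the new fenced blocks with a language (`cmd` or `console`) would give them highlighting.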
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
index 1f672b58a6..d3f378cce2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
@@ -52,6 +52,9 @@ From the **Onboarding** card, select **Onboard more machines** to create and ass
>[!TIP]
>Alternatively, you can navigate to the Microsoft Defender ATP onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**.
+>[!NOTE]
+> If you want to view the most up-to-date device data, click on **List of devices without ATP sensor**.
+
From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the machines you want to onboard. To do this, you can either:
- Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile.
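Review bot: The new `>[!NOTE]` is placed directly under the existing `>[!TIP]` blockquote with no blank line in between, so both render as one TIP callout and the `[!NOTE]` marker shows up as literal text; add an empty line before `>[!NOTE]`. "click on **List of devices without ATP sensor**" could use "select" to match the verb the page uses elsewhere (`select **Onboard more machines**`).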
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
index a91141c30b..e7f8c3b23b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
@@ -33,12 +33,12 @@ Before you can deploy and track compliance to security baselines:
- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
## Compare the Microsoft Defender ATP and the Windows Intune security baselines
-The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
+The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Microsoft Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
- [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows)
- [Microsoft Defender ATP baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-defender-atp)
-Both baselines are maintained so that they complement one another and have identical values for shared settings. Deploying both baselines to the same machine will not result in conflicts. Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls.
+Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released.
>[!NOTE]
>The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
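Review bot: The rewrite removes the statement that the two baselines "have identical values for shared settings" and that deploying both "will not result in conflicts", replacing it with "minimize conflicts as baselines evolve"; that changes what administrators are promised, so confirm it is intentional and consider saying explicitly that conflicts can arise when the two baselines are at different versions. The retained phrase "machines onboarded to Microsoft Defender ATP are deployed both baselines" is awkward; "have both baselines deployed" reads better.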
@@ -100,4 +100,4 @@ Machine configuration management monitors baseline compliance only of Windows 10
## Related topics
- [Ensure your machines are configured properly](configure-machines.md)
- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
-- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
\ No newline at end of file
+- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
index 9698e75980..1ae1fc060d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
@@ -70,8 +70,9 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert
## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization
You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard.
->[!NOTE]
->Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.
+> [!NOTE]
+> - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.
+> - You will need to have the "Manage security settings" permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry.
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an investigation request.
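Review bot: the new second bullet in the NOTE (`+> - You will need to have the "Manage security settings" permission ...`) states a permission requirement without saying where that permission is granted; add a link to the portal's role-based access control topic so readers can find which role carries it. In the same line, "You will need to have" can be tightened to "You need", matching the register of the first bullet.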
@@ -130,4 +131,3 @@ It is crucial to respond in a timely manner to keep the investigation moving.
## Related topic
- [Microsoft Threat Experts overview](microsoft-threat-experts.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
index 4654624800..c910870e7e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@@ -102,7 +102,8 @@ See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/
## Enable access to Microsoft Defender ATP service URLs in the proxy server
-If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443:
+If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed below to the allowed domains list.
+If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning.
> [!NOTE]
> settings-win.data.microsoft.com is only needed if you have Windows 10 machines running version 1803 or earlier.
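Review bot: the rewrite in the two `+` lines drops two things the removed line carried: that these URLs are reached on ports 80 and 443, and the instruction not to disable security monitoring of them. The new second sentence tells readers to exclude the domains from HTTPS scanning outright, which is a change in guidance rather than a wording fix; if that is intentional (for example because the sensor's TLS sessions cannot be intercepted), state the reason in the text, and keep the port statement, since an allowlist built from this section must permit port 80 as well as 443 for the CRL hostname that appears in the table below. Suggested wording for the second line: `If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning. They communicate with the Microsoft Defender ATP service on ports 80 and 443.`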
@@ -110,13 +111,13 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec
Service location | Microsoft.com DNS record
-|-
-Common URLs for all locations | ```crl.microsoft.com``` ```ctldl.windowsupdate.com``` ```events.data.microsoft.com``` ```notify.windows.com``` ```settings-win.data.microsoft.com```
+Common URLs for all locations | ```crl.microsoft.com/pki/crl/*``` ```ctldl.windowsupdate.com``` ```www.microsoft.com/pkiops/*``` ```events.data.microsoft.com``` ```notify.windows.com``` ```settings-win.data.microsoft.com```
European Union | ```eu.vortex-win.data.microsoft.com``` ```eu-v20.events.data.microsoft.com``` ```usseu1northprod.blob.core.windows.net``` ```usseu1westprod.blob.core.windows.net``` ```winatp-gw-neu.microsoft.com``` ```winatp-gw-weu.microsoft.com``` ```wseu1northprod.blob.core.windows.net``` ```wseu1westprod.blob.core.windows.net``` ```automatedirstrprdweu.blob.core.windows.net``` ```automatedirstrprdneu.blob.core.windows.net```
United Kingdom | ```uk.vortex-win.data.microsoft.com``` ```uk-v20.events.data.microsoft.com``` ```ussuk1southprod.blob.core.windows.net``` ```ussuk1westprod.blob.core.windows.net``` ```winatp-gw-uks.microsoft.com``` ```winatp-gw-ukw.microsoft.com``` ```wsuk1southprod.blob.core.windows.net``` ```wsuk1westprod.blob.core.windows.net``` ```automatedirstrprduks.blob.core.windows.net``` ```automatedirstrprdukw.blob.core.windows.net```
United States | ```us.vortex-win.data.microsoft.com``` ```ussus1eastprod.blob.core.windows.net``` ```ussus1westprod.blob.core.windows.net``` ```ussus2eastprod.blob.core.windows.net``` ```ussus2westprod.blob.core.windows.net``` ```ussus3eastprod.blob.core.windows.net``` ```ussus3westprod.blob.core.windows.net``` ```ussus4eastprod.blob.core.windows.net``` ```ussus4westprod.blob.core.windows.net``` ```us-v20.events.data.microsoft.com``` ```winatp-gw-cus.microsoft.com``` ```winatp-gw-eus.microsoft.com``` ```wsus1eastprod.blob.core.windows.net``` ```wsus1westprod.blob.core.windows.net``` ```wsus2eastprod.blob.core.windows.net``` ```wsus2westprod.blob.core.windows.net``` ```automatedirstrprdcus.blob.core.windows.net``` ```automatedirstrprdeus.blob.core.windows.net```
> [!NOTE]
-> If you are using Windows Defender Antivirus in your environment, please refer to the following article for details on allowing connections to the Windows Defender Antivirus cloud service: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus
+> If you are using Microsoft Defender Antivirus in your environment, please refer to the following article for details on allowing connections to the Microsoft Defender Antivirus cloud service: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus
If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
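Review bot: the two new entries on the `Common URLs for all locations` row, `crl.microsoft.com/pki/crl/*` and `www.microsoft.com/pkiops/*`, are URL path patterns, but the column is headed `Microsoft.com DNS record` and every other cell in the table holds a bare hostname; a hostname allowlist or DNS-based proxy rule cannot express a path wildcard. Either mark these as full-URL rules for proxies that support them, or reduce them to the hostnames and mention the narrower path as an option. `www.microsoft.com` is also a much broader allow than the other entries, which the text should call out so administrators can decide whether to scope it. The Windows Defender Antivirus to Microsoft Defender Antivirus rename in the NOTE is consistent with the new link path.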
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 371aa16ecd..c3acfa8df0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -13,7 +13,7 @@ ms.author: macapara
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
---
@@ -24,73 +24,69 @@ ms.topic: article
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
-- Windows Server, version 1803
-- Windows Server, 2019 and later
+- Windows Server (SAC) version 1803 and later
+- Windows Server 2019 and later
+- Windows Server 2019 core edition
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink)
-Microsoft Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Microsoft Defender Security Center console.
+Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console.
The service supports the onboarding of the following servers:
-- Windows Server 2008 R2 SP1
+- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
-- Windows Server, version 1803
+- Windows Server (SAC) version 1803 and later
- Windows Server 2019 and later
-
+- Windows Server 2019 core edition
For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
-> [!NOTE]
-> An Azure Security Center Standard license is required, per node, to enroll Microsoft Defender ATP on a supported Windows Server platform, see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services)
-## Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016
+## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016
There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP:
-- **Option 1**: Onboard through Azure Security Center
-- **Option 2**: Onboard through Microsoft Defender Security Center
-
-### Option 1: Onboard servers through Azure Security Center
-1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
-
-2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system.
-
-3. Click **Onboard Servers in Azure Security Center**.
-
-4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
-
-### Option 2: Onboard servers through Microsoft Defender Security Center
-You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center.
-
-- For Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
- - Install the [February monthly update rollup](https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598)
- - Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
- - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
-
-
-- For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
+- **Option 1**: Onboard through Microsoft Defender Security Center
+- **Option 2**: Onboard through Azure Security Center
> [!NOTE]
-> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
+> Microsoft defender ATP standalone server license is required, per node, in order to onboard the server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
-- Turn on server monitoring from Microsoft Defender Security Center.
-- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
+### Option 1: Onboard servers through Microsoft Defender Security Center
+You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center.
+
+ - For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix:
+ - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+
+ - In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
+ - Install the [February monthly update rollup](https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598)
+ - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
+
+ - For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
+
+ > [!NOTE]
+ > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
+
+ - Turn on server monitoring from Microsoft Defender Security Center.
+
+ - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support.
+
+ Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
> [!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
### Configure and update System Center Endpoint Protection clients
-> [!IMPORTANT]
-> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
-Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
+Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
+
+The following steps are required to enable this integration:
+- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
-The following steps are required to enable this integration:
-- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
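Review bot: the rewritten sentence `+Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack ...` does not parse, because "provides ... and to stop" joins a noun object to an infinitive. Suggested: `The integration provides visibility into malware detections and stops the propagation of an attack in your organization by banning potentially malicious files or suspected malware.` Two smaller points in the same hunk: the new license NOTE writes `Microsoft defender ATP standalone server license` with a lowercase "defender" and packs both licensing options into one sentence ending in a `see [...]` clause, which reads better as one sentence per option; and the new list item `Windows Server 2019 core edition` (added twice here) should use the `Core edition` capitalization that the heading added later in this patch uses.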
@@ -99,19 +95,19 @@ The following steps are required to enable this integration:
1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
2. Select Windows Server 2012 R2 and 2016 as the operating system.
-
-3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
+
+3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
-### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP
+### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
- [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
+ - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md).
@@ -120,74 +116,85 @@ Once completed, you should see onboarded servers in the portal within an hour.
### Configure server proxy and Internet connectivity settings
-
+
- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway.
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
-## Windows Server, version 1803 and Windows Server 2019
-To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below.
+
+### Option 2: Onboard servers through Azure Security Center
+1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
+
+2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system.
+
+3. Click **Onboard Servers in Azure Security Center**.
+
+4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
+
+
+## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition
+To onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition, refer to the supported methods and versions below.
> [!NOTE]
> The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
Supported tools include:
- Local script
-- Group Policy
+- Group Policy
- Microsoft Endpoint Configuration Manager
- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602
- VDI onboarding scripts for non-persistent machines
For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
-Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
+Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
-1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
+1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
-2. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
+2. If you're running a third-party antimalware solution, you'll need to apply the following Microsoft Defender AV passive mode settings. Verify that it was configured correctly:
- a. Set the following registry entry:
+ 1. Set the following registry entry:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- Name: ForceDefenderPassiveMode
- Value: 1
- b. Run the following PowerShell command to verify that the passive mode was configured:
+ 1. Run the following PowerShell command to verify that the passive mode was configured:
- ```PowerShell
- Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}
- ```
+ ```PowerShell
+ Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}
+ ```
- c. Confirm that a recent event containing the passive mode event is found:
-
- 
+ 1. Confirm that a recent event containing the passive mode event is found:
-3. Run the following command to check if Windows Defender AV is installed:
+ 
- ```sc query Windefend```
+3. Run the following command to check if Microsoft Defender AV is installed:
- If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+ ```sc.exe query Windefend```
+
+ If the result is 'The specified service does not exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
## Integration with Azure Security Center
-Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
+Microsoft Defender ATP can integrate with Azure Security Center to provide a comprehensive server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
The following capabilities are included in this integration:
- Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
> [!NOTE]
- > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
+ > Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016.
- Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach
> [!IMPORTANT]
-> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default.
+> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default.
> - If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
+> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created and the Microsoft Defender ATP data is stored in Europe by default. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
-
-## Offboard servers
-You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines.
+## Offboard servers
+You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client machines.
For other server versions, you have two options to offboard servers from the service:
- Uninstall the MMA agent
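Review bot: the third bullet added to the IMPORTANT block (`+> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created and the Microsoft Defender ATP data is stored in Europe by default. ...`) restates the first bullet, which is kept in the same block just above it; merge the two so the Europe default appears once, followed by the new sentence about contacting Microsoft Support to reset the tenant. The sentence about server monitoring being disabled for Office 365 GCC customers is a notable limitation and deserves its own bullet rather than being appended to the data-location one. Separately, `+Support for Windows Server, provide deeper insight into activities ...` introduces a subject-verb error and a stray comma where the removed line was grammatical; suggested: `Support for Windows Server provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoints as well.` The change from `sc query Windefend` to `sc.exe query Windefend` is a good one: in a PowerShell console `sc` resolves to the `Set-Content` alias, so the explicit `.exe` makes the check behave the same in both shells.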
@@ -203,10 +210,10 @@ For more information, see [To disable an agent](https://docs.microsoft.com/azure
### Remove the Microsoft Defender ATP workspace configuration
To offboard the server, you can use either of the following methods:
-- Remove the Microsoft Defender ATP workspace configuration from the MMA agent
+- Remove the Microsoft Defender ATP workspace configuration from the MMA agent
- Run a PowerShell command to remove the configuration
-#### Remove the Microsoft Defender ATP workspace configuration from the MMA agent
+#### Remove the Microsoft Defender ATP workspace configuration from the MMA agent
1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab.
@@ -217,11 +224,12 @@ To offboard the server, you can use either of the following methods:
#### Run a PowerShell command to remove the configuration
1. Get your Workspace ID:
- a. In the navigation pane, select **Settings** > **Onboarding**.
- b. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID:
-
- 
+ 1. In the navigation pane, select **Settings** > **Onboarding**.
+
+ 1. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID:
+
+ 
2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
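Review bot: the trailing context line `2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:` mixes "Use" with "replacing"; since this hunk already reflows the sub-steps directly above it, fix it in the same change: `Use the Workspace ID you obtained, replacing `WorkspaceID`:`. Switching the sub-steps from `a.`/`b.` to `1.`/`1.` is fine for renderers that auto-number, but confirm in the preview that the nested items render as their own ordered list and do not restart the outer list.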
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
index ad965c75e5..d5f2d69d6c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
@@ -27,31 +27,29 @@ ms.topic: article
## Pull detections using security information and events management (SIEM) tools
->[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>[!NOTE]
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
-Microsoft Defender ATP currently supports the following SIEM tools:
+Microsoft Defender ATP currently supports the following specific SIEM solution tools through a dedicated SIEM integration model:
-- Splunk
-- HP ArcSight
+- IBM QRadar
+- Micro Focus ArcSight
+
+Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://df.securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details.
To use either of these supported SIEM tools you'll need to:
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
- Configure the supported SIEM tool:
- - [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
- - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
+ - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
+ - Configure IBM QRadar to pull Microsoft Defender ATP detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md).
-## Pull Microsoft Defender ATP detections using REST API
-Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using REST API.
-
-For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md).
-
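Review bot: the new link in `+Other SIEM solutions (such as Splunk, RSA NetWitness) ... [Partner application](https://df.securitycenter.microsoft.com/interoperability/partners)` points at a `df.` subdomain of securitycenter.microsoft.com, which looks like a pre-production environment rather than the customer-facing portal; confirm the hostname before merging, since readers following a documentation link should land on the public portal. Also in this hunk: the new NOTE bullet reads `contain a detailed list` with a singular subject (`contains`); the supported-tools list now says `Micro Focus ArcSight` while the configure step below still says `Configure HP ArcSight ...`, so the two should agree; and `Configure IBM QRadar to pull Microsoft Defender ATP detections For more information, see ...` is missing a period before `For`.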
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
deleted file mode 100644
index 10c69301a9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
+++ /dev/null
@@ -1,131 +0,0 @@
----
-title: Configure Splunk to pull Microsoft Defender ATP detections
-description: Configure Splunk to receive and pull detections from Microsoft Defender Security Center.
-keywords: configure splunk, security information and events management tools, splunk
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Configure Splunk to pull Microsoft Defender ATP detections
-
-**Applies to:**
-
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink)
-
-You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections.
-
->[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
-
-## Before you begin
-
-- Install the open source [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/) in Splunk.
-- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-
-- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values:
- - Tenant ID
- - Client ID
- - Client Secret
- - Resource URL
-
-
-## Configure Splunk
-
-1. Login in to Splunk.
-
-2. Go to **Settings** > **Data inputs**.
-
-3. Select **Windows Defender ATP alerts** under **Local inputs**.
-
- NOTE:
- This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/).
-
-4. Click **New**.
-
-5. Type the following values in the required fields, then click **Save**:
-
- NOTE:
- All other values in the form are optional and can be left blank.
-
-
-
-
-
Field
-
Value
-
-
-
Name
-
Name for the Data Input
-
-
Login URL
-
URL to authenticate the azure app (Default : https://login.microsoftonline.com)
-
-
Endpoint
-
Depending on the location of your datacenter, select any of the following URL: For EU: https://wdatp-alertexporter-eu.securitycenter.windows.com For US:https://wdatp-alertexporter-us.securitycenter.windows.com
For UK:https://wdatp-alertexporter-uk.securitycenter.windows.com
-
-
-
Tenant ID
-
Azure Tenant ID
-
-
Resource
-
Value from the SIEM integration feature page
-
-
Client ID
-
Value from the SIEM integration feature page
-
-
-
Client Secret
-
Value from the SIEM integration feature page
-
-
-
-
-
-After completing these configuration steps, you can go to the Splunk dashboard and run queries.
-
-## View detections using Splunk solution explorer
-Use the solution explorer to view detections in Splunk.
-
-1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**.
-
-2. Select **New**.
-
-3. Enter the following details:
- - Search: Enter a query, for example:
- `sourcetype="wdatp:alerts" |spath|table*`
- - App: Add-on for Windows Defender (TA_Windows-defender)
-
- Other values are optional and can be left with the default values.
-
-4. Click **Save**. The query is saved in the list of searches.
-
-5. Find the query you saved in the list and click **Run**. The results are displayed based on your query.
-
-
->[!TIP]
-> To minimize Detection duplications, you can use the following query:
->```source="rest://wdatp:alerts" | spath | dedup _raw | table *```
-
-## Related topics
-- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
-- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
-- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
-- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
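Review bot: the entire configure-splunk.md page is removed here with no replacement pointer in the hunk, and the deleted "Related topics" block shows it is one of a cross-linked set (enable-siem-integration.md, configure-arcsight.md, api-portal-mapping.md, pull-alerts-using-rest-api.md, troubleshoot-siem.md); check that none of those pages still links to configure-splunk.md and that the removed URL is redirected, otherwise the remaining SIEM pages ship dead links. The deleted text is also the only place in this set that listed the per-region alert exporter endpoints (EU, US, UK) and the `dedup _raw` de-duplication query, so if the Splunk TA remains supported that guidance needs a new home.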
diff --git a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md
index 20a35409f5..2d543f5b2d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md
@@ -1,7 +1,7 @@
---
title: Connected applications in Microsoft Defender ATP
ms.reviewer:
-description: View connected partner applications to Microsoft Defender ATP
+description: View connected partner applications that use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender ATP APIs.
keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile
search.product: eADQiWindows 10XVcnh
search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index 9cb8182798..d33c9a2195 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -45,7 +45,7 @@ Controlled folder access is supported on Windows 10, version 1709 and later and
## Requirements
-Controlled folder access requires enabling [Windows Defender Antivirus real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
+Controlled folder access requires enabling [Microsoft Defender Antivirus real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md).
## Review controlled folder access events in the Microsoft Defender ATP Security Center
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index b2fc09e758..fcfeb45219 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -79,7 +79,7 @@ Your custom detection rule can automatically take actions on files or machines t
These actions are applied to machines in the `DeviceId` column of the query results:
- **Isolate machine** — applies full network isolation, preventing the machine from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network)
- **Collect investigation package** — collects machine information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines)
-- **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the machine
+- **Run antivirus scan** — performs a full Microsoft Defender Antivirus scan on the machine
- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the machine
#### Actions on files
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
index a1d4579881..a7c6223e18 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/13/2019
+ms.date: 05/20/2020
ms.reviewer:
manager: dansimp
---
@@ -26,11 +26,16 @@ manager: dansimp
> [!IMPORTANT]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-Attack surface reduction rules help prevent software behaviors that are often abused to compromise your device or network. For example, an attacker might try to run an unsigned script off of a USB drive, or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve your organization's defensive posture.
+[Attack surface reduction rules](enable-attack-surface-reduction.md) help prevent software behaviors that are often abused to compromise your device or network. For example, an attacker might try to run an unsigned script off of a USB drive, or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve your organization's defensive posture.
Learn how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
-Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
+You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
+- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
## Exclude files and folders
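Review bot: the new supported-platforms list narrows the earlier wording ("Windows 10, versions 1709 and 1803 or later", with no edition restriction) to Windows 10 Pro and Enterprise; if that is intentional, say explicitly whether other editions are unsupported, otherwise readers on those editions will assume the feature does not apply to them. Also confirm the bullet list is preceded by a blank line so that "You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:" renders as a lead sentence followed by a list rather than running into the first bullet.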
@@ -43,7 +48,7 @@ An exclusion applies to all rules that allow exclusions. You can specify an indi
An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
-Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode to test the rule](evaluate-attack-surface-reduction.md).
Rule description | GUID
@@ -72,10 +77,13 @@ See the [attack surface reduction](attack-surface-reduction.md) topic for detail
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
+> [!WARNING]
+> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
+
### Use PowerShell to exclude files and folders
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
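Review bot: the added warning ("Do not use quotes as they are not supported for either the **Value name** column or the **Value** column") is placed after step 4 without saying it applies to the Group Policy **Show** dialog, and it does not tell the reader how to enter a path that contains spaces, which is the usual reason people reach for quotes; suggest anchoring the warning to the dialog by name and adding one sentence on unquoted paths with spaces (and on environment variables, which the section above says are supported).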
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
index 3216d16b87..858060526b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
@@ -43,7 +43,7 @@ You can add additional folders to be protected, but you cannot remove the defaul
Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.
-You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
You can use the Windows Security app or Group Policy to add and remove additional protected folders.
@@ -63,7 +63,7 @@ You can use the Windows Security app or Group Policy to add and remove additiona
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder.
@@ -117,7 +117,7 @@ An allowed application or service only has write access to a controlled folder a
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
index 64a77031bf..30dd08b49c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
@@ -89,7 +89,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
>
> Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
>
-> The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
+> The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
>
>
> * **Example 2**
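Review bot: the `-`/`+` pair for "The result will be that DEP only will be enabled for *test.exe*" is visually identical, so this is a whitespace-only change; if it strips two trailing spaces that Markdown treats as a hard line break inside the blockquote, the rendered Example 1 layout changes, so confirm this is intended (the Example 2 hunk below deliberately merges lines, which suggests it is). Since the line is being touched anyway, "only DEP will be enabled for *test.exe*" reads more naturally than "DEP only will be enabled".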
@@ -100,8 +100,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
>
> Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
>
->The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
->CFG will be enabled for *miles.exe*.
+> The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*.
> [!NOTE]
> If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
index d2df7a0c6e..9cc9cb48ba 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
@@ -1,6 +1,6 @@
---
-title: Update how long data is stored by MDATP
-description: Update data retention settings for Microsoft Defender Advanced Threat Protection (MDATP) by selecting between 30 days to 180 days.
+title: Verify data storage location and update data retention settings
+description: Verify data storage location and update data retention settings for Microsoft Defender Advanced Threat Protection
keywords: data, storage, settings, retention, update
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -15,9 +15,8 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/24/2018
---
-# Update data retention settings for Microsoft Defender ATP
+# Verify data storage location and update data retention settings for Microsoft Defender ATP
**Applies to:**
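Review bot: this hunk deletes `ms.date: 04/24/2018` outright rather than updating it, whereas the customize-attack-surface-reduction.md hunk in the same change bumps its `ms.date` to 05/20/2020; dropping the key removes the last-updated signal for a page whose content is being substantially reworked. Suggest keeping the key with the current date instead of removing it.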
@@ -25,10 +24,18 @@ ms.date: 04/24/2018
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-gensettings-abovefoldlink)
-During the onboarding process, a wizard takes you through the general settings of Microsoft Defender ATP. After onboarding, you might want to update the data retention settings.
+During the onboarding process, a wizard takes you through the data storage and retention settings of Microsoft Defender ATP.
+
+After completing the onboarding, you can verify your selection in the data retention settings page.
+
+## Verify data storage location
+During the [Set up phase](production-deployment.md), you would have selected the location to store your data.
+
+You can verify the data location by navigating to **Settings** > **Data retention**.
+
+## Update data retention settings
1. In the navigation pane, select **Settings** > **Data retention**.
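Review bot: "During the [Set up phase](production-deployment.md), you would have selected the location to store your data." reads as a conditional; the selection is a completed step, so state it plainly, e.g. "During the [Set up phase](production-deployment.md), you selected the location where your data is stored." The new "Verify data storage location" section also sends readers to **Settings** > **Data retention** without saying that the storage location cannot be changed after onboarding (the data-storage-privacy.md hunk in this change states this); one sentence here would stop readers from expecting an edit control on that page.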
diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
index f59264a083..2769a45bcd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
@@ -26,7 +26,7 @@ ms.topic: conceptual
This section covers some of the most frequently asked questions regarding privacy and data handling for Microsoft Defender ATP.
> [!NOTE]
-> This document explains the data storage and privacy details related to Microsoft Defender ATP. For more information related to Microsoft Defender ATP and other products and services like Windows Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information.
+> This document explains the data storage and privacy details related to Microsoft Defender ATP. For more information related to Microsoft Defender ATP and other products and services like Microsoft Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information.
## What data does Microsoft Defender ATP collect?
@@ -46,15 +46,18 @@ Microsoft does not use your data for advertising.
## Data protection and encryption
The Microsoft Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure.
-
There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Microsoft Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview).
In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
-## Do I have the flexibility to select where to store my data?
+## Data storage location
-When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States, or dedicated Azure Government data centers (soon to be in preview). Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States.
+Microsoft Defender ATP operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, or in the United States. Customer data collected by the service may be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) if Microsoft Defender ATP uses another Microsoft online service to process such data, the geolocation as defined by the data storage rules of that other online service.
+
+Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States.
+
+Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside.
## Is my data isolated from other customer data?
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
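Review bot: the rewritten "Data storage location" section drops the sentence that told readers they choose the datacenter geo when onboarding, yet the retained closing paragraph still says "by actively selecting the geographic locations where your data will reside"; either restore a sentence stating that the location is chosen during provisioning, or reword the closing paragraph so the two agree. The rewrite also silently removes the "dedicated Azure Government data centers (soon to be in preview)" mention; if that offering is intentionally no longer described here, record that in the commit message so the omission is not read as an editing error.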
@@ -84,12 +87,10 @@ Your data will be kept and will be available to you while the license is under g
## Can Microsoft help us maintain regulatory compliance?
-Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP is ISO 27001 certified and has a roadmap for obtaining national, regional and industry-specific certifications.
-
-Microsoft Defender ATP for Government (soon to be in preview) is currently undergoing audit for achieving FedRAMP High accreditation as well as Provisional Authorization (PA) at Impact Levels 4 and 5.
+Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional and industry-specific certifications.
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run.
-For more information on the Microsoft Defender ATP ISO certification reports, see [Microsoft Trust Center](https://www.microsoft.com/trustcenter/compliance/iso-iec-27001).
+For more information on the Microsoft Defender ATP certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-datastorage-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md
index a8b1269d9c..5421596f11 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md
@@ -1,5 +1,5 @@
---
-title: Windows Defender Antivirus compatibility with Microsoft Defender ATP
+title: Microsoft Defender Antivirus compatibility with Microsoft Defender ATP
description: Learn about how Windows Defender works with Microsoft Defender ATP and how it functions when a third-party antimalware client is used.
keywords: windows defender compatibility, defender, windows defender atp
search.product: eADQiWindows 10XVcnh
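Review bot: the title is renamed to "Microsoft Defender Antivirus compatibility with Microsoft Defender ATP", but the description on the following line still reads "Learn about how Windows Defender works with Microsoft Defender ATP" and the keywords line still says "windows defender compatibility, defender, windows defender atp"; update the description to match the rename (keywords may reasonably keep the old name for search, but the description is user-visible in listings).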
@@ -18,7 +18,7 @@ ms.topic: conceptual
ms.date: 04/24/2018
---
-# Windows Defender Antivirus compatibility with Microsoft Defender ATP
+# Microsoft Defender Antivirus compatibility with Microsoft Defender ATP
**Applies to:**
@@ -30,17 +30,17 @@ ms.date: 04/24/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-defendercompat-abovefoldlink)
-The Microsoft Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning.
+The Microsoft Defender Advanced Threat Protection agent depends on Microsoft Defender Antivirus for some capabilities such as file scanning.
>[!IMPORTANT]
->Microsoft Defender ATP does not adhere to the Windows Defender Antivirus Exclusions settings.
+>Microsoft Defender ATP does not adhere to the Microsoft Defender Antivirus Exclusions settings.
-You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
+You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
-If an onboarded machine is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
+If an onboarded machine is protected by a third-party antimalware client, Microsoft Defender Antivirus on that endpoint will enter into passive mode.
-Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
+Microsoft Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
-The Windows Defender Antivirus interface will be disabled, and users on the machine will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options.
+The Microsoft Defender Antivirus interface will be disabled, and users on the machine will not be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options.
-For more information, see the [Windows Defender Antivirus and Microsoft Defender ATP compatibility topic](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+For more information, see the [Microsoft Defender Antivirus and Microsoft Defender ATP compatibility topic](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
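Review bot: the rename rewrites the line "the *mspeng.exe* process will be listed as a running a service" but carries the pre-existing typo ("as a running a service") into the `+` version; since the line is being replaced anyway, fix it to "listed as a running service". The same applies to "will enter into passive mode" on the line above, which reads better as "will enter passive mode".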
diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf
index 551d7a42e8..0b904a9ae6 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx
index b2bba2884e..1973043e7e 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
new file mode 100644
index 0000000000..af6a7cbb1e
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
@@ -0,0 +1,91 @@
+---
+title: Endpoint detection and response in block mode
+description: Learn about endpoint detection and response in block mode
+keywords: Microsoft Defender ATP, EDR in block mode, passive mode blocking
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+ms.reviewer: shwetaj
+audience: ITPro
+ms.topic: article
+ms.prod: w10
+ms.localizationpriority: medium
+ms.custom:
+- next-gen
+- edr
+ms.collection:
+---
+
+# Endpoint detection and response (EDR) in block mode
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## What is EDR in block mode?
+
+When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
+
+> [!NOTE]
+> EDR in block mode is currently in preview. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**.
+
+## What happens when something is detected?
+
+When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center).
+
+The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode:
+
+:::image type="content" source="images/edr-in-block-mode.jpg" alt-text="EDR in block mode detected something":::
+
+
+## Enable EDR in block mode
+
+> [!IMPORTANT]
+> Make sure the [requirements](#requirements-for-edr-in-block-mode) are met before turning on EDR in block mode.
+
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
+
+2. Choose **Settings** > **Advanced features**.
+
+3. Turn on **EDR in block mode**.
+
+> [!NOTE]
+> EDR in block mode can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode.
+
+## Requirements for EDR in block mode
+
+|Requirement |Details |
+|---------|---------|
+|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). |
+|Operating system |One of the following versions: - Windows 10 (all releases) - Windows Server 2016 or later |
+|Windows E5 enrollment |Windows E5 is included in the following subscriptions: - Microsoft 365 E5 - Microsoft 365 E3 together with the Identity & Threat Protection offering
See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
+|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled.
See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). |
+|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
+|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
+
+> [!IMPORTANT]
+> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features.
+
+
+## Frequently asked questions
+
+### Will EDR in block mode have any impact on a user's antivirus protection?
+
+No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
+
+### Why do I need to keep Microsoft Defender Antivirus up to date?
+
+Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest machine learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date.
+
+### Why do we need cloud protection on?
+
+Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and machine learning models.
+
+## Related articles
+
+[Behavioral blocking and containment](behavioral-blocking-containment.md)
+
+[Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus)
+
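Review bot: the Requirements table rows for Operating system, Windows E5 enrollment and Cloud-delivered protection are broken across lines (the continuation lines beginning `See [Components]` and `See [Enable cloud-delivered protection]` do not even carry the `+` diff prefix), and a Markdown table row has to sit on one line, so join them; the inline pseudo-list `- Windows 10 (all releases) - Windows Server 2016 or later` will not render as a list inside a cell either, so separate the items with `<br>`. Two content points: the table gives minimum AV client and engine versions but never states that Microsoft Defender Antivirus must be installed and not disabled on the device, which the FAQ answer about passive mode assumes, so say that explicitly; and the two `Get-MpComputerStatus` rows can be one check, `Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion`, against the same minimum versions.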
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index 655d13f73e..2506f2934b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -1,5 +1,5 @@
---
-title: Enable ASR rules individually to protect your organization
+title: Enable attack surface reduction rules individually to protect your organization
description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques.
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on
search.product: eADQiWindows 10XVcnh
@@ -12,30 +12,37 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/13/2019
+ms.date: 06/04/2020
ms.reviewer:
manager: dansimp
---
# Enable attack surface reduction rules
-[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuse to compromise devices and networks. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
+[Attack surface reduction rules](attack-surface-reduction.md) (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. You can set ASR rules for devices running any of the following editions and versions of Windows:
+- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-Each ASR rule contains three settings:
+Each ASR rule contains one of three settings:
-* Not configured: Disable the ASR rule
-* Block: Enable the ASR rule
-* Audit: Evaluate how the ASR rule would impact your organization if enabled
+- Not configured: Disable the ASR rule
+- Block: Enable the ASR rule
+- Audit: Evaluate how the ASR rule would impact your organization if enabled
-To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
+To use ASR rules, you must have either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
+
+> [!TIP]
+> To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
You can enable attack surface reduction rules by using any of these methods:
-* [Microsoft Intune](#intune)
-* [Mobile Device Management (MDM)](#mdm)
-* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
-* [Group Policy](#group-policy)
-* [PowerShell](#powershell)
+- [Microsoft Intune](#intune)
+- [Mobile Device Management (MDM)](#mdm)
+- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
+- [Group Policy](#group-policy)
+- [PowerShell](#powershell)
Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
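Review bot: the new edition list names Windows 10 Pro, but the licensing paragraph a few lines later says `you must have either a Windows 10 Enterprise E3 or E5 license`; as written the two contradict each other. Either qualify the Pro bullet or reword the license sentence so a reader knows whether a Pro device can enforce the rules at all, and whether E3/E5 is a licensing condition or a technical gate. Minor wording: `Each ASR rule contains one of three settings` reads better as `Each ASR rule can be set to one of three states`, matching the `Not configured`/`Block`/`Audit` bullets that follow.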
@@ -43,20 +50,16 @@ Enterprise-level management such as Intune or Microsoft Endpoint Configuration M
You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
-> [!WARNING]
-> Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
->
-> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
+You can also exclude ASR rules from triggering based on certificate and file hashes by allowing specified Microsoft Defender ATP file and certificate indicators. (See [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).)
> [!IMPORTANT]
-> File and folder exclusions do not apply to the following ASR rules:
->
-> * Block process creations originating from PSExec and WMI commands
-> * Block JavaScript or VBScript from launching downloaded executable content
+> Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
+> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
+
You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
-ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
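Review bot: dropping the Important note that file and folder exclusions do not apply to `Block process creations originating from PSExec and WMI commands` and `Block JavaScript or VBScript from launching downloaded executable content` removes a functional caveat, not a style issue; an admin who adds an exclusion expecting it to cover those two rules will see unexplained blocks. Keep that note unless the behavior changed, and if it changed say so. The downgrade of the exclusions Warning to Important also weakens the one place the article tells readers that excluded files run with no report or event recorded; keep it a Warning. The new sentence on certificate and file indicators should say which indicator action is meant (allow) and should probably go after the warning rather than between it and the paragraph it replaced, since it is a second exclusion mechanism with the same blind-spot consequences.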
@@ -66,9 +69,9 @@ The following procedures for enabling ASR rules include instructions for how to
2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
-3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
+3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:
- *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path*
+ `C:\folder`, `%ProgramFiles%\folder\file`, `C:\path`
4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
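Review bot: the CSV format line `C:\folder`, `%ProgramFiles%\folder\file`, `C:\path` is ambiguous about whether one line carries one exclusion or several comma-separated entries; since the sentence says `Each line in the CSV file should be formatted as follows`, show one path per line or state explicitly that several entries may share a line, and say whether the environment variables and wildcards described earlier in the article are honored by the import.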
@@ -78,23 +81,23 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https
The following is a sample for reference, using [GUID values for ASR rules](attack-surface-reduction.md#attack-surface-reduction-rules).
-OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
+`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules`
-Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
+`Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1`
The values to enable, disable, or enable in audit mode are:
-* Disable = 0
-* Block (enable ASR rule) = 1
-* Audit = 2
+- Disable = 0
+- Block (enable ASR rule) = 1
+- Audit = 2
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
Example:
-OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
+`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions`
-Value: c:\path|e:\path|c:\Whitelisted.exe
+`Value: c:\path|e:\path|c:\Whitelisted.exe`
> [!NOTE]
> Be sure to enter OMA-URI values without spaces.
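Review bot: wrapping the whole `OMA-URI path: ...` and `Value: ...` lines in backticks puts the labels inside the code span, so a copy-paste into the Intune custom OMA-URI field picks up `Value: ` along with the value, which is exactly the kind of stray text the note `Be sure to enter OMA-URI values without spaces` is warning about; put only the path and the value in code. The sample value also mixes case in `{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}`; normalize it to uppercase like the other GUIDs. The exclusion sample `c:\Whitelisted.exe` is a good place to repeat that the exclusions warning applies to this CSP as well.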
@@ -102,11 +105,16 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
## Microsoft Endpoint Configuration Manager
1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-1. Click **Home** > **Create Exploit Guard Policy**.
-1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
-1. Choose which rules will block or audit actions and click **Next**.
-1. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**.
+
+2. Click **Home** > **Create Exploit Guard Policy**.
+
+3. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
+
+4. Choose which rules will block or audit actions and click **Next**.
+
+5. Review the settings and click **Next** to create the policy.
+
+6. After the policy is created, click **Close**.
## Group Policy
@@ -117,24 +125,27 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
-4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section:
+4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section.
- * Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
+ Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
- * Disable = 0
- * Block (enable ASR rule) = 1
- * Audit = 2
+ - Disable = 0
+ - Block (enable ASR rule) = 1
+ - Audit = 2
- 
+ 
5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
+> [!WARNING]
+> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
+
## PowerShell
->[!WARNING]
->If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
+> [!WARNING]
+> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**.
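Review bot: the image line under step 4 appears as both removed and re-added with no visible difference, which suggests a whitespace-only change; confirm it is intentional or drop it from the hunk. The new Warning about quotes is the useful part of this hunk, and it would help to say what the observable symptom is when quotes are used (is the rule ID or path ignored without an error?), so a reader can recognize the misconfiguration rather than just avoid it.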
@@ -165,11 +176,11 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
> Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
> ```
- You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list.
+ You can also use the `Add-MpPreference` PowerShell verb to add new rules to the existing list.
> [!WARNING]
> `Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead.
- > You can obtain a list of rules and their current state by using `Get-MpPreference`
+ > You can obtain a list of rules and their current state by using `Get-MpPreference`.
3. To exclude files and folders from ASR rules, use the following cmdlet:
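Review bot: the note `You can obtain a list of rules and their current state by using Get-MpPreference` should name the properties, since the cmdlet returns dozens: `Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions` returns two parallel arrays that the reader must match by index, the same ordering the `Set-MpPreference` example above relies on. The placeholder `,,,` in `Set-MpPreference -AttackSurfaceReductionRules_Ids ,,,` is not valid PowerShell; use `<rule ID 1>,<rule ID 2>,...` or real GUIDs from the rules table so the sample runs as written.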
@@ -182,9 +193,11 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
> [!IMPORTANT]
> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
-## Related topics
+## Related articles
+
+- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+
+- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
+
+- [Attack surface reduction FAQ](attack-surface-reduction.md)
-* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
-* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
-* [Attack surface reduction FAQ](attack-surface-reduction.md)
-* [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
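Review bot: `Attack surface reduction FAQ` and `Reduce attack surfaces with attack surface reduction rules` both link to `attack-surface-reduction.md`; point the FAQ entry at its own page or section anchor, or drop it. Removing the `Enable cloud-delivered protection` bullet is correct since it pointed at the file-exclusions article, but if cloud-delivered protection is still a prerequisite for any rule, link the right article instead of dropping the topic.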
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
index f78270d508..61cf625503 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
@@ -38,10 +38,10 @@ You can enable controlled folder access by using any of these methods:
Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
-* Windows Defender Antivirus **Configure local administrator merge behavior for lists**
+* Microsoft Defender Antivirus **Configure local administrator merge behavior for lists**
* System Center Endpoint Protection **Allow users to add exclusions and overrides**
-For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
+For more information about disabling local list merging, see [Prevent or allow users to locally modify Microsoft Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
## Windows Security app
@@ -95,7 +95,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
* **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
index db54d852de..298ace459d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
@@ -17,24 +17,56 @@ audience: ITPro
manager: dansimp
---
-# Enable network protection
+# Turning on network protection
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
-You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it.
+You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it.
+
+## Check if network protection is enabled
+
+You can see if network protection has been enabled on a local device by using Registry editor.
+
+1. Select the **Start** button in the task bar and type **regedit** to open Registry editor
+1. Choose **HKEY_LOCAL_MACHINE** from the side menu
+1. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** **Windows Defender** > **Policy Manager**
+1. Select **EnableNetworkProtection** to see the current state of network protection on the device
+
+ * 0, or **Off**
+ * 1, or **On**
+ * 2, or **Audit** mode
+
+## Enable network protection
You can enable network protection by using any of these methods:
+* [PowerShell](#powershell)
* [Microsoft Intune](#intune)
* [Mobile Device Management (MDM)](#mdm)
* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
* [Group Policy](#group-policy)
-* [PowerShell](#powershell)
-## Intune
+### PowerShell
+
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+ ```PowerShell
+ Set-MpPreference -EnableNetworkProtection Enabled
+ ```
+
+You can enable the feature in audit mode using the following cmdlet:
+
+```PowerShell
+Set-MpPreference -EnableNetworkProtection AuditMode
+```
+
+Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off.
+
+### Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
1. Click **Device configuration** > **Profiles** > **Create profile**.
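Review bot: in the new `Check if network protection is enabled` section the registry path is missing the `>` between **Microsoft** and **Windows Defender**, and `Policy Manager` is the key that policy-delivered (MDM/CSP) settings land in, so say whether a value set locally with `Set-MpPreference` shows up there at all; `Get-MpPreference | Select-Object EnableNetworkProtection` reports the effective state (0 = Disabled, 1 = Enabled, 2 = AuditMode) regardless of how it was applied and is the safer check to document. The retitle to `Turning on network protection` breaks the `Enable ...` naming used by the sibling articles in this PR and by the `## Enable network protection` H2 in the same file; keep `Enable network protection`. Moving PowerShell to the top of the method list also sits oddly with the warning in the ASR article that Intune or Configuration Manager overwrite PowerShell settings on startup; leave it last, as it was, or carry that warning into this section.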
@@ -45,7 +77,7 @@ You can enable network protection by using any of these methods:
1. Click **OK** to save each open blade and click **Create**.
1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
-## MDM
+### MDM
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode.
@@ -58,19 +90,19 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d
1. Review the settings and click **Next** to create the policy.
1. After the policy is created, click **Close**.
-## Group Policy
+### Group Policy
You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer.
1. On a standalone computer, click **Start**, type and then click **Edit group policy**.
- -Or-
+ *-Or-*
On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following:
* **Block** - Users will not be able to access malicious IP addresses and domains
@@ -89,23 +121,6 @@ You can confirm network protection is enabled on a local computer by using Regis
* 1=On
* 2=Audit
-## PowerShell
-
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
-2. Enter the following cmdlet:
-
- ```PowerShell
- Set-MpPreference -EnableNetworkProtection Enabled
- ```
-
-You can enable the feature in audit mode using the following cmdlet:
-
-```PowerShell
-Set-MpPreference -EnableNetworkProtection AuditMode
-```
-
-Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off.
-
## Related topics
* [Network protection](network-protection.md)
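Review bot: with the PowerShell section moved up, the context lines that remain here (`You can confirm network protection is enabled on a local computer by using Regis...`, `1=On`, `2=Audit`) now duplicate the `Check if network protection is enabled` section added at the top of the file; keep one copy, and if this one stays, turn the new section into a link to it.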
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
index a003bd5a09..382f789aa7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
@@ -27,9 +27,10 @@ ms.topic: article
Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API.
->[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>[!NOTE]
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
## Prerequisites
- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role.
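Review bot: `contain a detailed list` should be `contains a detailed list`, and the unchanged bullet above, `is composed from the suspicious event occurred on the Machine`, needs `that occurred` and a lowercase `machine`. The new bullet should also say whether the detections REST API this article configures is superseded by the Alert API, since a reader choosing between the two needs that to decide which to integrate.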
@@ -67,13 +68,14 @@ Enable security information and event management (SIEM) integration so you can p
> [!NOTE]
> You'll need to generate a new Refresh token every 90 days.
+6. Follow the instructions for [creating an Azure AD app registration for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) and assign the correct permissions to it to read alerts.
+
You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center.
## Integrate Microsoft Defender ATP with IBM QRadar
You can configure IBM QRadar to collect detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
## Related topics
-- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
- [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
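Review bot: step 6 reads as a continuation of the SIEM wizard steps, but the wizard in steps 1 through 5 already yields the tokens the SIEM connector uses; say whether the app registration is an alternative path for the Alert API or an additional requirement, and name the permission instead of `the correct permissions` (`Alert.Read.All` on the WindowsDefenderATP API is the read-only one). Dropping the Splunk link from Related topics with nothing in the hunk explaining it looks accidental; if the Splunk article is being retired, say so.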
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
index d548e9bede..bbcbd77dcc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
@@ -34,14 +34,14 @@ These capabilities help prevent attacks and exploitations from infecting your or
- [Evaluate exploit protection](./evaluate-exploit-protection.md)
- [Evaluate network protection](./evaluate-exploit-protection.md)
- [Evaluate controlled folder access](./evaluate-controlled-folder-access.md)
-- [Evaluate application guard](../windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+- [Evaluate application guard](../microsoft-defender-application-guard/test-scenarios-md-app-guard.md)
- [Evaluate network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
## Evaluate next generation protection
Next gen protections help detect and block the latest threats.
-- [Evaluate antivirus](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
+- [Evaluate antivirus](../microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md)
## See Also
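Review bot: the unchanged line `- [Evaluate network protection](./evaluate-exploit-protection.md)` points at the exploit protection article; since this PR edits the list anyway, fix it to `./evaluate-network-protection.md`, the file the network protection article in this same PR already links to.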
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
index 70a03c74e5..a77a399d92 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 04/02/2019
+ms.date: 05/20/2020
ms.reviewer:
manager: dansimp
---
@@ -23,7 +23,11 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
+Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
+- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Learn how to evaluate attack surface reduction rules, by enabling audit mode to test the feature directly in your organization.
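Review bot: the rewritten support list at `+- Windows 10 Pro, [version 1709]...` and `+- Windows 10 Enterprise, [version 1709]...` narrows the removed sentence's "Windows 10, versions 1709 and 1803 or later" to two editions; confirm that other Windows 10 editions are intentionally excluded, or add them, so the new list does not read as a support regression. Minor, in the unchanged context: "Learn how to evaluate attack surface reduction rules, by enabling audit mode" has a misplaced comma.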
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
index da28a46770..1d9da1a791 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
@@ -58,6 +58,9 @@ Event ID | Description
1124 | Audited controlled folder access event
1123 | Blocked controlled folder access event
+> [!TIP]
+> You can configure a [Windows Event Forwarding subscription](https://docs.microsoft.com/windows/win32/wec/setting-up-a-source-initiated-subscription) to collect the logs centrally.
+
## Customize protected folders and apps
During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
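Review bot: the added tip at `+> You can configure a [Windows Event Forwarding subscription]... to collect the logs centrally.` says "the logs" without saying which; since the table directly above defines the relevant events (1124 audited, 1123 blocked), tie the tip to them, e.g. "to collect controlled folder access events 1123 and 1124 from your evaluation machines centrally", so a reader knows what to put in the subscription.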
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index 702d9e6c4e..4685d38d83 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -23,36 +23,47 @@ ms.topic: article
Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
-The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
+The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
-When you get started with the lab, you'll be guided through a simple set-up process where you can specify the type of configuration that best suits your needs.
-
-After the lab setup process is complete, you can add Windows 10 or Windows Server 2019 machines. These test machines come pre-configured to have the latest and greatest OS versions with the right security components in place and Office 2019 Standard installed.
+>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUM]
With the simplified set-up experience, you can focus on running your own test scenarios and the pre-made simulations to see how Microsoft Defender ATP performs.
-You'll have full access to all the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP offers.
+You'll have full access to the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP offers.
+
+You can add Windows 10 or Windows Server 2019 machines that come pre-configured to have the latest OS versions and the right security components in place as well as Office 2019 Standard installed.
+
+You can also install threat simulators. Microsoft Defender ATP has partnered with industry leading threat simulation platforms to help you test out the Microsoft Defender ATP capabilities without having to leave the portal.
+
+ Install your preferred simulator, run scenarios within the evaluation lab, and instantly see how the platform performs - all conveniently available at no extra cost to you. You'll also have convenient access to wide array of simulations which you can access and run from the simulations catalog.
+
## Before you begin
You'll need to fulfill the [licensing requirements](minimum-requirements.md#licensing-requirements) or have trial access to Microsoft Defender ATP to access the evaluation lab.
+You must have **Manage security settings** permissions to:
+- Create the lab
+- Create machines
+- Reset password
+- Create simulations
+
+For more information, see [Create and manage roles](user-roles.md).
+
Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink)
+
## Get started with the lab
You can access the lab from the menu. In the navigation menu, select **Evaluation and tutorials > Evaluation lab**.

-When you access the evaluation lab for the first time, you'll find an introduction page with a link to the evaluation guide. The guide contains tips and recommendations to keep in mind when evaluating an advanced threat protection product.
-
-It's a good idea to read the guide before starting the evaluation process so that you can conduct a thorough assessment of the platform.
-
>[!NOTE]
>- Each environment is provisioned with a limited set of test machines.
>- Depending the type of environment structure you select, machines will be available for the specified number of hours from the day of activation.
>- When you've used up the provisioned machines, no new machines are provided. A deleted machine does not refresh the available test machine count.
>- Given the limited resources, it’s advisable to use the machines carefully.
+Already have a lab? Make sure to enable the new threat simulators and have active machines.
## Setup the evaluation lab
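Review bot: the new paragraph at `+ Install your preferred simulator, run scenarios within the evaluation lab...` has a stray leading space and is missing an article ("access to a wide array of simulations"); "all conveniently available at no extra cost to you" reads as marketing and can be trimmed. The added line `+Already have a lab? Make sure to enable the new threat simulators and have active machines.` directly follows the `>[!NOTE]` block with no blank line, so it may render as a continuation of the note; add a blank line. While here, the unchanged context "Depending the type of environment structure" should be "Depending on the type", and the heading "Setup the evaluation lab" should be "Set up the evaluation lab".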
@@ -60,32 +71,52 @@ It's a good idea to read the guide before starting the evaluation process so tha

-2. Depending on your evaluation needs, you can choose to setup an environment with fewer machines for a longer period or more machines for a shorter period. Select your preferred lab configuration then select **Create lab**.
+2. Depending on your evaluation needs, you can choose to setup an environment with fewer machines for a longer period or more machines for a shorter period. Select your preferred lab configuration then select **Next**.
- 
+ 
+
+
+3. (Optional) You can choose to install threat simulators in the lab.
+
+ 
+
+ >[!IMPORTANT]
+ >You'll first need to accept and provide consent to the terms and information sharing statements.
+
+4. Select the threat simulation agent you'd like to use and enter your details. You can also choose to install threat simulators at a later time. If you choose to install threat simulation agents during the lab setup, you'll enjoy the benefit of having them conveniently installed on the machines you add.
+
+ 
+
+5. Review the summary and select **Setup lab**.
+
+After the lab setup process is complete, you can add machines and run simulations.
-When the environment completes the setup process, you're ready to add machines.
## Add machines
When you add a machine to your environment, Microsoft Defender ATP sets up a well-configured machine with connection details. You can add Windows 10 or Windows Server 2019 machines.
The machine will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals.
+ >[!TIP]
+ > Need more machines in your lab? Submit a support ticket to have your request reviewed by the Microsoft Defender ATP team.
+
+If you chose to add a threat simulator during the lab setup, all machines will have the threat simulator agent installed in the machines that you add.
+
The machine will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side.
The following security components are pre-configured in the test machines:
- [Attack Surface Reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
-- [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
+- [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus)
- [Controlled Folder Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)
- [Exploit Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection)
- [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)
-- [Potentially unwanted application detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus)
-- [Cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)
+- [Potentially unwanted application detection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)
+- [Cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus)
- [Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview)
>[!NOTE]
-> Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+> Microsoft Defender Antivirus will be on (not in audit). If Microsoft Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus).
Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated by default. For more information, see [Overview of Automated investigations](automated-investigations.md).
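Review bot: the added sentence `+If you chose to add a threat simulator during the lab setup, all machines will have the threat simulator agent installed in the machines that you add.` is redundant ("all machines ... in the machines"); suggest "the threat simulator agent is installed on every machine you add". The added `>[!TIP]` block is indented by one space, unlike the other alert blocks in this file. Unchanged context typo: "SysIntenals" should be "Sysinternals". The updated note still tells the reader they may turn off real-time protection to run a simulation; consider adding that it should be turned back on afterwards so the rest of the evaluation reflects the default configuration.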
@@ -94,9 +125,6 @@ Automated investigation settings will be dependent on tenant settings. It will b
1. From the dashboard, select **Add machine**.
- 
-
-
2. Choose the type of machine to add. You can choose to add Windows 10 or Windows Server 2019.

@@ -114,20 +142,31 @@ Automated investigation settings will be dependent on tenant settings. It will b
4. Machine set up begins. This can take up to approximately 30 minutes.
-The environment will reflect your test machine status through the evaluation - including risk score, exposure score, and alerts created through the simulation.
+5. See the status of test machines, the risk and exposure levels, and the status of simulator installations by selecting the **Machines** tab.
+
+ 
+
+
+ >[!TIP]
+ >In the **Simulator status** column, you can hover over the information icon to know the installation status of an agent.
-
## Simulate attack scenarios
-Use the test machines to run attack simulations by connecting to them.
+Use the test machines to run your own attack simulations by connecting to them.
-If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials). These scripts are safe, documented, and easy to use. These scenarios will reflect Microsoft Defender ATP capabilities and walk you through investigation experience.
+You can simulate attack scenarios using:
+- The ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials)
+- Threat simulators
You can also use [Advanced hunting](advanced-hunting-query-language.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats.
-> [!NOTE]
-> The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
+### Do-it-yourself attack scenarios
+If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials). These scripts are safe, documented, and easy to use. These scenarios will reflect Microsoft Defender ATP capabilities and walk you through investigation experience.
+
+
+>[!NOTE]
+>The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
1. Connect to your machine and run an attack simulation by selecting **Connect**.
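Review bot: the moved paragraph `+If you are looking for a pre-made simulation, ...` keeps the missing article in "walk you through investigation experience" (should be "the investigation experience"); since the line is touched anyway, fix it here. In the added tip, "hover over the information icon to know the installation status" reads better as "to see the installation status". The RDP note now sits under "Do-it-yourself attack scenarios" only, which is fine if threat-simulator scenarios are launched from the portal, but the line `+Use the test machines to run your own attack simulations by connecting to them.` above the new list still implies connecting for every scenario type; reword it so the two scenario types are clearly distinguished.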
@@ -146,20 +185,70 @@ You can also use [Advanced hunting](advanced-hunting-query-language.md) to query

-4. Run simulations on the machine.
+4. Run Do-it-yourself attack simulations on the machine.
+
+
+### Threat simulator scenarios
+If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab machines.
+
+
+Running threat simulations using third-party platforms is a good way to evaluate Microsoft Defender ATP capabilities within the confines of a lab environment.
+
+>[!NOTE]
+>Before you can run simulations, ensure the following requirements are met:
+>- Machines must be added to the evaluation lab
+>- Threat simulators must be installed in the evaluation lab
+
+1. From the portal select **Create simulation**.
+
+2. Select a threat simulator.
+
+ 
+
+3. Choose a simulation or look through the simulation gallery to browse through the available simulations.
+
+ You can get to the simulation gallery from:
+ - The main evaluation dashboard in the **Simulations overview** tile or
+ - By navigating from the navigation pane **Evaluation and tutorials** > **Simulation & tutorials**, then select **Simulations catalog**.
+
+4. Select the devices where you'd like to run the simulation on.
+
+5. Select **Create simulation**.
+
+6. View the progress of a simulation by selecting the **Simulations** tab. View the simulation state, active alerts, and other details.
+
+ 
+
+After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender ATP features. See if the attack simulations you ran triggered an automated investigation and remediation, check out the evidence collected and analyzed by the feature.
-After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender ATP features. See if your attacks triggered an automated investigation and remediation, check out the evidence collected and analyzed by the feature.
Hunt for attack evidence through advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics.
-## Simulation results
-Get a full overview of the simulation results, all in one place, allowing you to drill down to the relevant pages with every detail you need.
+## Simulation gallery
+Microsoft Defender ATP has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal.
-View the machine details page by selecting the machine from the table. You'll be able to drill down on relevant alerts and investigations by exploring the rich context provided on the attack simulation.
+View all the available simulations by going to **Simulations and tutorials** > **Simulations catalog** from the menu.
-### Evaluation report
+
+A list of supported third-party threat simulation agents are listed, and specific types of simulations along with detailed descriptions are provided on the catalog.
+
+You can conveniently run any available simulation right from the catalog.
+
+
+
+
+Each simulation comes with an in-depth description of the attack scenario and references such as the MITRE attack techniques used and sample Advanced hunting queries you run.
+
+**Examples:**
+
+
+
+
+
+
+## Evaluation report
The lab reports summarize the results of the simulations conducted on the machines.
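Review bot: doubled preposition in `+Microsoft Defender ATP has partnered with various threat simulation platforms ... right from the within the portal.`; drop "the" ("right from within the portal"). Same hunk: `+4. Select the devices where you'd like to run the simulation on.` should be "Select the devices on which you'd like to run the simulation"; `+A list of supported third-party threat simulation agents are listed, ...` is redundant and has a number-agreement error ("The supported third-party threat simulation agents are listed, ..."); `+...sample Advanced hunting queries you run.` should be "queries that you can run". The `+**Examples:**` heading is followed only by blank lines, so either the example images were dropped from the diff or the heading is empty; confirm before merge.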

@@ -172,6 +261,7 @@ At a glance, you'll quickly be able to see:
- Detection sources
- Automated investigations
+
## Provide feedback
Your feedback helps us get better in protecting your environment from advanced attacks. Share your experience and impressions from product capabilities and evaluation results.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
index 2fe02c746b..aa9e94343c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
@@ -157,7 +157,7 @@ The service could not contact the external processing servers at that URL.
17
Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable.
An error occurred with the Windows telemetry service.
@@ -220,8 +220,8 @@ See Onboard Windows 10 machines
Ensure real-time antimalware protection is running properly.
@@ -249,7 +249,7 @@ If the identifier does not persist, the same machine might appear twice in the p
34
Microsoft Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: variable.
An error occurred with the Windows telemetry service.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
index cb90cee7fe..4b26c6d836 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
@@ -1,7 +1,7 @@
---
title: OData queries with Microsoft Defender ATP
ms.reviewer:
-description: OData queries with Microsoft Defender ATP
+description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender ATP
keywords: apis, supported apis, odata, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -35,7 +35,7 @@ Not all properties are filterable.
### Example 1
-- Get all the machines with the tag 'ExampleTag'
+Get all the machines with the tag 'ExampleTag'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
@@ -76,7 +76,7 @@ Content-type: application/json
### Example 2
-- Get all the alerts that created after 2018-10-20 00:00:00
+Get all the alerts that created after 2018-10-20 00:00:00
```
HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime+gt+2018-11-22T00:00:00Z
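Review bot: the description `+Get all the alerts that created after 2018-10-20 00:00:00` does not match the request below it, which filters on `alertCreationTime+gt+2018-11-22T00:00:00Z`; use the same date in both. Grammar: "alerts that were created after".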
@@ -126,7 +126,7 @@ Content-type: application/json
### Example 3
-- Get all the machines with 'High' 'RiskScore'
+Get all the machines with 'High' 'RiskScore'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+eq+'High'
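Review bot: `+Get all the machines with 'High' 'RiskScore'` reads awkwardly; suggest "Get all the machines whose RiskScore is 'High'", matching the `riskScore+eq+'High'` filter below.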
@@ -167,7 +167,7 @@ Content-type: application/json
### Example 4
-- Get top 100 machines with 'HealthStatus' not equals to 'Active'
+Get top 100 machines with 'HealthStatus' not equals to 'Active'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100
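Review bot: `+Get top 100 machines with 'HealthStatus' not equals to 'Active'` should read "not equal to"; suggest "Get the top 100 machines whose HealthStatus is not equal to 'Active'".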
@@ -208,7 +208,7 @@ Content-type: application/json
### Example 5
-- Get all the machines that last seen after 2018-10-20
+Get all the machines that last seen after 2018-10-20
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z
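Review bot: `+Get all the machines that last seen after 2018-10-20` does not match the query, which uses `lastSeen gt 2018-08-01Z`; pick one date for both. Grammar: "machines that were last seen after".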
@@ -249,7 +249,7 @@ Content-type: application/json
### Example 6
-- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP
+Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP
```
HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan'
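Review bot: `+Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created ...` names a different user than the request, which filters on `requestor eq 'Analyst@contoso.com'`; use the same placeholder address in the description and the query.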
@@ -283,7 +283,7 @@ Content-type: application/json
### Example 7
-- Get the count of open alerts for a specific machine:
+Get the count of open alerts for a specific machine:
```
HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'
diff --git a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
new file mode 100644
index 0000000000..7f62a2a426
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
@@ -0,0 +1,58 @@
+---
+title: Feedback-loop blocking
+description: Feedback-loop blocking, also called rapid protection, is part of behavioral blocking and containment capabilities in Microsoft Defender ATP
+keywords: behavioral blocking, rapid protection, feedback blocking, Microsoft Defender ATP
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+ms.reviewer: shwetaj
+audience: ITPro
+ms.topic: article
+ms.prod: w10
+ms.localizationpriority: medium
+ms.custom:
+- next-gen
+- edr
+ms.collection:
+---
+
+# Feedback-loop blocking
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Overview
+
+Feedback-loop blocking, also referred to as rapid protection, is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/). With feedback-loop blocking, devices across your organization are better protected from attacks.
+
+## How feedback-loop blocking works
+
+When a suspicious behavior or file is detected, such as by [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10), information about that artifact is sent to multiple classifiers. The rapid protection loop engine inspects and correlates the information with other signals to arrive at a decision as to whether to block a file. Checking and classifying artifacts happens quickly. It results in rapid blocking of confirmed malware, and drives protection across the entire ecosystem.
+
+With rapid protection in place, an attack can be stopped on a device, other devices in the organization, and devices in other organizations, as an attack attempts to broaden its foothold.
+
+
+## Configuring feedback-loop blocking
+
+If your organization is using Microsoft Defender ATP, feedback-loop blocking is enabled by default. However, rapid protection occurs through a combination of Microsoft Defender ATP capabilities, machine learning protection features, and signal-sharing across Microsoft security services. Make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured:
+
+- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)
+
+- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure)
+
+- [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode)
+
+- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+
+- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) (antivirus)
+
+## Related articles
+
+- [Behavioral blocking and containment](behavioral-blocking-containment.md)
+
+- [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/)
+
+- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources)
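Review bot: `+ms.collection:` in the front matter has no value while `+ms.custom:` does; either give it a value or remove the key so the metadata is not published with an empty field. In "Configuring feedback-loop blocking" the text says the feature is enabled by default and then lists five items to "make sure" are enabled; state which of these are prerequisites for rapid protection and which only widen its coverage, since as written a reader cannot tell whether a device lacking, say, EDR in block mode still gets feedback-loop blocking. The two consecutive blank lines before `+## Configuring feedback-loop blocking` can be collapsed to one.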
diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
index d34f5a6332..5c7423def3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
@@ -82,8 +82,8 @@ Follow theses actions to correct known issues related to a misconfigured machine
- [Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostics-service-is-enabled)
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint.
-- [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
-If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
+- [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)
+If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
If you took corrective actions and the machine status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
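Review bot: the hunk header context "Follow theses actions to correct known issues" carries a typo ("these"); since this file is being edited, fix it in the same change. The renamed anchor in `+- [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)` only resolves if the heading in troubleshoot-onboarding.md was renamed the same way; check that file is updated in this PR.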
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
index bfafa218ea..6546ddbb9b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
@@ -1,6 +1,6 @@
---
title: Get alert related domains information
-description: Retrieves all domains related to a specific alert.
+description: Retrieve all domains related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get alert information, alert information, related domain
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
index 89838eb90d..eb293e3f1c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
@@ -1,6 +1,6 @@
---
title: Get alert related files information
-description: Retrieves all files related to a specific alert.
+description: Retrieve all files related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get alert information, alert information, related files
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -97,7 +97,7 @@ Content-type: application/json
"fileType": null,
"isPeFile": true,
"filePublisher": "Microsoft Corporation",
- "fileProductName": "Microsoft Windows Operating System",
+ "fileProductName": "Microsoft� Windows� Operating System",
"signer": "Microsoft Corporation",
"issuer": "Microsoft Code Signing PCA",
"signerHash": "9dc17888b5cfad98b3cb35c1994e96227f061675",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
index f012975e19..76f0026262 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
@@ -1,6 +1,6 @@
---
title: Get alert related IPs information
-description: Retrieves all IPs related to a specific alert.
+description: Retrieve all IPs related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get alert information, alert information, related ip
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
index be84e2c9ca..b9deda47b1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
@@ -1,6 +1,6 @@
---
title: Get alert related machine information
-description: Retrieves all machines related to a specific alert.
+description: Retrieve all machines related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get alert information, alert information, related machine
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
index 33337c0f38..f150156c0e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
@@ -26,7 +26,7 @@ ms.topic: article
## API description
Retrieves a collection of Alerts.
Supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's ```$filter``` query is supported on: ```alertCreationTime```, ```incidentId```, ```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
+ The OData's ```$filter``` query is supported on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
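Review bot: the added `$filter` line drops the space after the comma between ```incidentId``` and ```InvestigationId```, so the two property names will render run together; restore it as ```incidentId```, ```InvestigationId```. While touching this line, note that `InvestigationId` is the only property in the list that is not camelCase, which looks like a typo next to `incidentId`, `alertCreationTime` and `lastUpdateTime`; check it against the Alert resource type before merging. "The OData's ```$filter``` query" would also read better as "The OData ```$filter``` query".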
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
index c0088b91f6..3313e63989 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
@@ -1,6 +1,6 @@
---
title: Get IP related alerts API
-description: Retrieves a collection of alerts related to a given IP address.
+description: Retrieve a collection of alerts related to a given IP address using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get, ip, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
index 9bc08c2680..5d0c64e02c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
@@ -1,6 +1,6 @@
---
title: Get IP statistics API
-description: Retrieves the prevalence for the given IP.
+description: Get the latest stats for your IP using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
search.product: eADQiWindows 10XVcnh
ms.prod: w10
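Review bot: the new description changes what the API is documented to do. "Get the latest stats for your IP" reads as if the caller's own IP address is queried, whereas the removed line (and the `prevalence` keyword kept on the next line) describes prevalence for a caller-supplied IP. Suggest "Retrieve the prevalence for a given IP address using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)." so the SEO rewrite does not lose the meaning.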
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
index 55e74662e6..f922b6a35e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
@@ -1,6 +1,6 @@
---
title: Get KB collection API
-description: Retrieves a collection of KB's.
+description: Retrieve a collection of knowledge bases (KB's) and KB details with Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get, kb
search.product: eADQiWindows 10XVcnh
search.appverid: met150
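Review bot: "KB's" is a possessive form, not a plural; use "KBs". The expansion "knowledge bases" added in the same line is also worth checking: the `kb` keyword below refers to Microsoft Knowledge Base (KB) articles, the identifiers of individual updates, so "Knowledge Base (KB) articles" would be the accurate wording rather than "knowledge bases".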
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
index 59e1357d2e..6c8f358205 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
@@ -1,6 +1,6 @@
---
title: Get machine log on users API
-description: Retrieves a collection of logged on users.
+description: Retrieve a collection of logged on users on a specific machine using Microsoft Defender ATP APIs.
keywords: apis, graph api, supported apis, get, machine, log on, users
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -73,7 +73,7 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
```
-GET https://api.securitycenter.windows.com/api/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
+GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
```
**Response**
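Review bot: the path fix is correct; the old example omitted the `machines` resource segment, so the request as documented would not have matched the route described by the page. One style point while here: the fence opening this request block is untagged, so the example gets no syntax highlighting; tag it as an HTTP request block for consistency with the other request examples.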
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
index c9883c2e4a..08f5fff7d0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
@@ -1,6 +1,6 @@
---
title: List machineActions API
-description: Use this API to create calls related to get machineactions collection
+description: Use the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API to create calls related to get machineactions collection.
keywords: apis, graph api, supported apis, machineaction collection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
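Review bot: the rewritten description is still ungrammatical ("to create calls related to get machineactions collection"). Suggest "Use the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API to retrieve the collection of machineActions.", which also matches the casing used in the title "List machineActions API".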
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
index f5630c46c0..4fa6891d4f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
@@ -1,6 +1,6 @@
---
title: Get machines security states collection API
-description: Retrieves a collection of machines security states.
+description: Retrieve a collection of machine security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP.
keywords: apis, graph api, supported apis, get, machine, security, state
search.product: eADQiWindows 10XVcnh
search.appverid: met150
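Review bot: the new description is missing its closing parenthesis: "(Microsoft Defender ATP." should be "(Microsoft Defender ATP)."; every other description in this change closes the abbreviation, so this one will stand out in the rendered metadata.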
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
index 066146d158..04eec16b78 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
@@ -46,6 +46,14 @@ To have your company listed as a partner in the in-product partner page, you wil
3. Provide a 15-word product description.
4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Please note that any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. You should allow at least 10 days for review process to be performed.
5. If you use a multi-tenant Azure AD approach, we will need the AAD application name to track usage of the application.
+6. We'd like to request that you include the User-Agent field in each API call made to Microsoft Defender ATP public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).
+ Follow these steps:
+ 1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP integrated product with the version of the product that includes this integration.
+ - ISV Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}`
+ - Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{TenantID}`
+
+ 2. Set the User-Agent field in each HTTP request header to the name based on the above nomenclature.
+ For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0`
Partnership with Microsoft Defender ATP help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender ATP partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.
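Review bot: the RFC reference on the last added line points at RFC 2616 section 14.43, which has been obsoleted; the User-Agent header field is now defined in RFC 7231 section 5.5.3 (https://tools.ietf.org/html/rfc7231#section-5.5.3), and the product-token form `name/version` shown in the nomenclature is the one that RFC describes, so the link should be updated. On the same line, "For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0`" is appended directly after the RFC sentence; put the example on its own line so it renders as a separate statement and is not read as part of the reference. In sub-step 1, "Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP integrated product with the version of the product that includes this integration" is a run-on; "Choose a name that follows the nomenclature below: your company name, the integrated product name, and the product version that includes this integration." says the same thing more clearly.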
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
index 0eaec5311d..b2e2bce19f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
@@ -1,6 +1,6 @@
---
title: Get user related alerts API
-description: Retrieves a collection of alerts related to a given user ID.
+description: Retrieve a collection of alerts related to a given user ID using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get, user, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png b/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png
index 7635b49f3e..50aaff6186 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png and b/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/Artifactblockedjuicypotato.png b/windows/security/threat-protection/microsoft-defender-atp/images/Artifactblockedjuicypotato.png
new file mode 100644
index 0000000000..3baa36a30e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/Artifactblockedjuicypotato.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/NTLMalertjuicypotato.png b/windows/security/threat-protection/microsoft-defender-atp/images/NTLMalertjuicypotato.png
new file mode 100644
index 0000000000..0ecdbe5a2d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/NTLMalertjuicypotato.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-page.png
new file mode 100644
index 0000000000..eb5819123e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-initialaccessalert.png b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-initialaccessalert.png
new file mode 100644
index 0000000000..f02cd3b7c4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-initialaccessalert.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-processtree.png b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-processtree.png
new file mode 100644
index 0000000000..cc46690248
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-processtree.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/blocked-behav-alert.png b/windows/security/threat-protection/microsoft-defender-atp/images/blocked-behav-alert.png
new file mode 100644
index 0000000000..e9cb104a05
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/blocked-behav-alert.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png
new file mode 100644
index 0000000000..6712c06845
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/shadow-protection-detection.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode.jpg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/shadow-protection-detection.jpg
rename to windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode.jpg
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-setup.png
index fda12c1b95..2977a16c2d 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-setup.png and b/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-setup.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/install-agent.png b/windows/security/threat-protection/microsoft-defender-atp/images/install-agent.png
new file mode 100644
index 0000000000..c477df78f0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/install-agent.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/lab-creation-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/lab-creation-page.png
index 5f76ba9386..316e3e0700 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/lab-creation-page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/lab-creation-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/lab-setup-summary.png b/windows/security/threat-protection/microsoft-defender-atp/images/lab-setup-summary.png
new file mode 100644
index 0000000000..68c1dcf142
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/lab-setup-summary.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/machines-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/machines-tab.png
new file mode 100644
index 0000000000..4275f94ded
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/machines-tab.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-dashboard.png
new file mode 100644
index 0000000000..94df3bad5b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png
index 6d49c8b659..6118910639 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-next-gen-EDR-behavblockcontain.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-next-gen-EDR-behavblockcontain.png
new file mode 100644
index 0000000000..add1b5bd15
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-next-gen-EDR-behavblockcontain.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png
index 39b714cdd4..9a84e73ad0 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png
new file mode 100644
index 0000000000..a08711f23f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-1.png
new file mode 100644
index 0000000000..1e1e039268
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-10.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-10.png
new file mode 100644
index 0000000000..a03e0732c7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-10.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-11.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-11.png
new file mode 100644
index 0000000000..5d1d428e9c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-11.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-12.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-12.png
new file mode 100644
index 0000000000..ba0576849e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-12.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-13.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-13.png
new file mode 100644
index 0000000000..4854fa9f2f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-13.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-14.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-14.png
new file mode 100644
index 0000000000..3f1eb5d2b1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-14.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-15.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-15.png
new file mode 100644
index 0000000000..9a4fbebf8a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-15.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-16.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-16.png
new file mode 100644
index 0000000000..7928a984a4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-16.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-17.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-17.png
new file mode 100644
index 0000000000..1c81f3d4f0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-17.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-18.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-18.png
new file mode 100644
index 0000000000..86de17e266
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-18.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-19.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-19.png
new file mode 100644
index 0000000000..eb8b56ee9b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-19.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-2.png
new file mode 100644
index 0000000000..6754cafb4a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-20.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-20.png
new file mode 100644
index 0000000000..da1c678a78
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-20.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-21.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-21.png
new file mode 100644
index 0000000000..b1c10100a8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-21.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-22.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-22.png
new file mode 100644
index 0000000000..4e584cf8ff
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-22.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-23.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-23.png
new file mode 100644
index 0000000000..409a17bd31
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-23.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-24.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-24.png
new file mode 100644
index 0000000000..eff967231f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-24.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-25.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-25.png
new file mode 100644
index 0000000000..633bdd07fc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-25.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-26.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-26.png
new file mode 100644
index 0000000000..4fa5bcefbd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-26.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-27.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-27.png
new file mode 100644
index 0000000000..57475dbc33
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-27.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-28.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-28.png
new file mode 100644
index 0000000000..8049e9ff17
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-28.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-29.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-29.png
new file mode 100644
index 0000000000..b66bf94eed
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-29.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-3.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-3.png
new file mode 100644
index 0000000000..ac9b6fdbe0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-30.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-30.png
new file mode 100644
index 0000000000..34013530b7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-30.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-4.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-4.png
new file mode 100644
index 0000000000..ec02855c2e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-5.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-5.png
new file mode 100644
index 0000000000..3ca2697396
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-5.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-6.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-6.png
new file mode 100644
index 0000000000..bae2cefcb1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-6.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-7.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-7.png
new file mode 100644
index 0000000000..6b88d7c627
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-7.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-8.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-8.png
new file mode 100644
index 0000000000..7d6da4c656
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-8.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-9.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-9.png
new file mode 100644
index 0000000000..73d85b26ad
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-9.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/msdefender-mac-config-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/msdefender-mac-config-profile.png
new file mode 100644
index 0000000000..9106d38d7e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/msdefender-mac-config-profile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png b/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png
new file mode 100644
index 0000000000..cea5e255f5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png b/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png
index 570609f803..67f0679c18 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png and b/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png
deleted file mode 100644
index 78d20dc4ee..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png
index 4b1576ec23..bcfd6506d9 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/select-simulator.png b/windows/security/threat-protection/microsoft-defender-atp/images/select-simulator.png
new file mode 100644
index 0000000000..e98bc4b89e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/select-simulator.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/send-us-feedback-eval-lab.png b/windows/security/threat-protection/microsoft-defender-atp/images/send-us-feedback-eval-lab.png
index 8b37ac8a3a..f7d6472ba7 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/send-us-feedback-eval-lab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/send-us-feedback-eval-lab.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png
index 94c724f0c8..ef062f0c8e 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-aiq.png b/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-aiq.png
new file mode 100644
index 0000000000..9eeb6d31cd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-aiq.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-sb.png b/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-sb.png
new file mode 100644
index 0000000000..706bd97b0c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-sb.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/simulations-catalog.png b/windows/security/threat-protection/microsoft-defender-atp/images/simulations-catalog.png
new file mode 100644
index 0000000000..4e84bc76f1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/simulations-catalog.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/simulations-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/simulations-tab.png
new file mode 100644
index 0000000000..437ee70e30
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/simulations-tab.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turn-shadow-protection-on.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/turn-edr-in-block-mode-on.jpg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/turn-shadow-protection-on.jpg
rename to windows/security/threat-protection/microsoft-defender-atp/images/turn-edr-in-block-mode-on.jpg
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png
new file mode 100644
index 0000000000..c7c9c0b861
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png
new file mode 100644
index 0000000000..48af27eb1f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout.png
new file mode 100644
index 0000000000..a066310eae
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png
new file mode 100644
index 0000000000..5a7ce86cbd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png
new file mode 100644
index 0000000000..d8b73ba265
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png
deleted file mode 100644
index cf9f274980..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png
deleted file mode 100644
index 9af2ad6945..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
index 174242a934..95806be4e6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
@@ -21,11 +21,11 @@ manager: dansimp
**Applies to:**
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](microsoft-defender-advanced-threat-protection.md)
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
-Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection.
+Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/help/2458544/) are now included in exploit protection.
You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings.
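Review bot: the unchanged context line "Exploit protection applies helps protect devices from malware that use exploits to spread and infect." carries a stray word and a number-agreement slip; since this paragraph is already being edited, change it to "Exploit protection helps protect devices from malware that uses exploits to spread and infect."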
@@ -33,7 +33,7 @@ You can also convert and import an existing EMET configuration XML file into an
This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
-The [Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
+The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation.xml* (Selfhost v4) that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
## Create and export a configuration file
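Review bot: the rewritten line leaves a parenthesis unclosed: "(name *ProcessMitigation.xml* (Selfhost v4) that you can use" opens two and closes one, and the old line had the same defect. Suggest "a sample configuration file (named *ProcessMitigation.xml*, Selfhost v4) that you can use to see how the XML structure looks."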
@@ -53,27 +53,28 @@ When you have configured exploit protection to your desired state (including bot
3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
-> [!IMPORTANT]
-> If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings exported correctly on the XML file.
+ > [!IMPORTANT]
+ > If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings exported correctly on the XML file.
-
+ 
-> [!NOTE]
-> When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
+ > [!NOTE]
+ > When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections—either section will export all settings.
### Use PowerShell to export a configuration file
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
2. Enter the following cmdlet:
```PowerShell
Get-ProcessMitigation -RegistryConfigFilePath filename.xml
```
-Change `filename` to any name or location of your choosing.
+ Change `filename` to any name or location of your choosing.
-Example command
-**Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml**
+ Example command:
+
+ **Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml**
> [!IMPORTANT]
> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
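Review bot: the example invocation `**Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml**` is bold prose while the template two lines above sits in a PowerShell fence; put the example in the same fenced style so it can be copied verbatim and so the backslash in the path is not subject to markdown escaping. The `+ ` line added between the IMPORTANT and NOTE blocks contains only whitespace; make it an empty line.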
@@ -86,17 +87,18 @@ After importing, the settings will be instantly applied and can be reviewed in t
### Use PowerShell to import a configuration file
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
2. Enter the following cmdlet:
```PowerShell
Set-ProcessMitigation -PolicyFilePath filename.xml
```
-Change `filename` to the location and name of the exploit protection XML file.
+ Change `filename` to the location and name of the exploit protection XML file.
-Example command
-**Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml**
+ Example command:
+
+ **Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml**
> [!IMPORTANT]
>
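Review bot: same fence mismatch as in the export section: `**Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml**` should be a PowerShell fenced block rather than bold text. Because this cmdlet applies the mitigation policy to the machine, the IMPORTANT note that follows is the natural place to say the path should point at the shared location the export section's IMPORTANT note tells admins to use, so that every machine imports the same reviewed file.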
@@ -116,14 +118,14 @@ You can only do this conversion in PowerShell.
>
> You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
2. Enter the following cmdlet:
```PowerShell
ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
```
-Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
+ Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
> [!IMPORTANT]
>
@@ -141,7 +143,7 @@ You can use Group Policy to deploy the configuration you've created to multiple
### Use Group Policy to distribute the configuration
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -151,14 +153,14 @@ You can use Group Policy to deploy the configuration you've created to multiple
4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
-5. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples:
+5. In the **Options::** section, enter the location and file name of the Exploit protection configuration file that you want to use, such as in the following examples:
* C:\MitigationSettings\Config.XML
* \\\Server\Share\Config.xml
* https://localhost:8080/Config.xml
* C:\ExploitConfigfile.xml
-6. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+6. Click **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy).
## Related topics
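Review bot: `**Options::**` keeps a doubled colon in the + line; unless the Group Policy editor literally shows "Options::", drop one colon. In the context lines the example paths mix `Config.XML` and `Config.xml`, which is harmless on Windows but worth normalising, and `\\\Server\Share\Config.xml` relies on a markdown escape to render as `\\Server\Share\Config.xml`, so confirm the rendered page shows both leading backslashes.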
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md
deleted file mode 100644
index eb0adb5890..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: Configure information protection in Windows
-ms.reviewer:
-description: Learn how to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
-keywords: information, protection, data, loss, prevention, wip, policy, scc, compliance, labels, dlp
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Configure information protection in Windows
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Learn how you can use Microsoft Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
-
->[!TIP]
-> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
-
-If a file meets the criteria set in the policy settings and endpoint data loss prevention setting is also configured, WIP will be enabled for that file.
-
-
-
-## Prerequisites
-- Endpoints need to be on Windows 10, version 1809 or later
-- You need the appropriate license to use the Microsoft Defender ATP and Azure Information Protection integration
-- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information, see [Configure a Log Analytics workspace for the reports](https://docs.microsoft.com/azure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports)
-
-
-## Configure endpoint data loss prevention
-Complete the following steps so that Microsoft Defender ATP can automatically identify labeled documents stored on the device and enable WIP on them.
-
->[!NOTE]
->- The Microsoft Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy.
->- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data.
-
-1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step.
-2. Define which labels need to get WIP protection in Office 365 Security and Compliance.
-
- 1. Go to: **Classifications > Labels**.
- 2. Create a label or edit an existing one.
- 3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP.
-
- 
-
- 4. Repeat for every label that you want to get WIP applied to in Windows.
-
-
-
-
-## Configure auto labeling
-
-Windows automatically detects when an Office file, CSV, or TXT files are being created on a device and inspects it based on context to identify sensitive information types.
-
-Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled. The file is protected with Endpoint data loss prevention.
-
->[!NOTE]
-> Auto-labeling requires Windows 10, version 1903.
-
-
-1. In Office 365 Security & Compliance, go to **Classifications > Labels**.
-
-2. Create a new label or edit an existing one.
-
-
-3. Set a policy for Data classification:
-
- 1. Go through the label creation wizard.
- 2. When you reach the Auto labeling page, turn on auto labeling toggle on.
- 3. Add a new auto-labeling rule with the conditions that you require.
-
- 
-
- 4. Validate that "When content matches these conditions" setting is set to "Automatically apply the label".
-
-
-
-
-
-
-## Related topic
-- [Information protection in Windows overview](information-protection-in-windows-overview.md)
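Review bot: deleting information-protection-in-windows-config.md removes a published URL; confirm a redirect entry exists for the old path and that no other article still links to it. The overview page in this same change drops its two "For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md)" links, but a repository-wide search for the file name is the check to run before merging, since the "Related topic" link at the foot of this deleted file shows the two pages cross-referenced each other.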
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
index 800351a160..0c80426a9f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
@@ -2,7 +2,7 @@
title: Information protection in Windows overview
ms.reviewer:
description: Learn about how information protection works in Windows to identify and protect sensitive information
-keywords: information, protection, dlp, wip, data, loss, prevention, protect
+keywords: information, protection, dlp, data, loss, prevention, protect
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -27,7 +27,6 @@ ms.topic: conceptual
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace.
-Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite.
>[!TIP]
> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
@@ -36,7 +35,7 @@ Microsoft Defender ATP applies the following methods to discover, classify, and
- **Data discovery** - Identify sensitive data on Windows devices at risk
- **Data classification** - Automatically classify data based on common Microsoft Information Protection (MIP) policies managed in Office 365 Security & Compliance Center. Auto-classification allows you to protect sensitive data even if the end user hasn’t manually classified it.
-- **Data protection** - Windows Information Protection (WIP) as outcome of Azure Information Protection label
+
## Data discovery and data classification
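Review bot: the `+` line that replaces the "**Data protection**" bullet is an empty line rather than a removed line, which leaves a blank line inside the bullet list; delete the line outright. The list intro in the hunk header still promises methods to "discover, classify, and protect", so with the protect bullet gone it should read "discover and classify".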
@@ -95,37 +94,5 @@ InformationProtectionLogs_CL
- Enable Azure Information Protection integration in Microsoft Defender Security Center:
- Go to **Settings** in Microsoft Defender Security Center, click on **Advanced Settings** under **General**.
-## Data protection
-### Endpoint data loss prevention
-For data to be protected, they must first be identified through labels.
-
-Sensitivity labels are created in Office 365 Security & Compliance Center. Microsoft Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them.
-
-When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Microsoft Defender ATP is the Endpoint data loss prevention.
-
-For the endpoint data loss prevention, you'll need to turn on the Endpoint Data loss prevention and select Enable Windows end point protection (DLP for devices).
-
-
-
-Once, the policy is set and published, Microsoft Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Microsoft Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy.
-
-This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin.
-
-For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
-
-## Auto labeling
-
-Auto labeling is another way to protect data and can also be configured in Office 365 Security & Compliance Center. Windows automatically detects when an Office file, PDF, CSV or TXT files are being created on a device and inspects it based on context to identify sensitive information types.
-
-Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled; the file is protected with Endpoint data loss prevention.
-
-> [!NOTE]
-> Auto-labeling is supported in Office apps only when the Azure Information Protection unified labeling client is installed. When sensitive content is detected in email or documents matching the conditions you choose, a label can automatically be applied or a message can be shown to users recommending they apply it themselves.
-
-For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
-
-## Related topics
-
-- [How Windows Information Protection protects files with a sensitivity label](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
index 47494dd290..ba6d70f4b3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
@@ -61,7 +61,7 @@ For more information on these actions, see [Take response action on a file](resp
The file details, incident, malware detection, and file prevalence cards display various attributes about the file.
-You'll see details such as the file’s MD5, the Virus Total detection ratio, and Windows Defender AV detection if available, and the file’s prevalence, both worldwide and within your organizations.
+You'll see details such as the file’s MD5, the Virus Total detection ratio, and Microsoft Defender AV detection if available, and the file’s prevalence, both worldwide and within your organizations.

diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
index 088b47a20c..5d04bf7089 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
@@ -41,10 +41,17 @@ The follow table shows the exclusion types supported by Microsoft Defender ATP f
Exclusion | Definition | Examples
---|---|---
-File extension | All files with the extension, anywhere on the machine | .test
-File | A specific file identified by the full path | /var/log/test.log
-Folder | All files under the specified folder | /var/log/
-Process | A specific process (specified either by the full path or file name) and all files opened by it | /bin/cat cat
+File extension | All files with the extension, anywhere on the machine | `.test`
+File | A specific file identified by the full path | `/var/log/test.log` `/var/log/*.log` `/var/log/install.?.log`
+Folder | All files under the specified folder | `/var/log/` `/var/*/`
+Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat` `cat` `c?t`
+
+File, folder, and process exclusions support the following wildcards:
+
+Wildcard | Description | Example | Matches | Does not match
+---|---|---|---|---
+\* | Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/\*/\*.log` | `/var/log/system.log` | `/var/log/nested/system.log`
+? | Matches any single character | `file?.log` | `file1.log` `file2.log` | `file123.log`
## How to configure the list of exclusions
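Review bot: in the wildcard table the example is written as `/var/\*/\*.log` inside backticks, and backslashes are not escape characters inside inline code, so the rendered page will show literal backslashes; write it as `/var/*/*.log`. Separately, the definition row already allows a process exclusion by bare file name, and the new examples `cat` and `c?t` extend that with wildcards; a sentence noting that name-only and wildcard process exclusions match any process with a matching name regardless of its path, whereas a full-path exclusion matches only that binary, would help readers keep process exclusions as narrow as possible.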
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index 1ea46c138a..31656eeae6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -43,6 +43,9 @@ The choice of the channel determines the type and frequency of updates that are
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
+> [!WARNING]
+> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
+
### RHEL and variants (CentOS and Oracle Linux)
- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
@@ -176,18 +179,59 @@ In order to preview new features and provide early feedback, it is recommended t
sudo yum install mdatp
```
+ If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
+
+ ```bash
+ # list all repositories
+ $ yum repolist
+ ...
+ packages-microsoft-com-prod packages-microsoft-com-prod 316
+ packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins 2
+ ...
+
+ # install the package from the production repository
+ $ sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
+ ```
+
- SLES and variants:
```bash
sudo zypper install mdatp
```
+ If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
+
+ ```bash
+ # list all repositories
+ $ zypper repos
+ ...
+ # | Alias | Name | ...
+ XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ...
+ XX | packages-microsoft-com-prod | microsoft-prod | ...
+ ...
+
+ # install the package from the production repository
+ $ sudo zypper install packages-microsoft-com-prod:mdatp
+ ```
+
- Ubuntu and Debian system:
```bash
sudo apt-get install mdatp
```
+ If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
+
+ ```bash
+ # list all repositories
+ $ cat /etc/apt/sources.list.d/*
+ deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main
+ deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main
+
+ # install the package from the production repository
+ $ sudo apt -t bionic install mdatp
+ ```
+
## Download the onboarding package
Download the onboarding package from Microsoft Defender Security Center:
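Review bot: the yum example `sudo yum --enablerepo=packages-microsoft-com-prod install mdatp` does not do what the paragraph promises: `--enablerepo` only turns a repository on, and the `yum repolist` output just above shows both `packages-microsoft-com-prod` and `packages-microsoft-com-prod-insiders-fast` already listed as enabled, so yum will still choose the newest `mdatp` from either. Use `sudo yum --disablerepo=packages-microsoft-com-prod-insiders-fast install mdatp` (or `--disablerepo='*' --enablerepo=packages-microsoft-com-prod`) instead. The zypper form (`packages-microsoft-com-prod:mdatp`) and the apt form (`-t bionic`, matching the `bionic` suite in the sources listing) do pin the source. Also, the explanatory paragraph is pasted verbatim three times and could be stated once above the distribution list, and it says `production` while the repository names say `prod`; pick one.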
@@ -203,17 +247,23 @@ Download the onboarding package from Microsoft Defender Security Center:
```bash
ls -l
- total 8
- -rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
+ ```
+ `total 8`
+ `-rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip`
+
+ ```bash
unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
- inflating: WindowsDefenderATPOnboarding.py
+ inflating: MicrosoftDefenderATPOnboardingLinuxServer.py
```
+ `Archive: WindowsDefenderATPOnboardingPackage.zip`
+ `inflating: WindowsDefenderATPOnboarding.py`
+
## Client configuration
-1. Copy WindowsDefenderATPOnboarding.py to the target machine.
+1. Copy MicrosoftDefenderATPOnboardingLinuxServer.py to the target machine.
Initially the client machine is not associated with an organization. Note that the *orgId* attribute is blank:
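Review bot: the two backticked lines added after the `unzip` fence, `Archive: WindowsDefenderATPOnboardingPackage.zip` and `inflating: WindowsDefenderATPOnboarding.py`, duplicate output this hunk already keeps inside the fence and still use the old script name, contradicting the renamed `inflating: MicrosoftDefenderATPOnboardingLinuxServer.py` two lines earlier and step 1 of Client configuration; drop them or update the name. The `ls -l` output was moved out of its fence into backticked lines while the `unzip` output stays inside its fence, so the two adjacent blocks now follow different conventions; pick one and apply it to both.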
@@ -221,28 +271,27 @@ Download the onboarding package from Microsoft Defender Security Center:
mdatp --health orgId
```
-2. Run WindowsDefenderATPOnboarding.py, and note that, in order to run this command, you must have `python` installed on the device:
+2. Run MicrosoftDefenderATPOnboardingLinuxServer.py, and note that, in order to run this command, you must have `python` installed on the device:
```bash
- python WindowsDefenderATPOnboarding.py
+ python MicrosoftDefenderATPOnboardingLinuxServer.py
```
3. Verify that the machine is now associated with your organization and reports a valid organization identifier:
```bash
mdatp --health orgId
- [your organization identifier]
```
4. A few minutes after you complete the installation, you can see the status by running the following command. A return value of `1` denotes that the product is functioning as expected:
```bash
mdatp --health healthy
- 1
```
> [!IMPORTANT]
- > When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`.
+ > When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`.
+ > Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Microsoft Defender ATP for Linux for static proxy discovery: Post-installation configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration#post-installation-configuration).
5. Run a detection test to verify that the machine is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded machine:
@@ -250,7 +299,6 @@ Download the onboarding package from Microsoft Defender Security Center:
```bash
mdatp --health realTimeProtectionEnabled
- 1
```
- Open a Terminal window. Copy and execute the following command:
@@ -269,6 +317,10 @@ Download the onboarding package from Microsoft Defender Security Center:
See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
+## Operating system upgrades
+
+When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device.
+
## Uninstallation
-See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices.
+See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices.
\ No newline at end of file
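Review bot: the closing line `See [Uninstall](linux-resources.md#uninstall) ...` is replaced by itself with only trailing whitespace changed, and the replacement now ends without a newline (`\ No newline at end of file`); drop the whitespace-only change and keep the trailing newline to avoid churn. The new "Operating system upgrades" paragraph is added word for word to this file and to linux-install-with-ansible.md and linux-install-with-puppet.md in the same change, so a shared include would keep the copies in sync; it should also say what "reconfigure" means in practice (re-running the installation and onboarding steps in this topic, and whether the existing onboarding package can be reused).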
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
index 373d409cfd..34b6be737e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
@@ -139,6 +139,9 @@ Create subtask or role files that contribute to an actual task. First create the
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
+ > [!WARNING]
+ > Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
+
Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
In the following commands, replace *[distro]* and *[version]* with the information you've identified.
@@ -252,6 +255,10 @@ Now run the tasks files under `/etc/ansible/playbooks/`.
See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
+## Operating system upgrades
+
+When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device.
+
## References
- [Add or remove YUM repositories](https://docs.ansible.com/ansible/2.3/yum_repository_module.html)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
index 89133920ec..3914bf58e0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
@@ -1,6 +1,6 @@
---
title: Deploy Microsoft Defender ATP for Linux with Puppet
-ms.reviewer:
+ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for Linux using Puppet.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
@@ -14,7 +14,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual
---
@@ -48,7 +48,7 @@ Download the onboarding package from Microsoft Defender Security Center:

4. From a command prompt, verify that you have the file. Extract the contents of the archive:
-
+
```bash
$ ls -l
total 8
@@ -60,7 +60,7 @@ Download the onboarding package from Microsoft Defender Security Center:
## Create a Puppet manifest
-You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* module available from puppetlabs, and assumes that the apt module has been installed on your Puppet server.
+You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server.
Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
@@ -84,46 +84,74 @@ The choice of the channel determines the type and frequency of updates that are
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
+> [!WARNING]
+> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
+
Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
In the below commands, replace *[distro]* and *[version]* with the information you've identified:
> [!NOTE]
-> In case of Oracle Linux, replace *[distro]* with “rhel”.
+> In case of RedHat, Oracle EL, and CentOS 8, replace *[distro]* with 'rhel'.
```puppet
-class install_mdatp {
+# Puppet manifest to install Microsoft Defender ATP.
+# @param channel The release channel based on your environment, insider-fast or prod.
+# @param distro The Linux distribution in lowercase. In case of RedHat, Oracle EL, and CentOS 8, the distro variable should be 'rhel'.
+# @param version The Linux distribution release number, e.g. 7.4.
- if ($osfamily == 'Debian') {
- apt::source { 'microsoftpackages' :
- location => 'https://packages.microsoft.com/[distro]/[version]/prod', # change the version and distro based on your OS
- release => '[channel]',
- repos => 'main',
- key => {
- 'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF',
- 'server' => 'https://packages.microsoft.com/keys/microsoft.asc',
- },
+class install_mdatp (
+$channel = 'insiders-fast',
+$distro = undef,
+$version = undef
+){
+ case $::osfamily {
+ 'Debian' : {
+ apt::source { 'microsoftpackages' :
+ location => "https://packages.microsoft.com/${distro}/${version}/prod",
+ release => $channel,
+ repos => 'main',
+ key => {
+ 'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF',
+ 'server' => 'keyserver.ubuntu.com',
+ },
+ }
}
- }
- else {
- yumrepo { 'microsoftpackages' :
- baseurl => 'https://packages.microsoft.com/[distro]/[version]/[channel]', # change the version and distro based on your OS
- enabled => 1,
- gpgcheck => 1,
- gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc'
+ 'RedHat' : {
+ yumrepo { 'microsoftpackages' :
+ baseurl => "https://packages.microsoft.com/${distro}/${version}/${channel}",
+ descr => "packages-microsoft-com-prod-${channel}",
+ enabled => 1,
+ gpgcheck => 1,
+ gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc'
+ }
}
+ default : { fail("${::osfamily} is currently not supported.") }
}
- package { 'mdatp':
- ensure => 'installed',
- }
+ case $::osfamily {
+ /(Debian|RedHat)/: {
+ file { ['/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']:
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => '0755'
+ }
- file { ['/etc', '/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']:
- ensure => directory,
- }
- file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json':
- mode => "0644",
- source => 'puppet:///modules/install_mdatp/mdatp_onboard.json',
+ file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json':
+ source => 'puppet:///modules/mdatp/mdatp_onboard.json',
+ owner => root,
+ group => root,
+ mode => '0600',
+ require => File['/etc/opt/microsoft/mdatp']
+ }
+
+ package { 'mdatp':
+ ensure => 'installed',
+ require => File['/etc/opt/microsoft/mdatp/mdatp_onboard.json']
+ }
+ }
+ default : { fail("${::osfamily} is currently not supported.") }
}
}
```
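Review bot: `source => 'puppet:///modules/mdatp/mdatp_onboard.json'` points at a module named `mdatp`, but the module this topic tells the reader to create is `install_mdatp` (the removed line had `puppet:///modules/install_mdatp/mdatp_onboard.json`, and the paragraph above says to copy the file into *install_mdatp/files*), so the file resource will fail to fetch its source and, because `package { 'mdatp' }` now requires that file, the package is never installed; restore the `install_mdatp` path. `'server' => 'keyserver.ubuntu.com'` moves retrieval of the signing key to a public keyserver; the apt module still checks the fingerprint given in `id`, but fetching the vendor key from the vendor's own URL is the safer supply-chain choice, so use the key hash's `source` parameter with `https://packages.microsoft.com/keys/microsoft.asc` (the removed line put that URL in `server`, which expects a keyserver hostname, which is presumably why it was changed). Smaller points: `$distro` and `$version` default to `undef` yet are interpolated straight into the repository URL, so a `fail()` when either is unset would give a clearer error than a repository fetch against a URL with empty path segments; the `@param channel` comment says `insider-fast` while the default is `insiders-fast`; `descr => "packages-microsoft-com-prod-${channel}"` hard-codes "prod" even for the insider channels; the second `case $::osfamily` with `/(Debian|RedHat)/` only re-tests what the first case already established and can be folded into it; and the Suse osfamily (SLES, which the manual-install topic covers via zypper) falls through to `fail()`. Tightening mdatp_onboard.json to `mode => '0600'` with root ownership is a good change, since that file holds the onboarding credentials.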
@@ -162,7 +190,7 @@ orgId : "[your organization identifier]"
You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status:
```bash
-$ mdatp --health healthy
+mdatp --health healthy
```
The above command prints `1` if the product is onboarded and functioning as expected.
@@ -179,6 +207,10 @@ If the product is not healthy, the exit code (which can be checked through `echo
See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
+## Operating system upgrades
+
+When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device.
+
## Uninstallation
Create a module *remove_mdatp* similar to *install_mdatp* with the following contents in *init.pp* file:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md
new file mode 100644
index 0000000000..7a7de6e01f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md
@@ -0,0 +1,300 @@
+---
+title: Privacy for Microsoft Defender ATP for Linux
+description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Linux.
+keywords: microsoft, defender, atp, linux, privacy, diagnostic
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Privacy for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Microsoft Defender ATP for Linux.
+
+This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected.
+
+## Overview of privacy controls in Microsoft Defender ATP for Linux
+
+This section describes the privacy controls for the different types of data collected by Microsoft Defender ATP for Linux.
+
+### Diagnostic data
+
+Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements.
+
+Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations.
+
+There are two levels of diagnostic data for Microsoft Defender ATP client software that you can choose from:
+
+* **Required**: The minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and performing as expected on the device it’s installed on.
+
+* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
+
+By default, only required diagnostic data is sent to Microsoft.
+
+### Cloud delivered protection data
+
+Cloud delivered protection is used to provide increased and faster protection with access to the latest protection data in the cloud.
+
+Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
+
+### Sample data
+
+Sample data is used to improve the protection capabilities of the product, by sending Microsoft suspicious samples so they can be analyzed. Enabling automatic sample submission is optional.
+
+There are three levels for controlling sample submission:
+
+- **None**: no suspicious samples are submitted to Microsoft.
+- **Safe**: only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.
+- **All**: all suspicious samples are submitted to Microsoft.
+
+## Manage privacy controls with policy settings
+
+If you're an IT administrator, you might want to configure these controls at the enterprise level.
+
+The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
+
+As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization.
+
+## Diagnostic data events
+
+This section describes what is considered required diagnostic data and what is considered optional diagnostic data, along with a description of the events and fields that are collected.
+
+### Data fields that are common for all events
+There is some information about events that is common to all events, regardless of category or data subtype.
+
+The following fields are considered common for all events:
+
+| Field | Description |
+| ----------------------- | ----------- |
+| platform | The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized. |
+| machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
+| sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
+| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. |
+| hostname | Local machine name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
+| product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. |
+| app_version | Version of the Microsoft Defender ATP for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.|
+| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. |
+| supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. |
+| release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. |
+
+### Required diagnostic data
+
+**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and perform as expected on the device it’s installed on.
+
+Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender ATP feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender ATP features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced.
+
+#### Software setup and inventory data events
+
+**Microsoft Defender ATP installation / uninstallation**
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| correlation_id | Unique identifier associated with the installation. |
+| version | Version of the package. |
+| severity | Severity of the message (for example Informational). |
+| code | Code that describes the operation. |
+| text | Additional information associated with the product installation. |
+
+**Microsoft Defender ATP configuration**
+
+The following fields are collected:
+
+| Field | Description |
+| --------------------------------------------------- | ----------- |
+| antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. |
+| antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not. |
+| cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. |
+| cloud_service.timeout | Time out when the application communicates with the Microsoft Defender ATP cloud. |
+| cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. |
+| cloud_service.service_uri | URI used to communicate with the cloud. |
+| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). |
+| cloud_service.automatic_sample_submission | Automatic sample submission level of the device (none, safe, all). |
+| edr.early_preview | Whether the machine should run EDR early preview features. |
+| edr.group_id | Group identifier used by the detection and response component. |
+| edr.tags | User-defined tags. |
+| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. |
+
+#### Product and service usage data events
+
+**Security intelligence update report**
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| from_version | Original security intelligence version. |
+| to_version | New security intelligence version. |
+| status | Status of the update indicating success or failure. |
+| using_proxy | Whether the update was done over a proxy. |
+| error | Error code if the update failed. |
+| reason | Error message if the update failed. |
+
+#### Product and service performance data events
+
+**Kernel extension statistics**
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| version | Version of Microsoft Defender ATP for Linux. |
+| instance_id | Unique identifier generated on kernel extension startup. |
+| trace_level | Trace level of the kernel extension. |
+| subsystem | The underlying subsystem used for real-time protection. |
+| ipc.connects | Number of connection requests received by the kernel extension. |
+| ipc.rejects | Number of connection requests rejected by the kernel extension. |
+| ipc.connected | Whether there is any active connection to the kernel extension. |
+
+#### Support data
+
+**Diagnostic logs**
+
+Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs:
+
+- All files under */var/log/microsoft/mdatp*
+- Subset of files under */etc/opt/microsoft/mdatp* that are created and used by Microsoft Defender ATP for Linux
+- Product installation and uninstallation logs under */var/log/microsoft_mdatp_\*.log*
+
+### Optional diagnostic data
+
+**Optional diagnostic data** is additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and fix issues.
+
+If you choose to send us optional diagnostic data, required diagnostic data is also included.
+
+Examples of optional diagnostic data include data Microsoft collects about product configuration (for example number of exclusions set on the device) and product performance (aggregate measures about the performance of components of the product).
+
+#### Software setup and inventory data events
+
+**Microsoft Defender ATP configuration**
+
+The following fields are collected:
+
+| Field | Description |
+| -------------------------------------------------- | ----------- |
+| connection_retry_timeout | Connection retry time-out when communication with the cloud. |
+| file_hash_cache_maximum | Size of the product cache. |
+| crash_upload_daily_limit | Limit of crash logs uploaded daily. |
+| antivirus_engine.exclusions[].is_directory | Whether the exclusion from scanning is a directory or not. |
+| antivirus_engine.exclusions[].path | Path that was excluded from scanning. |
+| antivirus_engine.exclusions[].extension | Extension excluded from scanning. |
+| antivirus_engine.exclusions[].name | Name of the file excluded from scanning. |
+| antivirus_engine.scan_cache_maximum | Size of the product cache. |
+| antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning. |
+| antivirus_engine.threat_restoration_exclusion_time | Time out before a file restored from the quarantine can be detected again. |
+| filesystem_scanner.full_scan_directory | Full scan directory. |
+| filesystem_scanner.quick_scan_directories | List of directories used in quick scan. |
+| edr.latency_mode | Latency mode used by the detection and response component. |
+| edr.proxy_address | Proxy address used by the detection and response component. |
+
+**Microsoft Auto-Update configuration**
+
+The following fields are collected:
+
+| Field | Description |
+| --------------------------- | ----------- |
+| how_to_check | Determines how product updates are checked (for example automatic or manual). |
+| channel_name | Update channel associated with the device. |
+| manifest_server | Server used for downloading updates. |
+| update_cache | Location of the cache used to store updates. |
+
+### Product and service usage
+
+#### Diagnostic log upload started report
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| sha256 | SHA256 identifier of the support log. |
+| size | Size of the support log. |
+| original_path | Path to the support log (always under */var/opt/microsoft/mdatp/wdavdiag/*). |
+| format | Format of the support log. |
+
+#### Diagnostic log upload completed report
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| request_id | Correlation ID for the support log upload request. |
+| sha256 | SHA256 identifier of the support log. |
+| blob_sas_uri | URI used by the application to upload the support log. |
+
+#### Product and service performance data events
+
+**Unexpected application exit (crash)**
+
+Unexpected application exits and the state of the application when that happens.
+
+**Kernel extension statistics**
+
+The following fields are collected:
+
+| Field | Description |
+| ------------------------------ | ----------- |
+| pkt_ack_timeout | The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup. |
+| pkt_ack_conn_timeout | |
+| ipc.ack_pkts | |
+| ipc.nack_pkts | |
+| ipc.send.ack_no_conn | |
+| ipc.send.nack_no_conn | |
+| ipc.send.ack_no_qsq | |
+| ipc.send.nack_no_qsq | |
+| ipc.ack.no_space | |
+| ipc.ack.timeout | |
+| ipc.ack.ackd_fast | |
+| ipc.ack.ackd | |
+| ipc.recv.bad_pkt_len | |
+| ipc.recv.bad_reply_len | |
+| ipc.recv.no_waiter | |
+| ipc.recv.copy_failed | |
+| ipc.kauth.vnode.mask | |
+| ipc.kauth.vnode.read | |
+| ipc.kauth.vnode.write | |
+| ipc.kauth.vnode.exec | |
+| ipc.kauth.vnode.del | |
+| ipc.kauth.vnode.read_attr | |
+| ipc.kauth.vnode.write_attr | |
+| ipc.kauth.vnode.read_ex_attr | |
+| ipc.kauth.vnode.write_ex_attr | |
+| ipc.kauth.vnode.read_sec | |
+| ipc.kauth.vnode.write_sec | |
+| ipc.kauth.vnode.take_own | |
+| ipc.kauth.vnode.link | |
+| ipc.kauth.vnode.create | |
+| ipc.kauth.vnode.move | |
+| ipc.kauth.vnode.mount | |
+| ipc.kauth.vnode.denied | |
+| ipc.kauth.vnode.ackd_before_deadline | |
+| ipc.kauth.vnode.missed_deadline | |
+| ipc.kauth.file_op.mask | |
+| ipc.kauth_file_op.open | |
+| ipc.kauth.file_op.close | |
+| ipc.kauth.file_op.close_modified | |
+| ipc.kauth.file_op.move | |
+| ipc.kauth.file_op.link | |
+| ipc.kauth.file_op.exec | |
+| ipc.kauth.file_op.remove | |
+| ipc.kauth.file_op.unmount | |
+| ipc.kauth.file_op.fork | |
+| ipc.kauth.file_op.create | |
+
+## Resources
+
+- [Privacy at Microsoft](https://privacy.microsoft.com/)
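Review bot: the `ipc.kauth.vnode.*` and `ipc.kauth.file_op.*` fields in the optional "Kernel extension statistics" table are named after the macOS Kauth (kernel authorization) subsystem, and the required-data table of the same name speaks of "kernel extension startup"; please confirm these tables describe what the Linux product actually sends rather than content carried over from the macOS privacy topic, and rename the heading if the Linux sensor is not a kernel extension. In that table, `ipc.kauth_file_op.open` breaks the `ipc.kauth.file_op.*` pattern of the surrounding rows and looks like a typo. The sentence "The following properties are aggregated numerical values ..." sits in the Description cell of the `pkt_ack_timeout` row with every other Description left empty, so renderers show it as the description of that one field only; move it to a sentence above the table. Several descriptions are too similar to be useful: `machine_guid` and `sense_guid` have identical text, and `file_hash_cache_maximum` and `antivirus_engine.scan_cache_maximum` are both just "Size of the product cache". Grammar and markup: "Connection retry time-out when communication with the cloud" should read "when communicating with the cloud", and `*/var/log/microsoft_mdatp_\*.log*` mixes italic markers with an escaped asterisk and renders inconsistently.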
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
new file mode 100644
index 0000000000..b0cd02009a
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
@@ -0,0 +1,65 @@
+---
+title: Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux
+description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Linux.
+keywords: microsoft, defender, atp, linux, pua, pus
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Linux can detect and block PUA files on endpoints in your network.
+
+These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation.
+
+These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications.
+
+## How it works
+
+Microsoft Defender ATP for Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine.
+
+When a PUA is detected on an endpoint, Microsoft Defender ATP for Linux keeps a record of the infection in the threat history. The history can be visualized from the Microsoft Defender Security Center portal or through the `mdatp` command-line tool. The threat name will contain the word "Application".
+
+## Configure PUA protection
+
+PUA protection in Microsoft Defender ATP for Linux can be configured in one of the following ways:
+
+- **Off**: PUA protection is disabled.
+- **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No record of the infection is stored in the threat history and no action is taken by the product.
+- **Block**: PUA files are reported in the product logs and in Microsoft Defender Security Center. A record of the infection is stored in the threat history and action is taken by the product.
+
+>[!WARNING]
+>By default, PUA protection is configured in **Audit** mode.
+
+You can configure how PUA files are handled from the command line or from the management console.
+
+### Use the command-line tool to configure PUA protection:
+
+In Terminal, execute the following command to configure PUA protection:
+
+```bash
+$ mdatp --threat --type-handling potentially_unwanted_application [off|audit|block]
+```
+
+### Use the management console to configure PUA protection:
+
+In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) topic.
+
+## Related topics
+
+- [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md)
\ No newline at end of file
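Review bot: the `[!WARNING]` box only states the default ("By default, PUA protection is configured in **Audit** mode"); the thing worth warning about is the consequence already spelled out in the Audit bullet, that detected PUA files are neither quarantined nor reported to Microsoft Defender Security Center until the mode is changed to block, so either say that in the box or downgrade it to `[!NOTE]`. The `$ mdatp --threat --type-handling ...` fence keeps a `$` prompt while this same change removes the prompt in the Puppet topic (`-$ mdatp --health healthy`); be consistent across the PR. The **Block** bullet says "action is taken by the product" where the "How it works" section already says the file is moved to quarantine; say that instead. Minor: the two `###` headings end with a colon, and the file is added without a trailing newline.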
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
index d34c004a38..4a25d355bf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
@@ -54,7 +54,7 @@ OK https://cdn.x.cp.wd.microsoft.com/ping
> [!WARNING]
> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
>
-> Intercepting proxies are also not supported for security reasons. Configure your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your proxy certificate to the global store will not allow for interception.
+> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port:
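Review bot: the rewritten warning sentence `Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception.` is hard to parse because both "an exception" and "your proxy server" hang off "Configure". Split it into two instructions: configure an SSL inspection exception for the Microsoft Defender ATP for Linux URLs, and configure the proxy to pass that traffic through without interception. The closing sentence `Adding your interception certificate to the global store will not allow for interception.` implies the agent does not rely on the system certificate store for these connections; stating that directly would tell readers why the exception is required rather than optional.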
@@ -64,6 +64,9 @@ $ curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.mi
Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands.
+> [!WARNING]
+> The static proxy cannot be configured through a system-wide `HTTPS_PROXY` environment variable. Instead, ensure that `HTTPS_PROXY` is properly set in the `/lib/system/system/mdatp.service` file.
+
To use a static proxy, the `mdatp.service` file must be modified. Ensure the leading `#` is removed to uncomment the following line from `/lib/systemd/system/mdatp.service`:
```bash
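Review bot: the added WARNING points at `/lib/system/system/mdatp.service`, but the paragraph right below it (and the systemd unit location in general) uses `/lib/systemd/system/mdatp.service`; the new line copies the typo from the unchanged context line `Ensure that you use the same proxy address and port as configured in the /lib/system/system/mdatp.service file.` above it. Fix the path in the new warning and in that context line so all three references agree; as written, a reader following the warning literally will look for a directory that does not exist.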
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
new file mode 100644
index 0000000000..0982c630fa
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
@@ -0,0 +1,121 @@
+---
+title: Troubleshoot installation issues for Microsoft Defender ATP for Linux
+ms.reviewer:
+description: Troubleshoot installation issues for Microsoft Defender ATP for Linux
+keywords: microsoft, defender, atp, linux, installation
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Troubleshoot installation issues for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+## Verify if installation succeeded
+
+An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, one can obtain and check the installation logs using:
+```bash
+$ sudo journalctl | grep 'microsoft-mdatp' > installation.log
+$ grep 'postinstall end' installation.log
+
+microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216
+```
+An output from the previous command with correct date and time of installation indicates success.
+
+Also check the [Client configuration](linux-install-manually.md#client-configuration) to verify the health of the product and detect the EICAR text file.
+
+## Installation failed
+
+Check if the mdatp service is running
+```bash
+$ systemctl status mdatp
+
+● mdatp.service - Microsoft Defender ATP
+ Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
+ Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago
+ Main PID: 1966 (wdavdaemon)
+ Tasks: 105 (limit: 4915)
+ CGroup: /system.slice/mdatp.service
+ ├─1966 /opt/microsoft/mdatp/sbin/wdavdaemon
+ ├─1967 /opt/microsoft/mdatp/sbin/wdavdaemon
+ └─1968 /opt/microsoft/mdatp/sbin/wdavdaemon
+```
+
+## Steps to troubleshoot if mdatp service isn't running
+
+1. Check if “mdatp” user exists:
+```bash
+$ id “mdatp”
+```
+If there’s no output, run
+```bash
+$ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
+```
+
+2. Try enabling and restarting the service using:
+```bash
+$ sudo systemctl enable mdatp
+$ sudo systemctl restart mdatp
+```
+
+3. If mdatp.service isn't found upon running the previous command, run
+```bash
+$ sudo cp /opt/microsoft/mdatp/conf/mdatp.service
+
+where is
+/lib/systemd/system for Ubuntu and Debian distributions
+/usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES
+```
+and then rerun step 2.
+
+4. If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.
+Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot.
+
+5. Ensure that the daemon has executable permission.
+```bash
+$ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
+
+-rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon
+```
+If the daemon doesn't have executable permissions, make it executable using:
+```bash
+$ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
+```
+and retry running step 2.
+
+6. Ensure that the file system containing wdavdaemon isn't mounted with “noexec”.
+
+## If mdatp service is running, but EICAR text file detection doesn't work
+
+1. Check the file system type using:
+```bash
+$ findmnt -T
+```
+Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned.
+
+## Command-line tool “mdatp” isn't working
+
+1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command:
+```bash
+$ sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
+```
+and try again.
+
+If none of the above steps help, collect the diagnostic logs:
+```bash
+$ sudo mdatp --diagnostic --create
+```
+Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.
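Review bot: step 3 of "Steps to troubleshoot if mdatp service isn't running" is incomplete: `$ sudo cp /opt/microsoft/mdatp/conf/mdatp.service` has no destination and the following line reads `where is`, so the angle-bracket placeholder was evidently stripped by markdown in both places. Restore it (for example `<systemd_path>`) and escape the brackets so the command and the explanation are complete. The same has happened to `$ findmnt -T`, which takes a path argument. Other points in this hunk: `$ id “mdatp”` uses curly quotes, which a shell passes literally, use straight quotes or none; the sample log line `postinstall end [2020-03-26 07:04:43OURCE +0000]` contains the stray text `OURCE` inside the timestamp; in step 4, permissive mode is sufficient for diagnosis because SELinux still logs denials in that mode, so "or disabled" can go, and suggesting `getenforce` to check the current mode and `setenforce 0` / `setenforce 1` for a temporary switch would let readers test without editing `/etc/selinux/config` and rebooting twice; and `Rhel` should be `RHEL`.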
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
new file mode 100644
index 0000000000..4c49223e78
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
@@ -0,0 +1,30 @@
+---
+title: What's new in Microsoft Defender Advanced Threat Protection for Linux
+description: List of major changes for Microsoft Defender ATP for Linux.
+keywords: microsoft, defender, atp, linux, whatsnew, release
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: security
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# What's new in Microsoft Defender Advanced Threat Protection for Linux
+
+## 100.90.70
+
+> [!WARNING]
+> When upgrading the installed package from a product version earlier than 100.90.70, the update may fail on Red Hat-based and SLES distributions. This is because of a major change in a file path. A temporary solution is to remove the older package, and then install the newer one. This issue does not exist in newer versions.
+
+- Antivirus [exclusions now support wildcards](linux-exclusions.md#supported-exclusion-types)
+- Added the ability to [troubleshoot performance issues](linux-support-perf.md) through the `mdatp` command-line tool
+- Improvements to make the package installation more robust
+- Performance improvements & bug fixes
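Review bot: the last sentence of the warning, `This issue does not exist in newer versions.`, is ambiguous about which upgrade path is affected; phrase it in terms of the installed version, for example "Upgrades from 100.90.70 or later are not affected." Because the suggested workaround is to remove the package and install the new one, readers will also want to know whether onboarding and local configuration survive the removal; state that or link to the page that covers it.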
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
index 89649bba47..33a756f573 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
@@ -1,6 +1,6 @@
---
title: Live response command examples
-description: Learn about common commands and see examples on how it's used
+description: Learn to run basic or advanced live response commands for Microsoft Defender Advanced Threat Protection (ATP) and see examples on how it's used
keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file
search.product: eADQiWindows 10XVcnh
search.appverid: met150
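Review bot: the new description `Learn to run basic or advanced live response commands for Microsoft Defender Advanced Threat Protection (ATP) and see examples on how it's used` has a number mismatch ("commands" but "it's"); change the ending to "see examples of how they're used".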
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
index 80231ef03d..8ab5475888 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
@@ -1,6 +1,6 @@
---
title: Investigate entities on machines using live response in Microsoft Defender ATP
-description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real-time.
+description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real time.
keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file,
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -17,53 +17,69 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Investigate entities on machines using live response
+# Investigate entities on devices using live response
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.
+Live response is a capability that gives your security operations team instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats — in real time.
-Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
+Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUW]
-
-With live response, analysts will have the ability to:
-- Run basic and advanced commands to do investigative work
-- Download files such as malware samples and outcomes of PowerShell scripts
-- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level
-- Take or undo remediation actions
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4qLUW]
+With live response, analysts can do all of the following tasks:
+- Run basic and advanced commands to do investigative work on a device.
+- Download files such as malware samples and outcomes of PowerShell scripts.
+- Download files in the background (new!).
+- Upload a PowerShell script or executable to the library and run it on a device from a tenant level.
+- Take or undo remediation actions.
## Before you begin
-Before you can initiate a session on a machine, make sure you fulfill the following requirements:
-- Machines must be Windows 10, version 18323 (also known as Windows 10 19H1) or later.
+Before you can initiate a session on a device, make sure you fulfill the following requirements:
-- **Enable live response from the settings page**
+- **Verify that you're running a supported version of Windows 10**.
+Devices must be running one of the following versions of Windows 10:
+ - [1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later
+ - [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
+ - [1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
+ - [1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+ - [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+
+- **Make sure to install appropriate security updates**.
+ - 1903: [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)
+ - 1809 (RS5): [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
+ - 1803 (RS4): [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
+ - 1709 (RS3): [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
+
+- **Enable live response from the settings page**.
You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
>[!NOTE]
>Only users with manage security or global admin roles can edit these settings.
+
+- **Ensure that the machine has an Automation Remediation level assigned to it**.
+You'll need to enable, at least, the minimum Remediation Level for a given Machine Group. Otherwise you won't be able to establish a Live Response session to a member of that group.
-- **Enable live response unsigned script execution** (optional)
+- **Enable live response unsigned script execution** (optional).
>[!WARNING]
>Allowing the use of unsigned scripts may increase your exposure to threats.
- Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
+ Running unsigned scripts is not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
-- **Ensure that you have the appropriate permissions**
- Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md).
+- **Ensure that you have the appropriate permissions**.
+ Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see [Create and manage roles](user-roles.md).
> [!IMPORTANT]
> The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions.
- Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role.
+ Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permissions are controlled by RBAC custom role.
## Live response dashboard overview
-When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as:
+When you initiate a live response session on a device, a dashboard opens. The dashboard provides information about the session such as the following:
- Who created the session
- When the session started
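Review bot: `Users permissions are controlled by RBAC custom role.` at the end of the permissions bullet is still ungrammatical; the same sentence later in this file (Live response commands section) reads "User permissions are controlled by RBAC custom roles.", use that wording in both places. Also: the supported-versions list now includes "1909 or later" but the security-updates list only covers 1903, 1809, 1803 and 1709, so say whether 1909 needs a specific KB or none; the new bullet `Ensure that the machine has an Automation Remediation level assigned to it` and its text ("Machine Group", "Live Response session") mix terminology and capitalisation with the page-wide change to "device" and lowercase "live response"; and the rewritten intro replaces the hyphen with an em dash before "in real time" where the rest of the page uses plain punctuation.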
@@ -79,81 +95,112 @@ The dashboard also gives you access to:
## Initiate a live response session on a machine
1. Log in to Microsoft Defender Security Center.
-2. Navigate to the machines list page and select a machine to investigate. The machine page opens.
- >[!NOTE]
- >Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later.
+2. Navigate to the devices list page and select a machine to investigate. The machines page opens.
-2. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the machine.
-3. Use the built-in commands to do investigative work. For more information see, [Live response commands](#live-response-commands).
-4. After completing your investigation, select **Disconnect session**, then select **Confirm**.
+3. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the device.
+4. Use the built-in commands to do investigative work. For more information, see [Live response commands](#live-response-commands).
+5. After completing your investigation, select **Disconnect session**, then select **Confirm**.
## Live response commands
-Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments see, [Create and manage roles](user-roles.md).
+
+Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments, see [Create and manage roles](user-roles.md).
### Basic commands
-The following commands are available for user roles that's been granted the ability to run **basic** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
-Command | Description
-:---|:---|:---
-cd | Changes the current directory.
-cls | Clears the console screen.
-connect | Initiates a live response session to the machine.
-connections | Shows all the active connections.
-dir | Shows a list of files and subdirectories in a directory
-drivers | Shows all drivers installed on the machine.
-fileinfo | Get information about a file.
-findfile | Locates files by a given name on the machine.
-help | Provides help information for live response commands.
-persistence | Shows all known persistence methods on the machine.
-processes | Shows all processes running on the machine.
-registry | Shows registry values.
-scheduledtasks| Shows all scheduled tasks on the machine.
-services | Shows all services on the machine.
-trace | Sets the terminal's logging mode to debug.
+The following commands are available for user roles that are granted the ability to run **basic** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md).
+| Command | Description |
+|---|---|--- |
+|`cd` | Changes the current directory. |
+|`cls` | Clears the console screen. |
+|`connect` | Initiates a live response session to the device. |
+|`connections` | Shows all the active connections. |
+|`dir` | Shows a list of files and subdirectories in a directory. |
+|`download &` | Downloads a file in the background. |
+drivers | Shows all drivers installed on the device. |
+|`fg ` | Returns a file download to the foreground. |
+|`fileinfo` | Get information about a file. |
+|`findfile` | Locates files by a given name on the device. |
+|`help` | Provides help information for live response commands. |
+|`persistence` | Shows all known persistence methods on the device. |
+|`processes` | Shows all processes running on the device. |
+|`registry` | Shows registry values. |
+|`scheduledtasks` | Shows all scheduled tasks on the device. |
+|`services` | Shows all services on the device. |
+|`trace` | Sets the terminal's logging mode to debug. |
### Advanced commands
-The following commands are available for user roles that's been granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
+The following commands are available for user roles that are granted the ability to run **advanced** live response commands. For more information on role assignments see [Create and manage roles](user-roles.md).
-Command | Description
-:---|:---
-analyze | Analyses the entity with various incrimination engines to reach a verdict.
-getfile | Gets a file from the machine. NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command.
-run | Runs a PowerShell script from the library on the machine.
-library | Lists files that were uploaded to the live response library.
-putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default.
-remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type: - File: delete - Process: stop, delete image file - Service: stop, delete image file - Registry entry: delete - Scheduled task: remove - Startup folder item: delete file NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command.
-undo | Restores an entity that was remediated.
+| Command | Description |
+|---|---|
+| `analyze` | Analyses the entity with various incrimination engines to reach a verdict. |
+| `getfile` | Gets a file from the device. NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command. |
+| `run` | Runs a PowerShell script from the library on the device. |
+| `library` | Lists files that were uploaded to the live response library. |
+| `putfile` | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. |
+| `remediate` | Remediates an entity on the device. The remediation action will vary depending on the entity type: - File: delete - Process: stop, delete image file - Service: stop, delete image file - Registry entry: delete - Scheduled task: remove - Startup folder item: delete file NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command.
+|`undo` | Restores an entity that was remediated. |
## Use live response commands
+
The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands#BKMK_c).
-The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the machine, and take remediation actions on an entity.
+The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the device, and take remediation actions on an entity.
### Get a file from the machine
-For scenarios when you'd like get a file from a machine you're investigating, you can use the `getfile` command. This allows you to save the file from the machine for further investigation.
+
+For scenarios when you'd like get a file from a device you're investigating, you can use the `getfile` command. This allows you to save the file from the device for further investigation.
>[!NOTE]
->There is a file size limit of 750mb.
+>The following file size limits apply:
+>- `getfile` limit: 3 GB
+>- `fileinfo` limit: 10 GB
+>- `library` limit: 250 MB
+
+### Download a file in the background
+
+To enable your security operations team to continue investigating an impacted device, files can now be downloaded in the background.
+
+- To download a file in the background, in the live response command console, type `download &`.
+- If you are waiting for a file to be downloaded, you can move it to the background by using Ctrl + Z.
+- To bring a file download to the foreground, in the live response command console, type `fg `.
+
+Here are some examples:
+
+
+|Command |What it does |
+|---------|---------|
+|`"C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. |
+|`fg 1234` |Returns a download with command ID *1234* to the foreground. |
+
### Put a file in the library
+
Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level.
Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them.
-You can have a collection of PowerShell scripts that can run on machines that you initiate live response sessions with.
+You can have a collection of PowerShell scripts that can run on devices that you initiate live response sessions with.
+
+#### To upload a file in the library
-**To upload a file in the library:**
1. Click **Upload file to library**.
+
2. Click **Browse** and select the file.
+
3. Provide a brief description.
+
4. Specify if you'd like to overwrite a file with the same name.
+
5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.
+
6. Click **Confirm**.
+
7. (Optional) To verify that the file was uploaded to the library, run the `library` command.
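Review bot: the basic-commands table is malformed: the separator row `|---|---|--- |` declares three columns for a two-column table, and the `drivers` row `drivers | Shows all drivers installed on the device. |` lacks the leading pipe and the backticks every other row uses, so it will not render as a table row. The `remediate` row of the advanced table is missing its closing pipe. Several commands also look like they lost an angle-bracket placeholder to markdown: `fg ` (trailing space) in the table and in the background-download bullets, `download &`, and the example `"C:\windows\some_file.exe" &`, which has no command in front of the path; restore the placeholders (for example `download <file path> &` and `fg <command ID>`) and escape the brackets. Smaller points: step 2 of "Initiate a live response session on a machine" still says "select a machine to investigate. The machines page opens." after the rename to device, and "If you'd like to be know what parameters are needed" in step 5 of the upload procedure has a stray "be".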
@@ -163,9 +210,8 @@ Anytime during a session, you can cancel a command by pressing CTRL + C.
>[!WARNING]
>Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled.
-
-
### Automatically run prerequisite commands
+
Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error.
You can use the auto flag to automatically run prerequisite commands, for example:
@@ -174,8 +220,8 @@ You can use the auto flag to automatically run prerequisite commands, for exampl
getfile c:\Users\user\Desktop\work.txt -auto
```
-
## Run a PowerShell script
+
Before you can run a PowerShell script, you must first upload it to the library.
After uploading the script to the library, use the `run` command to run the script.
@@ -185,9 +231,8 @@ If you plan to use an unsigned script in the session, you'll need to enable the
>[!WARNING]
>Allowing the use of unsigned scripts may increase your exposure to threats.
-
-
## Apply command parameters
+
- View the console help to learn about command parameters. To learn about an individual command, run:
`help `
@@ -204,9 +249,8 @@ If you plan to use an unsigned script in the session, you'll need to enable the
` -type file -id - auto` or `remediate file - auto`.
-
-
## Supported output types
+
Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands:
- `-output json`
@@ -215,8 +259,8 @@ Live response supports table and JSON format output types. For each command, the
>[!NOTE]
>Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown.
-
## Supported output pipes
+
Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt.
Example:
@@ -225,27 +269,27 @@ Example:
processes > output.txt
```
-
-
## View the command log
-Select the **Command log** tab to see the commands used on the machine during a session.
+
+Select the **Command log** tab to see the commands used on the device during a session.
Each command is tracked with full details such as:
- ID
- Command line
- Duration
- Status and input or output side bar
-
-
-
## Limitations
-- Live response sessions are limited to 10 live response sessions at a time
-- Large scale command execution is not supported
-- A user can only initiate one session at a time
-- A machine can only be in one session at a time
-- There is a file size limit of 750mb when downloading files from a machine
-## Related topic
+- Live response sessions are limited to 10 live response sessions at a time.
+- Large scale command execution is not supported.
+- A user can only initiate one session at a time.
+- A device can only be in one session at a time.
+- The following file size limits apply:
+ - `getfile` limit: 3 GB
+ - `fileinfo` limit: 10 GB
+ - `library` limit: 250 MB
+
+## Related article
- [Live response command examples](live-response-command-examples.md)
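Review bot: `Live response sessions are limited to 10 live response sessions at a time.` repeats itself; "At most 10 live response sessions can be active at a time." says the same thing once. The heading `## Related article` also differs from the `## Related topics` used by the other pages in this change (for example linux-pua.md); pick one form.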
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
index 4ac890ab74..af6fa6157c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
@@ -41,10 +41,17 @@ The follow table shows the exclusion types supported by Microsoft Defender ATP f
Exclusion | Definition | Examples
---|---|---
-File extension | All files with the extension, anywhere on the machine | .test
-File | A specific file identified by the full path | /var/log/test.log
-Folder | All files under the specified folder | /var/log/
-Process | A specific process (specified either by the full path or file name) and all files opened by it | /bin/cat cat
+File extension | All files with the extension, anywhere on the machine | `.test`
+File | A specific file identified by the full path | `/var/log/test.log` `/var/log/*.log` `/var/log/install.?.log`
+Folder | All files under the specified folder | `/var/log/` `/var/*/`
+Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat` `cat` `c?t`
+
+File, folder, and process exclusions support the following wildcards:
+
+Wildcard | Description | Example | Matches | Does not match
+---|---|---|---|---
+\* | Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/\*/\*.log` | `/var/log/system.log` | `/var/log/nested/system.log`
+? | Matches any single character | `file?.log` | `file1.log` `file2.log` | `file123.log`
## How to configure the list of exclusions
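Review bot: in the wildcard table the example `/var/\*/\*.log` is inside backticks, and markdown does not process backslash escapes inside code spans, so the rendered text will show the backslashes literally; write `/var/*/*.log` there (only the bare `\*` in the first column, outside code, needs escaping). The Process row now presents `c?t` as a valid exclusion; since a process exclusion also excludes every file that process opens, a wildcarded process name such as `c?t` excludes `cat`, `cut` and any other matching name, and the page should say so and advise keeping wildcards in process exclusions as narrow as possible. Finally, the `*` description "when this wildcard is used inside a path it will substitute only one folder" is the key behaviour the "Does not match" column illustrates; moving that caveat into its own sentence rather than a parenthesis would make it easier to find.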
@@ -56,7 +63,7 @@ For more information on how to configure exclusions from JAMF, Intune, or anothe
Open the Microsoft Defender ATP application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot:
-
+
Select the type of exclusion that you wish to add and follow the prompts.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
index a3c0a5a7a2..ebaa93dac7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
@@ -1,6 +1,6 @@
---
-title: Manual deployment for Microsoft Defender ATP for Mac
-description: Install Microsoft Defender ATP for Mac manually, from the command line.
+title: Manual deployment for Microsoft Defender ATP for macOS
+description: Install Microsoft Defender ATP for macOS manually, from the command line.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -17,65 +17,54 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Manual deployment for Microsoft Defender ATP for Mac
+# Manual deployment for Microsoft Defender ATP for macOS
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for macOS](microsoft-defender-atp-mac.md)
-This topic describes how to deploy Microsoft Defender ATP for Mac manually. A successful deployment requires the completion of all of the following steps:
+This topic describes how to deploy Microsoft Defender ATP for macOS manually. A successful deployment requires the completion of all of the following steps:
- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
- [Application installation](#application-installation)
- [Client configuration](#client-configuration)
## Prerequisites and system requirements
-Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Microsoft Defender ATP for macOS page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
-2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**.
+2. In Section 1 of the page, set operating system to **macOS** and Deployment method to **Local script**.
3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
- 
+ 
5. From a command prompt, verify that you have the two files.
- Extract the contents of the .zip files:
-
- ```bash
- $ ls -l
- total 721152
- -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip
- -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
- $ unzip WindowsDefenderATPOnboardingPackage.zip
- Archive: WindowsDefenderATPOnboardingPackage.zip
- inflating: WindowsDefenderATPOnboarding.py
- ```
-
+
## Application installation
To complete this process, you must have admin privileges on the machine.
1. Navigate to the downloaded wdav.pkg in Finder and open it.
- 
+ 
2. Select **Continue**, agree with the License terms, and enter the password when prompted.
- 
+ 
> [!IMPORTANT]
> You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed.
- 
+ 
3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:
- 
+ 
The installation proceeds.
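Review bot: Step 5 still says "verify that you have the two files", but this hunk deletes the `ls -l` listing and the `unzip WindowsDefenderATPOnboardingPackage.zip` block that followed it, so the revised page never tells the reader to extract the archive; yet step 1 of Client configuration later in this diff asks them to copy `MicrosoftDefenderATPOnboardingMacOs.py`, which only exists after extraction. Either keep the extraction command (updating the archive output from `WindowsDefenderATPOnboarding.py` to the new script name) or add an explicit "extract the .zip" step.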
@@ -87,7 +76,7 @@ The installation proceeds.
## Client configuration
-1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac.
+1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for macOS.
The client machine is not associated with orgId. Note that the *orgId* attribute is blank.
@@ -98,7 +87,7 @@ The installation proceeds.
2. Run the Python script to install the configuration file:
```bash
- $ /usr/bin/python WindowsDefenderATPOnboarding.py
+ $ /usr/bin/python MicrosoftDefenderATPOnboardingMacOs.py
Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
```
@@ -111,7 +100,7 @@ The installation proceeds.
After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
- 
+ 
## How to Allow Full Disk Access
@@ -127,4 +116,4 @@ See [Logging installation issues](mac-resources.md#logging-installation-issues)
## Uninstallation
-See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices.
+See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for macOS from client devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
index 9a7563b95c..cf50d3ac04 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
@@ -19,20 +19,40 @@ ms.topic: conceptual
# Intune-based deployment for Microsoft Defender ATP for Mac
+> [!NOTE]
+> This documentation explains the legacy method for deploying and configuring Microsoft Defender ATP on macOS devices. The native experience is now available in the MEM console. The release of the native UI in the MEM console provide admins with a much simpler way to configure and dfeploy the application and send it down to macOS devices.
+> This blog post explains the new features: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-simplifies-deployment-of-microsoft/ba-p/1322995
+> To configure the app go here: https://docs.microsoft.com/mem/intune/protect/antivirus-microsoft-defender-settings-macos
+> To deploy the app go here: https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment requires the completion of all of the following steps:
-- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-- [Client device setup](#client-device-setup)
-- [Create System Configuration profiles](#create-system-configuration-profiles)
-- [Publish application](#publish-application)
+
+1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
+1. [Client device setup](#client-device-setup)
+1. [Create System Configuration profiles](#create-system-configuration-profiles)
+1. [Publish application](#publish-application)
## Prerequisites and system requirements
Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
+## Overview
+
+The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender ATP for Macs, via Intune. More detailed steps are available below.
+
+| Step | Sample file names | BundleIdentifier |
+|-|-|-|
+| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
+| [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A |
+| [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
+| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
+| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)
**Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
+| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdavtray |
+
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
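Review bot: The overview table's "Microsoft Defender ATP configuration settings" row is broken across two lines (the link on one line, and `**Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |` on the next), which will not render as a table row; put the note in the Step cell on a single line or move it below the table. In the same hunk, the "Approve Kernel Extension" row links to `#download-installation-and-onboarding-packages` rather than the kernel-extension section, and `#create-system-configuration-profiles-step-8` and `-step-9` are not heading anchors, so those links will not resolve unless explicit anchors are added. The new NOTE block also has typos: "dfeploy" and "provide admins" (should be "provides admins").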
@@ -43,7 +63,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
- 
+ 
6. From a command prompt, verify that you have the three files.
Extract the contents of the .zip files:
@@ -86,23 +106,23 @@ Download the installation and onboarding packages from Microsoft Defender Securi
## Client device setup
-You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
+You do not need any special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
-1. You are asked to confirm device management.
+1. Confirm device management.
- 
+
- Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
+Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
- 
+
2. Select **Continue** and complete the enrollment.
- You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
+You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
- 
+
## Create System Configuration profiles
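Review bot: Removing the leading indentation from `Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**.` and from `You may now enroll more devices.` takes those continuation paragraphs out of the numbered list, so `2. Select **Continue** and complete the enrollment.` will typically render as a new list restarting at 1. Keep the continuation paragraphs indented under their step, or restructure the steps as separate headings.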
@@ -111,12 +131,12 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.
4. Select **OK**.
- 
+ 
5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
6. Repeat steps 1 through 5 for more profiles.
7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
-8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.
+8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.
> [!CAUTION]
> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
@@ -187,7 +207,7 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
```
-9. To whitelist Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload:
+9. To whitelist Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload:
```xml
@@ -284,9 +304,9 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
10. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
- Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
+Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
- 
+
## Publish application
@@ -294,44 +314,46 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
2. Select **App type=Other/Line-of-business app**.
3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
4. Select **Configure** and add the required information.
-5. Use **macOS High Sierra 10.13** as the minimum OS.
+5. Use **macOS High Sierra 10.13** as the minimum OS.
6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
> [!CAUTION]
- > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy.
+ > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated.
+ >
+ > If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy.
- 
+ 
7. Select **OK** and **Add**.
- 
+ 
8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**.
- 
+ 
9. Change **Assignment type** to **Required**.
-10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
+10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
- 
+ 
11. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
- 
+ 
## Verify client device state
1. After the configuration profiles are deployed to your devices, open **System Preferences** > **Profiles** on your Mac device.
- 
- 
+ 
+ 
2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune:
- 
+ 
3. You should also see the Microsoft Defender icon in the top-right corner:
- 
+ 
## Troubleshooting
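Review bot: The split CAUTION now repeats the sentence "See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated." in both paragraphs; drop it from the second paragraph, which already carries the downgrade explanation and the remediation ("change it to **Yes** ... uninstall Defender and push the updated policy").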
@@ -341,7 +363,7 @@ Solution: Follow the steps above to create a device profile using WindowsDefende
## Logging installation issues
-For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](mac-resources.md#logging-installation-issues) .
+For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](mac-resources.md#logging-installation-issues).
## Uninstallation
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
index 94bb66756c..32d0727488 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
@@ -15,6 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
+ms.date: 04/10/2020
---
# JAMF-based deployment for Microsoft Defender ATP for Mac
@@ -24,11 +25,12 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps:
-- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-- [Create JAMF policies](#create-jamf-policies)
-- [Client device setup](#client-device-setup)
-- [Deployment](#deployment)
-- [Check onboarding status](#check-onboarding-status)
+
+1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
+1. [Create JAMF policies](#create-jamf-policies)
+1. [Client device setup](#client-device-setup)
+1. [Deployment](#deployment)
+1. [Check onboarding status](#check-onboarding-status)
## Prerequisites and system requirements
@@ -36,6 +38,19 @@ Before you get started, please see [the main Microsoft Defender ATP for Mac page
In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow.
+## Overview
+
+The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender ATP for Macs, via JAMF. More detailed steps are available below.
+
+| Step | Sample file names | BundleIdentifier |
+|-|-|-|
+| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
+| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#property-list-for-jamf-configuration-profile-1)
**Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.plist | com.microsoft.wdav |
+| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#notification-settings) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.wdavtray |
+| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#jamf) | MDATP_Microsoft_AutoUpdate.mobileconfig | com.microsoft.autoupdate2 |
+| [Grant Full Disk Access to Microsoft Defender ATP](#privacy-preferences-policy-control) | Note: If there was one, MDATP_tcc_Catalina_or_newer.plist | com.microsoft.wdav.tcc |
+| [Approve Kernel Extension for Microsoft Defender ATP](#approved-kernel-extension) | Note: If there was one, MDATP_KExt.plist | N/A |
+
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
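Review bot: Two rows in the JAMF overview table carry what reads as an editorial placeholder in the Sample file names column, "Note: If there was one, MDATP_tcc_Catalina_or_newer.plist" and "Note: If there was one, MDATP_KExt.plist"; either give the sample file name or leave the cell empty. The "Microsoft Defender ATP configuration settings" row is also split across two lines, as in the Intune table in this PR, which breaks the row. Finally, the notifications row lists only `com.microsoft.wdavtray` while the equivalent Intune row lists `com.microsoft.autoupdate2 or com.microsoft.wdavtray` for the same .mobileconfig; align the two tables.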
@@ -43,16 +58,16 @@ Download the installation and onboarding packages from Microsoft Defender Securi
1. In Microsoft Defender Security Center, go to **Settings > Machine management > Onboarding**.
2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android**.
3. Set the deployment method to **Mobile Device Management / Microsoft Intune**.
-
- >[!NOTE]
- >Jamf falls under **Mobile Device Management**.
-
+
+ > [!NOTE]
+ > Jamf falls under **Mobile Device Management**.
+
4. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
5. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
- 
+ 
-5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
+6. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
```bash
$ ls -l
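Review bot: Step 2 in this hunk's context still tells the reader to set the operating system to **Linux, macOS, iOS or Android**, while the manual-deployment page in this same PR changes the equivalent step to **macOS**; whichever the portal currently shows, the two pages should be updated together so one of them is not left stale. The renumbering of the duplicated step 5 to 6 is correct.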
@@ -73,17 +88,18 @@ You need to create a configuration profile and a policy to start deploying Micro
### Configuration Profile
-The configuration profile contains a custom settings payload that includes:
+The configuration profile contains a custom settings payload that includes the following:
- Microsoft Defender ATP for Mac onboarding information
-- Approved Kernel Extensions payload, to enable running the Microsoft kernel driver
+- Approved Kernel Extensions payload to enable running the Microsoft kernel driver
+
+To set the onboarding information, add a property list file that is named **jamf/WindowsDefenderATPOnboarding.plist** as a custom setting. To do this, select **Computers** > **Configuration Profiles** > **New**, and then select **Application & Custom Settings** > **Configure**. From there, you can upload the property list.
-To set the onboarding information, add a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_, as a custom setting. You can do this by navigating to **Computers**>**Configuration Profiles**, selecting **New**, then choosing **Custom Settings**>**Configure**. From there, you can upload the property list.
>[!IMPORTANT]
- > You must set the Preference Domain as "com.microsoft.wdav.atp"
+ > You have to set the **Preference Domain** to **com.microsoft.wdav.atp**. There are some changes to the Custom Payloads and also to the Jamf Pro user interface in version 10.18 and later versions. For more information about the changes, see [Configuration Profile Payload Settings Specific to Jamf Pro](https://www.jamf.com/jamf-nation/articles/217/configuration-profile-payload-settings-specific-to-jamf-pro).
-
+
### Approved Kernel Extension
@@ -92,7 +108,7 @@ To approve the kernel extension:
1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**.
2. Use **UBF8T346G9** for Team Id.
- 
+ 
### Privacy Preferences Policy Control
@@ -108,7 +124,7 @@ Add the following JAMF policy to grant Full Disk Access to Microsoft Defender AT
3. Set Code Requirement to `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`.
4. Set app or service to SystemPolicyAllFiles and access to Allow.
- 
+ 
#### Configuration Profile's Scope
@@ -116,7 +132,7 @@ Configure the appropriate scope to specify the devices that will receive the con
Open **Computers** > **Configuration Profiles**, and select **Scope > Targets**. From there, select the devices you want to target.
-
+
Save the **Configuration Profile**.
@@ -136,7 +152,7 @@ Starting in macOS 10.15 (Catalina) a user must manually allow to display notific
1. Create a package in **Settings > Computer Management > Packages**.
- 
+ 
2. Upload the package to the Distribution Point.
3. In the **filename** field, enter the name of the package. For example, _wdav.pkg_.
@@ -145,7 +161,7 @@ Starting in macOS 10.15 (Catalina) a user must manually allow to display notific
Your policy should contain a single package for Microsoft Defender.
-
+
Configure the appropriate scope to specify the computers that will receive this policy.
@@ -160,12 +176,12 @@ You'll need no special provisioning for a macOS computer, beyond the standard JA
- Open **Device Profiles**, from the **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's currently set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile.
- 
- 
+ 
+ 
After a moment, the device's User Approved MDM status will change to **Yes**.
- 
+ 
You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages.
@@ -180,17 +196,17 @@ You can monitor deployment status in the **Logs** tab:
- **Pending** means that the deployment is scheduled but has not yet happened
- **Completed** means that the deployment succeeded and is no longer scheduled
-
+
### Status on client device
After the Configuration Profile is deployed, you'll see the profile for the device in **System Preferences** > **Profiles >**.
-
+
Once the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right corner.
-
+
You can monitor policy installation on a device by following the JAMF log file:
@@ -230,6 +246,7 @@ $ mdatp --health healthy
The above command prints "1" if the product is onboarded and functioning as expected.
If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
+
- 0 if the device is not yet onboarded
- 3 if the connection to the daemon cannot be established—for example, if the daemon is not running
@@ -262,12 +279,12 @@ This script removes Microsoft Defender ATP from the /Applications directory:
echo "Done!"
```
-
+
### Policy
Your policy should contain a single script:
-
+
Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
index 6c5a04ada0..19065efe0b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@@ -310,17 +310,6 @@ Manage the preferences of the endpoint detection and response (EDR) component of
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
-#### Enable / disable early preview
-
-Specify whether to enable EDR early preview features.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | earlyPreview |
-| **Data type** | Boolean |
-| **Possible values** | true (default) false |
-
#### Device tags
Specify a tag name and its value.
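Review bot: The `earlyPreview` key (domain `com.microsoft.wdav`, Boolean, default `true`) is removed from the EDR preferences reference with no deprecation note, so an admin who already set it in a managed profile cannot tell from the page whether the key is now ignored or still honored. Suggest a one-line note under the EDR section stating that the key is no longer supported, or listing it under deprecated settings, rather than deleting it silently.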
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md
index ab118ea2ca..9add09b4df 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md
@@ -43,7 +43,7 @@ There are two levels of diagnostic data for Microsoft Defender ATP client softwa
* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
-By default, both optional and required diagnostic data are sent to Microsoft.
+By default, only required diagnostic data is sent to Microsoft.
### Cloud delivered protection data
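Review bot: Flipping "By default, both optional and required diagnostic data are sent to Microsoft." to "By default, only required diagnostic data is sent to Microsoft." changes a stated privacy default; the sentence should say from which product version this applies, since readers on earlier builds will otherwise assume optional data is off. The two data levels are defined just above, so a version qualifier is all that is missing.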
@@ -127,6 +127,21 @@ The following fields are collected:
| edr.tags | User-defined tags. |
| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. |
+#### Product and service usage data events
+
+**Security intelligence update report**
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| from_version | Original security intelligence version. |
+| to_version | New security intelligence version. |
+| status | Status of the update indicating success or failure. |
+| using_proxy | Whether the update was done over a proxy. |
+| error | Error code if the update failed. |
+| reason | Error message if the updated filed. |
+
#### Product and service performance data events
**Kernel extension statistics**
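Review bot: Typo in the last row of the new Security intelligence update report table: "Error message if the updated filed." should read "Error message if the update failed." The `status` row would also benefit from stating what values indicate success and failure, since `error` and `reason` are described as populated only on failure.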
@@ -138,6 +153,7 @@ The following fields are collected:
| version | Version of Microsoft Defender ATP for Mac. |
| instance_id | Unique identifier generated on kernel extension startup. |
| trace_level | Trace level of the kernel extension. |
+| subsystem | The underlying subsystem used for real-time protection. |
| ipc.connects | Number of connection requests received by the kernel extension. |
| ipc.rejects | Number of connection requests rejected by the kernel extension. |
| ipc.connected | Whether there is any active connection to the kernel extension. |
@@ -259,7 +275,13 @@ The following fields are collected:
| ipc.kauth.vnode.read_sec | |
| ipc.kauth.vnode.write_sec | |
| ipc.kauth.vnode.take_own | |
+| ipc.kauth.vnode.link | |
+| ipc.kauth.vnode.create | |
+| ipc.kauth.vnode.move | |
+| ipc.kauth.vnode.mount | |
| ipc.kauth.vnode.denied | |
+| ipc.kauth.vnode.ackd_before_deadline | |
+| ipc.kauth.vnode.missed_deadline | |
| ipc.kauth.file_op.mask | |
| ipc.kauth_file_op.open | |
| ipc.kauth.file_op.close | |
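Review bot: The six new rows (`ipc.kauth.vnode.link`, `.create`, `.move`, `.mount`, `.ackd_before_deadline`, `.missed_deadline`) are added with empty description cells. The surrounding rows are empty too, but the two deadline counters are the ones a reader troubleshooting real-time protection would most want explained; at minimum, describe what a missed deadline means for the intercepted file operation.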
@@ -268,6 +290,7 @@ The following fields are collected:
| ipc.kauth.file_op.link | |
| ipc.kauth.file_op.exec | |
| ipc.kauth.file_op.remove | |
+| ipc.kauth.file_op.unmount | |
| ipc.kauth.file_op.fork | |
| ipc.kauth.file_op.create | |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index bda42ad846..f7626685ae 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -87,6 +87,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
+|Configuration|Turn on/off passiveMode |`mdatp --config passiveMode [on/off]` |
|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
|Health |Check the product's health |`mdatp --health` |
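Review bot: The new row `mdatp --config passiveMode [on/off]` documents a CLI toggle, while the Intune and JAMF overview tables in this PR tell admins to set `passiveMode` to `true` in the managed preferences profile; the page should say how the two interact on a managed device (which setting takes precedence), because as written a reader cannot tell whether a local `mdatp --config passiveMode off` is effective when a profile sets the key. A cross-reference to the preferences page next to this row would cover it.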
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
index bbf4825f45..04021812ac 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
@@ -29,7 +29,7 @@ Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to
If you did not approve the kernel extension during the deployment / installation of Microsoft Defender ATP for Mac, then the application displays a banner prompting you to enable it:
- 
+ 
You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This is an indication that the kernel extension is not approved to run on your device.
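Review bot: Style point on the unchanged context line: `mdatp --health` is wrapped in triple backticks as inline code; single backticks are the markdown convention for inline commands and are what mac-resources.md uses for the same command in its table. Worth fixing while this line's neighbour is being touched.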
@@ -56,7 +56,7 @@ If less than 30 minutes have passed since the product was installed, navigate to
If you don't see this prompt, it means that 30 or more minutes have passed, and the kernel extension still not been approved to run on your device:
-
+
In this case, you need to perform the following steps to trigger the approval flow again.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md
index 3a6c85369b..77c330a95d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md
@@ -41,6 +41,6 @@ You deployed and/or installed the MDATP for macOS package ("Download installatio
**Solution:**
-Follow the WindowsDefenderATPOnboarding.py instructions documented here:
+Follow the MicrosoftDefenderATPOnboardingMacOs.py instructions documented here:
[Client configuration](mac-install-manually.md#client-configuration)
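Review bot: The script is renamed here to MicrosoftDefenderATPOnboardingMacOs.py, but the sentence points the reader at mac-install-manually.md#client-configuration for the instructions. Please confirm that target page uses the same filename, otherwise the reader will be told to follow instructions for a script whose name does not match the one they are looking for.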
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
index 3d1a203e82..fccc1b4442 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
@@ -37,7 +37,7 @@ The following steps can be used to troubleshoot and mitigate these issues:
- From the user interface. Open Microsoft Defender ATP for Mac and navigate to **Manage settings**.
- 
+ 
- From the Terminal. For security purposes, this operation requires elevation.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
index 33e4268575..782c6a98e7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
@@ -27,7 +27,7 @@ Microsoft regularly publishes software updates to improve performance, security,
To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. By default, MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually.
-
+
If you decide to deploy updates by using your software distribution tools, you should configure MAU to manually check for software updates. You can deploy preferences to configure how and when MAU checks for updates for the Macs in your organization.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index 57fde3cc75..b1deb73638 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -26,6 +26,14 @@ ms.topic: conceptual
>
> If you have previously whitelisted the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to whitelist the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to whitelist the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
+## 101.00.31
+
+- Improved [product onboarding experience for Intune users](https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos)
+- Antivirus [exclusions now support wildcards](mac-exclusions.md#supported-exclusion-types)
+- Added the ability to trigger antivirus scans from the macOS contextual menu. You can now right-click a file or a folder in Finder and select **Scan with Microsoft Defender ATP**
+- In-place product downgrades are now explicitly disallowed by the installer. If you need to downgrade, first uninstall the existing version and reconfigure your device
+- Other performance improvements & bug fixes
+
## 100.90.27
- You can now [set an update channel](mac-updates.md#set-the-channel-name) for Microsoft Defender ATP for Mac that is different from the system-wide update channel
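Review bot: The downgrade bullet stops one step short: "first uninstall the existing version and reconfigure your device" never says to then install the older package, which is the point of the instruction. Suggest "first uninstall the existing version, install the version you need, and reconfigure your device". Minor: "improvements & bug fixes" should spell out "and" to match the surrounding release notes.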
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
index adc8b53f70..e2f2b119a3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
@@ -61,7 +61,7 @@ The report is made up of cards that display the following machine attributes:
- **Health state**: shows information about the sensor state on devices, providing an aggregated view of devices that are active, experiencing impaired communications, inactive, or where no sensor data is seen.
-- **Antivirus status for active Windows 10 machines**: shows the number of machines and status of Windows Defender Antivirus.
+- **Antivirus status for active Windows 10 machines**: shows the number of machines and status of Microsoft Defender Antivirus.
- **OS platforms**: shows the distribution of OS platforms that exists within your organization.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
index daf8b70f1e..9da990fe57 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
@@ -26,8 +26,8 @@ You can add tags on machines using the following ways:
- Using the portal
- Setting a registry key value
->[!NOTE]
->There may be some latency between the time a tag is added to a machine and its availability in the machines list and machine page.
+> [!NOTE]
+> There may be some latency between the time a tag is added to a machine and its availability in the machines list and machine page.
To add machine tags using API, see [Add or remove machine tags API](add-or-remove-machine-tags.md).
@@ -71,6 +71,9 @@ You can also delete tags from this view.
>- Windows 8.1
>- Windows 7 SP1
+> [!NOTE]
+> The maximum number of characters that can be set in a tag is 200.
+
Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
Use the following registry key entry to add a tag on a machine:
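Review bot: The new `> [!NOTE]` is added directly after the existing blockquoted OS list that ends with `>- Windows 7 SP1`; if no blank line separates the two, markdown renders them as a single blockquote and the note callout is swallowed by the list. Please ensure there is an empty line between `>- Windows 7 SP1` and `> [!NOTE]`.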
@@ -81,4 +84,5 @@ Use the following registry key entry to add a tag on a machine:
>[!NOTE]
>The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report.
-
+>
+> If you need to remove a tag that was added using the above Registry key, clear the contents of the Registry key data instead of removing the 'Group' key.
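Review bot: The added sentence says what to do ("clear the contents of the Registry key data") but not what the reader avoids by doing so; one clause on why the 'Group' key itself should stay would make the instruction self-explanatory. Also "Registry" is capitalised here while the hunk header and the rest of the page write "registry key"; pick one.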
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
index fdd4146f99..930d43341f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
@@ -1,6 +1,6 @@
---
title: machineAction resource type
-description: Retrieves top recent machineActions.
+description: Quickly respond to detected attacks by isolating machines or collecting an investigation package.
keywords: apis, supported apis, get, machineaction, recent
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
index 6b96503525..f243b53767 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
@@ -53,7 +53,13 @@ The risk level reflects the overall risk assessment of the machine based on a co
### Exposure level
-The exposure level reflects the current exposure of the machine based on the cumulative impact of its pending security recommendations.
+The exposure level reflects the current exposure of the machine based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your machines are less vulnerable from exploitation.
+
+If the exposure level says "No data available," there are a few reasons why this may be the case:
+
+- Device stopped reporting for more than 30 days – in that case it is considered inactive, and the exposure isn't computed
+- Device OS not supported - see [minimum requirements for Microsoft Defender ATP](minimum-requirements.md)
+- Device with stale agent (very unlikely)
### OS Platform
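Review bot: "less vulnerable from exploitation" should read "less vulnerable to exploitation". In the bullet list, the first item uses an en dash as separator ("30 days – in that case") and the second a hyphen ("not supported - see"); make them consistent. The third item, "Device with stale agent (very unlikely)", gives the reader no action; if the fix is to update the agent, say so, as the other two bullets do.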
@@ -71,12 +77,13 @@ Filter by the following machine health states:
For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealthy-sensors.md).
-### Security state
+### Antivirus status
-Filter by machines that are well configured or require attention based on the security controls that are enabled in your organization. Applies to active Windows 10 machines only.
+Filter machines by antivirus status. Applies to active Windows 10 machines only.
-- **Well configured** - Machines have the security controls well configured.
-- **Requires attention** - Machines where improvements can be made to increase the overall security posture of your organization.
+- **Disabled** - Virus & threat protection is turned off.
+- **Not reporting** - Virus & threat protection is not reporting.
+- **Not updated** - Virus & threat protection is not up to date.
For more information, see [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md).
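Review bot: The section is renamed from "Security state" to "Antivirus status" and the filter values now describe virus and threat protection, but the trailing "For more information, see [View the Threat & Vulnerability Management dashboard]" link was left in place; that page covered the old well-configured/requires-attention posture view and no longer matches this section. Either drop the link or point it at the antivirus reporting page.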
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
index c66fbce85b..531278a14a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
@@ -76,10 +76,11 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
* URL - wildcard supported
* Command line - wildcard supported
-3. Select the **Trigerring IOC**.
+3. Select the **Triggering IOC**.
4. Specify the action and scope on the alert.
- You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on a specific machine group.
+ You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and machine timeline and will appear as resolved across Microsoft Defender ATP APIs.
Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard and will not be streamed across Microsoft Defender ATP APIs.
+
5. Enter a rule name and a comment.
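Review bot: The sentence on hidden alerts has a mismatched pair: "both on the machine's associated alerts and from the dashboard and will not be streamed". Suggest "both from the machine's associated alerts and from the dashboard, and will not be streamed across Microsoft Defender ATP APIs" so the two parallel phrases agree and the third clause is set off.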
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index a9250abb97..8ae4bbb815 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -21,39 +21,39 @@ ms.topic: conceptual
## Remediation actions
-When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *Clean*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed.
+When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed.
When a verdict of *Malicious* is reached for a piece of evidence, Microsoft Defender Advanced Threat Protection takes one of the following remediation actions automatically:
-- Quarantine file
-- Remove registry key
-- Kill process
-- Stop service
-- Remove registry key
-- Disable driver
-- Remove scheduled task
+- Quarantine a file
+- Remove a registry key
+- Kill a process
+- Stop a service
+- Remove a registry key
+- Disable a driver
+- Remove a scheduled task
-Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible. This helps your automated investigations complete in a timely manner.
+Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible so that you automated investigations complete in a timely manner.
-No actions are taken when evidence is determined to be *Clean*.
+No actions are taken when a verdict of *No threats found* is reached for a piece of evidence.
In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions).
## Review pending actions
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. This takes you to your Security dashboard.
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard.
2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
3. Review any items on the **Pending** tab.
- Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details.
+ Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details.
You can also select multiple investigations to approve or reject actions on multiple investigations.
## Review completed actions
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. This takes you to your Security dashboard.
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard.
2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
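Review bot: "Remove a registry key" appears twice in the rewritten remediation list (second and fifth bullet); the duplicate was already in the old list and this rewrite carries it over, so drop one. Also a typo in the best-practice sentence: "so that you automated investigations complete" should be "so that your automated investigations complete".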
@@ -61,6 +61,12 @@ In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and
4. Select an item to view more details about that remediation action.
+## Next steps
+
+- [View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center)
+
+- [Get an overview of live response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/live-response)
+
## Related articles
- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index ed7b91f290..c2f2dd8964 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -1,7 +1,7 @@
----
+---
title: Manage indicators
ms.reviewer:
-description: Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities.
+description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities.
keywords: manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -26,17 +26,17 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).
+Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).
Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
-Currently supported sources are the cloud detection engine of Microsoft Defender ATP, the automated investigation and remediation engine, and the endpoint prevention engine (Windows Defender AV).
+Currently supported sources are the cloud detection engine of Microsoft Defender ATP, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender AV).
**Cloud detection engine**
The cloud detection engine of Microsoft Defender ATP regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC.
**Endpoint prevention engine**
-The same list of indicators is honored by the prevention agent. Meaning, if Windows Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Windows Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Windows Defender AV will not detect nor block the file from being run.
+The same list of indicators is honored by the prevention agent. Meaning, if Microsoft Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Microsoft Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Microsoft Defender AV will not detect nor block the file from being run.
**Automated investigation and remediation engine**
The automated investigation and remediation behave the same. If an indicator is set to "Allow", Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and remediation will treat it as "bad".
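Review bot: "Indicator of compromise (IoCs) matching" mixes singular and plural; since the abbreviation is IoCs, write "Indicators of compromise (IoCs) matching". In the endpoint prevention paragraph, "Meaning, if Microsoft Defender AV is the primary AV configured, ..." is a fragment; fold it into the previous sentence ("...honored by the prevention agent, meaning that if Microsoft Defender AV is the primary AV configured, ...").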
@@ -54,7 +54,7 @@ You can create an indicator for:
- URLs/domains
>[!NOTE]
->There is a limit of 5000 indicators per tenant.
+>There is a limit of 15,000 indicators per tenant.

@@ -69,7 +69,8 @@ There are two ways you can create indicators for files:
### Before you begin
It's important to understand the following prerequisites prior to creating indicators for files:
-- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+
+- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
- The Antimalware client version must be 4.18.1901.x or later.
- Supported on machines on Windows 10, version 1703 or later.
- To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
@@ -81,7 +82,7 @@ It's important to understand the following prerequisites prior to creating indic
>[!NOTE]
->There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
+>Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes.
### Create an indicator for files from the settings page
@@ -103,18 +104,18 @@ One of the options when taking [response actions on a file](respond-file-alerts.
When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it.
-Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue.
+Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue.
-## Create indicators for IPs and URLs/domains (preview)
+## Create indicators for IPs and URLs/domains
Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser.
The threat intelligence data set for this has been managed by Microsoft.
-By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.
+By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.
### Before you begin
-It's important to understand the following prerequisites prior to creating indicators for IPS, URLs or domains:
-- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Protect your network](network-protection.md).
+It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains:
+- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md).
- The Antimalware client version must be 4.18.1906.x or later.
- Supported on machines on Windows 10, version 1709 or later.
- Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md).
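Review bot: The rewritten prerequisite line still reads "indicators for IPS, URLs, or domains"; "IPS" should be "IPs" (the heading two lines above and the rest of the section use "IPs"). Since this line is already being changed for the Oxford comma, fix the capitalisation in the same edit.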
@@ -130,9 +131,9 @@ It's important to understand the following prerequisites prior to creating indic
>- Full URL path blocks can be applied on the domain level and all unencrypted URLs
>[!NOTE]
->There may be up to 2 hours latency (usually less) between the time the action is taken, and the URL and IP being blocked.
+>There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
-### Create an indicator for IPs, URLs or domains from the settings page
+### Create an indicator for IPs, URLs, or domains from the settings page
1. In the navigation pane, select **Settings** > **Indicators**.
@@ -147,6 +148,46 @@ It's important to understand the following prerequisites prior to creating indic
5. Review the details in the Summary tab, then click **Save**.
+## Create indicators for certificates (preview)
+
+You can create indicators for certificates. Some common use cases include:
+
+- Scenarios when you need to deploy blocking technologies, such as [attack surface reduction rules](attack-surface-reduction.md) and [controlled folder access](controlled-folders.md) but need to allow behaviors from signed applications by adding the certificate in the allow list.
+- Blocking the use of a specific signed application across your organization. By creating an indicator to block the certificate of the application, Microsoft Defender AV will prevent file executions (block and remediate) and the Automated Investigation and Remediation behave the same.
+
+
+### Before you begin
+
+It's important to understand the following requirements prior to creating indicators for certificates:
+
+- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
+- The Antimalware client version must be 4.18.1901.x or later.
+- Supported on machines on Windows 10, version 1703 or later.
+- The virus and threat protection definitions must be up-to-date.
+- This feature currently supports entering .CER or .PEM file extensions.
+
+>[!IMPORTANT]
+> - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it’s trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities').
+>- The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality – only leaf certificates are supported.
+>- Microsoft signed certificates cannot be blocked.
+
+#### Create an indicator for certificates from the settings page:
+
+>[!IMPORTANT]
+> It can take up to 3 hours to create and remove a certificate IoC.
+
+1. In the navigation pane, select **Settings** > **Indicators**.
+
+2. Select the **Certificate** tab.
+
+3. Select **Add indicator**.
+
+4. Specify the following details:
+ - Indicator - Specify the entity details and define the expiration of the indicator.
+ - Action - Specify the action to be taken and provide a description.
+ - Scope - Define the scope of the machine group.
+
+5. Review the details in the Summary tab, then click **Save**.
## Manage indicators
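Review bot: The first use case, allowing signed applications through attack surface reduction rules and controlled folder access via a certificate allow indicator, should state that the allow applies to every file signed with that leaf certificate, not to the one application the admin has in mind; that is the scope a reader needs before adding a vendor certificate to the allow list. Structure points: the step heading "#### Create an indicator for certificates from the settings page:" is an h4 with a trailing colon, while the equivalent file and IP/URL sections use h3 without one; the IMPORTANT callout mixes `> - ` and `>- ` bullet prefixes and writes both "IOCs" and "IoC"; and the section runs straight into "## Manage indicators" with no blank line after step 5.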
@@ -163,8 +204,33 @@ You can also choose to upload a CSV file that defines the attributes of indicato
Download the sample CSV to know the supported column attributes.
+1. In the navigation pane, select **Settings** > **Indicators**.
+
+2. Select the tab of the entity type you'd like to import indicators for.
+
+3. Select **Import** > **Choose file**.
+
+4. Select **Import**. Do this for all the files you'd like to import.
+
+5. Select **Done**.
+
+The following table shows the supported parameters.
+
+Parameter | Type | Description
+:---|:---|:---
+indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
+indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required**
+action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
+title | String | Indicator alert title. **Required**
+description | String | Description of the indicator. **Required**
+expirationTime | DateTimeOffset | The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. **Optional**
+severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional**
+recommendedActions | String | TI indicator alert recommended actions. **Optional**
+rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
+
+
+
## Related topic
- [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
- [Use the Microsoft Defender ATP indicators API](ti-indicator.md)
- [Use partner integrated solutions](partner-applications.md)
-
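Review bot: The new CSV parameter table lists indicatorType values "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url", but this same patch adds certificate indicators (preview) a section above; either the table should say whether certificates can be imported via CSV or the text should note that import currently covers only those five types, otherwise readers will try to import certificate rows and fail. Minor: the three trailing blank `+` lines before "## Related topic" should be a single blank line.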
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
index a4991649d4..b6eaffbafa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
title: Microsoft Defender Advanced Threat Protection
-description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise security platform that helps defend against advanced persistent threats.
+description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise endpoint security platform that helps defend against advanced persistent threats.
keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -23,10 +23,10 @@ ms.topic: conceptual
>
> For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
-Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
+Microsoft Defender Advanced Threat Protection is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
+>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4wDob]
Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
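Review bot: The rewritten opening sentence now says "an enterprise endpoint security platform designed to help enterprise networks", using "enterprise" twice in one clause; suggest "an endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats." The replacement video embed on the next changed line also drops the space after `>` (`>[!VIDEO ...]`), while the removed line and the rest of this PR use `> [!VIDEO ...]`; keep the space for consistency.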
@@ -67,6 +67,9 @@ Microsoft Defender ATP uses the following combination of technology built into W
+
+
+>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4vnC4?rel=0]
> [!TIP]
> - Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
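Review bot: Two consecutive blank lines are added ahead of the new video embed; a single blank line is all Markdown needs for a paragraph break, so drop one. The embed itself should be written `> [!VIDEO ...]` with a space after `>`, matching the `> [!TIP]` block that follows it and the alert syntax standardized elsewhere in this PR.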
@@ -84,7 +87,7 @@ The attack surface reduction set of capabilities provide the first line of defen
-**[Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)**
+**[Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)**
To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
index aa08dca96f..0a57598987 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@@ -70,6 +70,8 @@ In general you need to take the following steps:
- [Deploy using Puppet configuration management tool](linux-install-with-puppet.md)
- [Deploy using Ansible configuration management tool](linux-install-with-ansible.md)
+If you experience any installation failures, refer to [Troubleshooting installation failures in Microsoft Defender ATP for Linux](linux-support-install.md).
+
### System requirements
- Supported Linux server distributions and versions:
@@ -81,8 +83,11 @@ In general you need to take the following steps:
- SUSE Linux Enterprise Server 12 or higher
- Oracle Linux 7.2 or higher
-- Minimum kernel version 2.6.38
+- Minimum kernel version 3.10.0-327
- The `fanotify` kernel option must be enabled
+ > [!CAUTION]
+ > Running Microsoft Defender ATP for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
+
- Disk space: 650 MB
- The solution currently provides real-time protection for the following file system types:
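Review bot: The added CAUTION block is indented by a single space under the `fanotify` bullet, which CommonMark does not treat as part of that list item; it will render as a top-level block quote that splits the requirements list in two. Indent it to the list item's content column (two spaces) with a blank line before it, or place it after the list. Separately, raising the minimum kernel from 2.6.38 to 3.10.0-327 is a material requirements change: 3.10.0-327 is the kernel shipped with RHEL and Oracle Linux 7.2, which agrees with the "Oracle Linux 7.2 or higher" entry above, but the deployment pages linked earlier in this article should be checked so they do not still state the old minimum.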
@@ -109,7 +114,7 @@ The following table lists the services and their associated URLs that your netwo
| United States | unitedstates.x.cp.wd.microsoft.com us-v20.events.data.microsoft.com ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net |
> [!NOTE]
-> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server)
+> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
- Transparent proxy
@@ -117,7 +122,12 @@ Microsoft Defender ATP can discover a proxy server by using the following discov
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md).
-For troubleshooting steps, see the [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md) page.
+> [!WARNING]
+> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
+>
+> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
+
+For troubleshooting steps, see [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md).
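Review bot: The second paragraph of the new WARNING is hard to parse: "Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception." Suggest "Configure an SSL inspection exception so that your proxy server passes traffic from Microsoft Defender ATP for Linux to the listed URLs through without interception." The closing sentence, that adding the interception certificate to the global store will not enable interception, is the operationally important point (it is what administrators will otherwise try first) and deserves to stay as its own sentence rather than being folded into the one before it.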
## How to update Microsoft Defender ATP for Linux
@@ -129,4 +139,4 @@ Guidance for how to configure the product in enterprise environments is availabl
## Resources
-- For more information about logging, uninstalling, or other topics, see the [Resources](linux-resources.md) page.
+- For more information about logging, uninstalling, or other topics, see [Resources](linux-resources.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
index d5135bbd1c..fe71625482 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
@@ -74,16 +74,22 @@ The following table lists the services and their associated URLs that your netwo
| Service location | DNS record |
| ---------------------------------------- | ----------------------- |
| Common URLs for all locations | x.cp.wd.microsoft.com cdn.x.cp.wd.microsoft.com eu-cdn.x.cp.wd.microsoft.com wu-cdn.x.cp.wd.microsoft.com officecdn-microsoft-com.akamaized.net crl.microsoft.com events.data.microsoft.com |
-| European Union | europe.x.cp.wd.microsoft.com eu-v20.events.data.microsoft.com usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net |
-| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com uk-v20.events.data.microsoft.com ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net |
-| United States | unitedstates.x.cp.wd.microsoft.com us-v20.events.data.microsoft.com ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net |
+| European Union | europe.x.cp.wd.microsoft.com eu-v20.events.data.microsoft.com usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net winatp-gw-weu.microsoft.com winatp-gw-neu.microsoft.com |
+| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com uk-v20.events.data.microsoft.com ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net winatp-gw-ukw.microsoft.com winatp-gw-uks.microsoft.com |
+| United States | unitedstates.x.cp.wd.microsoft.com us-v20.events.data.microsoft.com ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net winatp-gw-cus.microsoft.com winatp-gw-eus.microsoft.com |
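Review bot: The winatp-gw-* gateway hosts are added to the European Union, United Kingdom and United States rows of this macOS table, but the Linux page changed in the same PR is not updated: its United States row still lists only unitedstates.x.cp.wd.microsoft.com, us-v20.events.data.microsoft.com and the two blob endpoints. If the Linux agent talks to the same gateways, its table needs the same additions; if it does not, a sentence saying so would stop firewall allow-lists being copied between the two platforms.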
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
+- Proxy auto-config (PAC)
- Web Proxy Auto-discovery Protocol (WPAD)
- Manual static proxy configuration
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.
+> [!WARNING]
+> Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used.
+>
+> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Mac to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
+
To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
If you prefer the command line, you can also check the connection by running the following command in Terminal:
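Review bot: The WARNING added here is almost a verbatim copy of the one added to the Linux page in this PR, differing only in "PAC, WPAD, or a static proxy" versus "a static proxy or transparent proxy" and in the product name. This repo already uses `[!include[...]]` for shared notes (the machine actions note in offboard-machine-api.md, later in this diff, is one example); consider an include for the shared SSL inspection paragraph, keeping the platform-specific first sentence inline, so the two warnings do not drift apart.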
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index eed0fc1ca1..3bbf64e500 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -13,7 +13,7 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual
---
@@ -24,12 +24,12 @@ ms.topic: conceptual
There are some minimum requirements for onboarding machines to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service.
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink).
->[!TIP]
->- Learn about the latest enhancements in Microsoft Defender ATP:[Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced).
->- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
+> [!TIP]
+> - Learn about the latest enhancements in Microsoft Defender ATP:[Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced).
+> - Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
## Licensing requirements
Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
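Review bot: The reformatted TIP carries over a pre-existing typo: there is no space after the colon in "Learn about the latest enhancements in Microsoft Defender ATP:[Microsoft Defender Advanced Threat Protection Tech Community]". Since the line is being rewritten anyway, add the space.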
@@ -40,26 +40,35 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
- Microsoft 365 E5 Security
- Microsoft 365 A5 (M365 A5)
-For detailed licensing information, see the [Product terms page](https://www.microsoft.com/en-us/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product.
+> [!NOTE]
+> Eligible Licensed Users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices.
+
+Microsoft Defender Advanced Threat Protection, on Windows Server, requires one of the following licensing options:
+
+- [Azure Security Center Standard plan](https://docs.microsoft.com/azure/security-center/security-center-pricing) (per node)
+- Microsoft Defender ATP for Servers (one per covered Server)
+
+> [!NOTE]
+> Customers with a combined minimum of 50 licenses for one or more of the following may acquire Server SLs for Microsoft Defender Advanced Threat Protection for Servers (one per covered Server OSE): Microsoft Defender Advanced Threat Protection, Windows E5/A5, Microsoft 365 E5/A5 and Microsoft 365 E5 Security User SLs. This license applies to Microsoft Defender ATP for Linux.
+
+For detailed licensing information, see the [Product terms page](https://www.microsoft.com/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product.
For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://go.microsoft.com/fwlink/p/?linkid=2069559).
-For more information about licensing requirements for Microsoft Defender ATP platform on Windows Server, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114).
-
-
## Browser requirements
Access to Microsoft Defender ATP is done through a browser, supporting the following browsers:
- Microsoft Edge
- Internet Explorer version 11
-- Google Chrome
+- Google Chrome
->[!NOTE]
->While other browsers might work, the mentioned browsers are the ones supported.
+> [!NOTE]
+> While other browsers might work, the mentioned browsers are the ones supported.
## Hardware and software requirements
+
### Supported Windows versions
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro
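Review bot: The new NOTE on server licensing is a single dense sentence that uses "SLs" and "OSE" without expansion, and it says "one per covered Server OSE" while the bullet above it says "one per covered Server"; spell out "Subscription Licenses" and "operating system environment" on first use and make the two phrasings match. The change to the "Google Chrome" bullet further down appears to be trailing whitespace only and looks accidental.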
@@ -67,6 +76,7 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo
- Windows 8.1 Pro
- Windows 10, version 1607 or later
- Windows 10 Enterprise
+ - [Windows 10 Enterprise LTSC](https://docs.microsoft.com/windows/whats-new/ltsc/)
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
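Review bot: The new "Windows 10 Enterprise LTSC" bullet is indented by one space, which is not enough for CommonMark to nest it under "Windows 10 Enterprise"; it will render as another top-level item in the same list. Use at least two spaces of indentation if it is meant as a sub-item, or none if it is meant to be a sibling.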
@@ -82,24 +92,25 @@ Machines on your network must be running one of these editions.
The hardware requirements for Microsoft Defender ATP on machines is the same as those for the supported editions.
> [!NOTE]
-> Machines that are running mobile versions of Windows are not supported.
+> Machines running mobile versions of Windows are not supported.
### Other supported operating systems
-- macOSX
-- Linux
-- Android
+- macOSX
+- Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux)
->[!NOTE]
->You'll need to know the exact Linux distros, Android, and macOS versions that are compatible with Microsoft Defender ATP for the integration to work.
+> [!NOTE]
+> You'll need to know the exact Linux distros, Android, and macOS versions that are compatible with Microsoft Defender ATP for the integration to work.
+>
+> Also note that Microsoft Defender ATP is currently only available in the Public Preview Edition for Linux.
### Network and data storage and configuration requirements
When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.
> [!NOTE]
-> - You cannot change your data storage location after the first-time setup.
-> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data.
+> - You cannot change your data storage location after the first-time setup.
+> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data.
### Diagnostic data settings
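Review bot: Android is removed from the "Other supported operating systems" list, but the rewritten NOTE below it still says you need to know the exact "Linux distros, Android, and macOS versions"; drop Android from the note as well. The added sentence "Also note that Microsoft Defender ATP is currently only available in the Public Preview Edition for Linux" repeats the parenthetical added to the Linux bullet two lines above; keep one of the two. "macOSX" (with trailing whitespace added in this hunk) should simply be "macOS".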
@@ -131,12 +142,11 @@ By default, this service is enabled, but it's good practice to check to ensu
If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
-
**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
1. Open an elevated command-line prompt on the endpoint:
- a. Go to **Start** and type **cmd**.
+ a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
@@ -153,44 +163,37 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
```
-
#### Internet connectivity
Internet connectivity on machines is required either directly or through proxy.
The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.
-For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md) .
+For more information on additional proxy configuration settings, see [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md).
Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
+## Microsoft Defender Antivirus configuration requirement
+The Microsoft Defender ATP agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them.
+You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
+When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Microsoft Defender Antivirus goes on passive mode. If your organization has disabled Microsoft Defender Antivirus through group policy or other methods, machines that are onboarded to Microsoft Defender ATP must be excluded from this group policy.
-## Windows Defender Antivirus configuration requirement
-The Microsoft Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
-
-You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
-
-When Windows Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Microsoft Defender ATP must be excluded from this group policy.
-
-If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).
+If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).
> [!NOTE]
-> Your regular group policy doesn’t apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on.
+> Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on.
-For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
-If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Microsoft Defender ATP agent will successfully onboard.
+## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
+If you're running Microsoft Defender Antivirus as the primary antimalware product on your machines, the Microsoft Defender ATP agent will successfully onboard.
-If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
+If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy).
-
-
-
-## Related topic
+## Related topics
- [Validate licensing and complete setup](licensing.md)
- [Onboard machines](onboard-configure.md)
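Review bot: The three rewritten paragraphs under "Microsoft Defender Antivirus configuration requirement" (agent dependency, security intelligence updates, passive mode) are added without blank lines between them, whereas the removed block had blank lines in those positions; Markdown will merge them into one paragraph, so restore the separators. While these lines are being touched, "goes on passive mode" and "run on passive mode" should read "goes into passive mode" and "run in passive mode".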
diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
index 64488a550e..eb56826c55 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -27,7 +27,7 @@ ms.custom: asr
Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
-Network protection expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
+Network protection expands the scope of [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
Network protection is supported beginning with Windows 10, version 1709.
@@ -44,11 +44,11 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network
## Requirements
-Network protection requires Windows 10 Pro, Enterprise E3, E5 and Windows Defender AV real-time protection.
+Network protection requires Windows 10 Pro, Enterprise E3, E5 and Microsoft Defender AV real-time protection.
-Windows 10 version | Windows Defender Antivirus
+Windows 10 version | Microsoft Defender Antivirus
-|-
-Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
+Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled
## Review network protection events in the Microsoft Defender ATP Security Center
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 6b17eb0031..5f38878dec 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -66,7 +66,7 @@ Threat & Vulnerability Management helps customers prioritize and focus on those
Microsoft Defender ATP's Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
-- Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
+- Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
@@ -84,10 +84,10 @@ Ensure that your machines:
> Release | Security update KB number and link
> :---|:---
-> RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
-> RS4 customers| [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
-> RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
-> 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
+> Windows 10 Version 1709 | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
+> Windows 10 Version 1803 | [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
+> Windows 10 Version 1809 | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
+> Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
- Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version.
- Have at least one security recommendation that can be viewed in the machine page
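Review bot: Replacing the RS3/RS4/RS5/19H1 codenames with "Windows 10 Version 1709" and so on is a clear improvement, but the rewritten rows keep the inconsistent KB formatting from the old ones ("KB4493441" next to "KB 4516071" in the same cell); pick one form, ideally "KB4493441", which matches the support.microsoft.com link text.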
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
index 5b7477d473..30538a9a58 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
@@ -34,7 +34,8 @@ Offboard machine from Microsoft Defender ATP.
[!include[Machine actions note](../../includes/machineactionsnote.md)]
>[!Note]
-> This does not support offboarding macOS Devices.
+> This API is supported on Windows 10, version 1703 and later, or Windows Server 2019 and later.
+> This API is not supported on MacOS or Linux devices.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
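Review bot: The two new sentences sit in one `>[!Note]` block with no `>` separator line between them, so they render as a single run-on paragraph; insert a bare `>` line between them or join them with a conjunction. "MacOS" should be "macOS", and `>[!Note]` should become `> [!NOTE]` to match the alert syntax used elsewhere in this PR.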
diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
index 51d5efdc49..b1e6285e7e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
@@ -34,7 +34,7 @@
#### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md)
-### [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
+### [Next generation protection](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
### [Endpoint detection and response]()
@@ -72,7 +72,7 @@
###### [Initiate Automated Investigation](respond-machine-alerts.md#initiate-automated-investigation)
###### [Initiate Live Response Session](respond-machine-alerts.md#initiate-live-response-session)
###### [Collect investigation package from machines](respond-machine-alerts.md#collect-investigation-package-from-machines)
-###### [Run Windows Defender Antivirus scan on machines](respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
+###### [Run Microsoft Defender Antivirus scan on machines](respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-machines)
###### [Restrict app execution](respond-machine-alerts.md#restrict-app-execution)
###### [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network)
###### [Check activity details in Action center](respond-machine-alerts.md#check-activity-details-in-action-center)
@@ -158,7 +158,7 @@
###### [Controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
###### [Attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
###### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
-##### [Evaluate next generation protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
+##### [Evaluate next generation protection](../microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md)
### [Access the Microsoft Defender Security Center Community Center](community.md)
@@ -204,95 +204,95 @@
### [Configure next generation protection]()
-#### [Configure Windows Defender Antivirus features](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
+#### [Configure Microsoft Defender Antivirus features](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md)
#### [Utilize Microsoft cloud-delivered protection]()
-##### [Understand cloud-delivered protection](../windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-##### [Enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
-##### [Specify the cloud-delivered protection level](../windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
-##### [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
-##### [Enable Block at first sight](../windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
-##### [Configure the cloud block timeout period](../windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+##### [Understand cloud-delivered protection](../microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
+##### [Enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md)
+##### [Specify the cloud-delivered protection level](../microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md)
+##### [Configure and validate network connections](../microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md)
+##### [Enable Block at first sight](../microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md)
+##### [Configure the cloud block timeout period](../microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
#### [Configure behavioral, heuristic, and real-time protection]()
-##### [Configuration overview](../windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
-##### [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-##### [Enable and configure always-on protection and monitoring](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
+##### [Configuration overview](../microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md)
+##### [Detect and block potentially unwanted applications](../microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
+##### [Enable and configure always-on protection and monitoring](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md)
-#### [Antivirus on Windows Server 2016](../windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
+#### [Antivirus on Windows Server 2016](../microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md)
#### [Antivirus compatibility]()
-##### [Compatibility charts](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
-##### [Use limited periodic antivirus scanning](../windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
+##### [Compatibility charts](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
+##### [Use limited periodic antivirus scanning](../microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md)
#### [Deploy, manage updates, and report on antivirus]()
-##### [Using Windows Defender Antivirus](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
+##### [Using Microsoft Defender Antivirus](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
##### [Deploy and enable antivirus]()
-###### [Preparing to deploy](../windows-defender-antivirus/deploy-windows-defender-antivirus.md)
-###### [Deployment guide for VDI environments](../windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
+###### [Preparing to deploy](../microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md)
+###### [Deployment guide for VDI environments](../microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md)
##### [Report on antivirus protection]()
-###### [Review protection status and aqlerts](../windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
-###### [Troubleshoot antivirus reporting in Update Compliance](../windows-defender-antivirus/troubleshoot-reporting.md)
+###### [Review protection status and aqlerts](../microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
+###### [Troubleshoot antivirus reporting in Update Compliance](../microsoft-defender-antivirus/troubleshoot-reporting.md)
##### [Manage updates and apply baselines]()
-###### [Learn about the different kinds of updates](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
-###### [Manage protection and Security intelligence updates](../windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
-###### [Manage when protection updates should be downloaded and applied](../windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
-###### [Manage updates for endpoints that are out of date](../windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
-###### [Manage event-based forced updates](../windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
-###### [Manage updates for mobile devices and VMs](../windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+###### [Learn about the different kinds of updates](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
+###### [Manage protection and Security intelligence updates](../microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
+###### [Manage when protection updates should be downloaded and applied](../microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
+###### [Manage updates for endpoints that are out of date](../microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
+###### [Manage event-based forced updates](../microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md)
+###### [Manage updates for mobile devices and VMs](../microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
#### [Customize, initiate, and review the results of scans and remediation]()
-##### [Configuration overview](../windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+##### [Configuration overview](../microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
##### [Configure and validate exclusions in antivirus scans]()
-###### [Exclusions overview](../windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](../windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-###### [Configure antivirus exclusions Windows Server 2016](../windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+###### [Exclusions overview](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](../microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure antivirus exclusions Windows Server 2016](../microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-##### [Configure antivirus scanning options](../windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
-##### [Configure remediation for scans](../windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-##### [Configure scheduled scans](../windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
-##### [Configure and run scans](../windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
-##### [Review scan results](../windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
-##### [Run and review the results of an offline scan](../windows-defender-antivirus/windows-defender-offline.md)
+##### [Configure antivirus scanning options](../microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
+##### [Configure remediation for scans](../microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
+##### [Configure scheduled scans](../microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+##### [Configure and run scans](../microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
+##### [Review scan results](../microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
+##### [Run and review the results of an offline scan](../microsoft-defender-antivirus/windows-defender-offline.md)
-#### [Restore quarantined files](../windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+#### [Restore quarantined files](../microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
#### [Manage antivirus in your business]()
-##### [Management overview](../windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
-##### [Use Group Policy settings to configure and manage antivirus](../windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
-##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](../windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
-##### [Use PowerShell cmdlets to configure and manage antivirus](../windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
-##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](../windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
-##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+##### [Management overview](../microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
+##### [Use Group Policy settings to configure and manage antivirus](../microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
+##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](../microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
+##### [Use PowerShell cmdlets to configure and manage antivirus](../microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
+##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](../microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
+##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](../microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
#### [Manage scans and remediation]()
-##### [Management overview](../windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+##### [Management overview](../microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
##### [Configure and validate exclusions in antivirus scans]()
-###### [Exclusions overview](../windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](../windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-###### [Configure antivirus exclusions on Windows Server 2016](../windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+###### [Exclusions overview](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](../microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure antivirus exclusions on Windows Server 2016](../microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-##### [Configure scanning options](../windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
-##### [Configure remediation for scans](../windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-##### [Configure scheduled scans](../windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
-##### [Configure and run scans](../windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
-##### [Review scan results](../windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
-##### [Run and review the results of an offline scan](../windows-defender-antivirus/windows-defender-offline.md)
-##### [Restore quarantined files](../windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+##### [Configure scanning options](../microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
+##### [Configure remediation for scans](../microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
+##### [Configure scheduled scans](../microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+##### [Configure and run scans](../microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
+##### [Review scan results](../microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
+##### [Run and review the results of an offline scan](../microsoft-defender-antivirus/windows-defender-offline.md)
+##### [Restore quarantined files](../microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
#### [Manage next generation protection in your business]()
-##### [Management overview](../windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
-##### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](../windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
-##### [Use Group Policy settings to manage next generation protection](../windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
-##### [Use PowerShell cmdlets to manage next generation protection](../windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
-##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](../windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
-##### [Use the mpcmdrun.exe command line tool to manage next generation protection](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+##### [Management overview](../microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
+##### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](../microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
+##### [Use Group Policy settings to manage next generation protection](../microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
+##### [Use PowerShell cmdlets to manage next generation protection](../microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
+##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](../microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
+##### [Use the mpcmdrun.exe command line tool to manage next generation protection](../microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
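Review bot: the two rewritten "Review protection status and aqlerts" entries (under "Report on antivirus protection") carry the pre-existing typo into the renamed link; since the line is being replaced anyway, make it `###### [Review protection status and alerts](../microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)`. Also, the two "Run and review the results of an offline scan" entries now point at `../microsoft-defender-antivirus/windows-defender-offline.md`, the only target in this hunk that keeps its old `windows-defender-` file name inside the renamed folder; confirm that file was moved with the folder (or add a redirect) so the TOC link doesn't break.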
@@ -525,4 +525,4 @@
#### [Collect diagnostic data for files](../windows-defender-exploit-guard/troubleshoot-np.md)
-### [Troubleshoot next generation protection issues](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
+### [Troubleshoot next generation protection issues](../microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
index 5ac688bcec..8e7680a3be 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
@@ -51,7 +51,7 @@ Microsoft Defender ATP integrates with System Center Endpoint Protection to prov
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
-- Configure your network to allow connections to the Windows Defender Antivirus cloud. For more information, see [Allow connections to the Windows Defender Antivirus cloud](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus#allow-connections-to-the-windows-defender-antivirus-cloud)
+- Configure your network to allow connections to the Microsoft Defender Antivirus cloud. For more information, see [Allow connections to the Microsoft Defender Antivirus cloud](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud)
## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP
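Review bot: the rewritten bullet changes not only the article path but the fragment, to `#allow-connections-to-the-microsoft-defender-antivirus-cloud`; that anchor is generated from the heading text in the target article, so it only resolves if the section heading in configure-network-connections-microsoft-defender-antivirus.md was also renamed to "Allow connections to the Microsoft Defender Antivirus cloud". Verify the heading (or keep the old fragment) so the link doesn't silently land at the top of the page.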
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
index 0534d30935..1f798a3ece 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
@@ -30,14 +30,17 @@ To onboard machines without Internet access, you'll need to take the following g
Windows Server 2016 and earlier or Windows 8.1 and earlier.
> [!NOTE]
-> An OMS gateway server can still be used as proxy for disconnected Windows 10 machines when configured via 'TelemetryProxyServer' registry or GPO.
+> - An OMS gateway server cannot be used as proxy for disconnected Windows 10 or Windows Server 2019 machines when configured via 'TelemetryProxyServer' registry or GPO.
+> - For Windows 10 or Windows Server 2019 - while you may use TelemetryProxyServer, it must point to a standard proxy device or appliance.
+> - In addition, Windows 10 or Windows Server 2019 in disconnected environments must be able to update Certificate Trust Lists offline via an internal file or web server.
+> - For more information about updating CTLs offline, see (Configure a file or web server to download the CTL files)[https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files].
-For more information, see the following articles:
+For more information about onboarding methods, see the following articles:
- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel)
- [Onboard servers to the Microsoft Defender ATP service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
- [Configure machine proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy)
-## On-premise machines
+## On-premises machines
- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
- [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
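Review bot: the last added note bullet has its Markdown link syntax inverted, `(Configure a file or web server to download the CTL files)[https://...]`, which renders as literal text rather than a link; it should be `[Configure a file or web server to download the CTL files](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files)`. The URL itself contains parentheses in `dn265983(v=ws.11)`, which some renderers cut off at the first `)`, so wrap the destination in angle brackets, `[text](<url>)`, or percent-encode them as `%28` and `%29`. Separately, the first bullet reverses the previous guidance from "can still be used as proxy" to "cannot be used as proxy" for disconnected Windows 10 machines; readers who followed the old text deserve a sentence on why (the second bullet implies the gateway is not a standard HTTP proxy), and "as proxy" should read "as a proxy".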
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
index c304bcfd54..37c447d3fc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
@@ -30,7 +30,7 @@ Configure and manage all the Microsoft Defender ATP capabilities to get the best
Topic | Description
:---|:---
[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
-[Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats.
+[Configure next generation protection](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats.
[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP.
[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
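Review bot: while this table is being touched, the unchanged first row reads "these set of capabilities resist attacks and exploitations"; "these set" should be "this set" (or "these capabilities"), and "exploitations" reads better as "exploitation".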
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
index 3b7f738894..15f9de0423 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
@@ -73,39 +73,39 @@ below to onboard systems with Configuration Manager.
1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
- 
+ 
2. Right Click **Device Collection** and select **Create Device Collection**.
- 
+ 
3. Provide a **Name** and **Limiting Collection**, then select **Next**.
- 
+ 
4. Select **Add Rule** and choose **Query Rule**.
- 
+ 
5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
- 
+ 
6. Select **Criteria** and then choose the star icon.
- 
+ 
-7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**.
+7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**.
- 
+ 
8. Select **Next** and **Close**.
- 
+ 
9. Select **Next**.
- 
+ 
After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
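Review bot: step 7 now builds the collection on "Operating System - build number is greater than or equal to 14393", but the closing sentence of the hunk still says the result is "a device collection with all the Windows 10 endpoints". Build 14393 is Windows 10 version 1607 and also Windows Server 2016, so a query on build number alone sweeps Windows Server 2016 hosts into a collection that the next section deploys a Windows 10 onboarding policy to, and it drops Windows 10 1507 (build 10240, the only build the old "is equal to 10240" rule matched) and 1511 (10586). Either add a second criterion on the operating system name/caption to restrict the query to Windows 10 workstations, or reword the closing sentence to say the collection contains Windows 10 version 1607 and later (and, as written, Windows Server 2016) devices.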
@@ -119,11 +119,11 @@ Manager and deploy that policy to Windows 10 devices.
-2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager **.
+2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**.

-3. Select **Download package**.
+3. Select **Download package**.

@@ -132,11 +132,11 @@ Manager and deploy that policy to Windows 10 devices.
6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
- 
+ 
7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
- 
+ 
8. Click **Browse**.
@@ -179,108 +179,45 @@ Follow the steps below to identify the Microsoft Defender ATP Workspace ID and W
3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
-Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the deployment method, this step may have already been completed.
+4. Install the Microsoft Monitoring Agent (MMA).
+ MMA is currently (as of January 2019) supported on the following Windows Operating
+ Systems:
-Edit the InstallMMA.cmd with a text editor, such as notepad and update the
-following lines and save the file:
+ - Server SKUs: Windows Server 2008 SP1 or Newer
- 
+ - Client SKUs: Windows 7 SP1 and later
-Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file:
+ The MMA agent will need to be installed on Windows devices. To install the
+ agent, some systems will need to download the [Update for customer experience
+ and diagnostic
+ telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+ in order to collect the data with MMA. These system versions include but may not
+ be limited to:
- 
+ - Windows 8.1
-Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating
-Systems:
+ - Windows 7
-- Server SKUs: Windows Server 2008 SP1 or Newer
+ - Windows Server 2016
-- Client SKUs: Windows 7 SP1 and later
+ - Windows Server 2012 R2
-The MMA agent will need to be installed on Windows devices. To install the
-agent, some systems will need to download the [Update for customer experience
-and diagnostic
-telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
-in order to collect the data with MMA. These system versions include but may not
-be limited to:
+ - Windows Server 2008 R2
-- Windows 8.1
+ Specifically, for Windows 7 SP1, the following patches must be installed:
-- Windows 7
+ - Install
+ [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
-- Windows Server 2016
+ - Install either [.NET Framework
+ 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
+ later) **or**
+ [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
+ Do not install both on the same system.
-- Windows Server 2012 R2
+5. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
-- Windows Server 2008 R2
-
-Specifically, for Windows 7 SP1, the following patches must be installed:
-
-- Install
- [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
-
-- Install either [.NET Framework
- 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
- later) **or**
- [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
- Do not install both on the same system.
-
-To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps
-below to utilize the provided batch files to onboard the systems. The CMD file
-when executed, will require the system to copy files from a network share by the
-System, the System will install MMA, Install the DependencyAgent, and configure
-MMA for enrollment into the workspace.
-
-
-1. In Microsoft Endpoint Configuration Manager console, navigate to **Software
- Library**.
-
-2. Expand **Application Management**.
-
-3. Right-click **Packages** then select **Create Package**.
-
-4. Provide a Name for the package, then click **Next**
-
- 
-
-5. Verify **Standard Program** is selected.
-
- 
-
-6. Click **Next**.
-
- 
-
-7. Enter a program name.
-
-8. Browse to the location of the InstallMMA.cmd.
-
-9. Set Run to **Hidden**.
-
-10. Set **Program can run** to **Whether or not a user is logged on**.
-
-11. Click **Next**.
-
-12. Set the **Maximum allowed run time** to 720.
-
-13. Click **Next**.
-
- 
-
-14. Verify the configuration, then click **Next**.
-
- 
-
-15. Click **Next**.
-
-16. Click **Close**.
-
-17. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP
- Onboarding Package just created and select **Deploy**.
-
-18. On the right panel select the appropriate collection.
-
-19. Click **OK**.
+Once completed, you should see onboarded endpoints in the portal within an hour.
## Next generation protection
Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
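Review bot: step 3 still says the Workspace ID and Workspace Key "will be used later in the process", but this hunk removes every step that consumed them (editing InstallMMA.cmd and the OMS agent .vbs, and the Configuration Manager package that ran InstallMMA.cmd), and the new step 4 only lists supported operating systems and prerequisite KBs without saying how to install MMA or where the workspace ID/key are entered. Add the install and workspace-enrollment action to step 4 (or link to the MMA setup article); otherwise "Once completed, you should see onboarded endpoints in the portal within an hour" follows no step that actually onboards anything. Smaller points: step 5 refers to "the Configure proxy settings section" without a link; "currently (as of January 2019)" is a dated qualifier that should be refreshed or dropped; and the body of step 4 mixes 3- and 4-space indentation with hard-wrapped paragraph lines, which some renderers will break out of the numbered list, so indent the whole step consistently.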
@@ -297,7 +234,7 @@ Microsoft Defender Antivirus is a built-in antimalware solution that provides ne
needs on how Antivirus is configured.
- [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
+ [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
index 4fda24160f..e949cd7986 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
@@ -27,14 +27,18 @@ ms.topic: conceptual
Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4woug]
+
+
Article | Description
-|-
-[Attack surface reduction](./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus).
-[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites.
+[Attack surface reduction](./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Microsoft Defender Antivirus).
+[Hardware-based isolation](../microsoft-defender-application-guard/md-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites.
[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run.
[Exploit protection](./exploit-protection.md) | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions.
-[Network protection](./network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus)
+[Network protection](./network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Microsoft Defender Antivirus)
[Web protection](./web-protection-overview.md) | Secure your machines against web threats and help you regulate unwanted content.
-[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus)
+[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Microsoft Defender Antivirus)
[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering.
[Attack surface reduction FAQ](./attack-surface-reduction-faq.md) | Frequently asked questions about Attack surface reduction rules, licensing, and more.
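Review bot: the Hardware-based isolation row now links to `../microsoft-defender-application-guard/md-app-guard-overview.md` while the Application control row in the same table still points into `../windows-defender-application-control/`; confirm the renamed Application Guard folder exists on this branch and that a redirect covers the old `wd-app-guard-overview.md` path, otherwise existing inbound links break. The two blank lines inserted between the video embed and `Article | Description` can also be reduced to one.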
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
index 261734d68b..0d13fe8b36 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
@@ -28,6 +28,8 @@ Microsoft Defender ATP endpoint detection and response capabilities provide adva
When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an _incident_. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.
+>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4o1j5]
+
Inspired by the "assume breach" mindset, Microsoft Defender ATP continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others. The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and approach an investigation through multiple vectors.
The response capabilities give you the power to promptly remediate threats by acting on the affected entities.
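Review bot: the embed URL `https://www.microsoft.com/en-us/videoplayer/embed/RE4o1j5` hardcodes the `en-us` locale segment, whereas the embed added to overview-attack-surface-reduction.md in this same change uses the locale-free form `https://www.microsoft.com/videoplayer/embed/...`; drop `en-us/` so localized builds resolve the player correctly, and add the space after `>` so the callout matches the other `> [!VIDEO ...]` syntax.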
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
index 344d125399..7b7ae31f81 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
@@ -25,6 +25,6 @@ Hardware-based isolation helps protect system integrity in Windows 10 and is int
| Feature | Description |
|------------|-------------|
-| [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) | Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard’s secure container, keeping the desktop PC protected and the attacker away from your enterprise data. |
+| [Windows Defender Application Guard](../microsoft-defender-application-guard/md-app-guard-overview.md) | Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard’s secure container, keeping the desktop PC protected and the attacker away from your enterprise data. |
| [Windows Defender System Guard](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) | System Guard protects and maintains the integrity of the system as it starts and after it's running, and validates system integrity by using attestation. |
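Review bot: the link target moves to `../microsoft-defender-application-guard/md-app-guard-overview.md`, but the link text and the description keep the "Windows Defender Application Guard" name; if the product rename is intended, update the visible name together with the path, and make sure this rename and the identical one in overview-attack-surface-reduction.md land in the same change as the folder move so neither page has a dangling link in between.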
diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
index ceb8637a40..96e8c08aa9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
@@ -22,54 +22,53 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
+Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat activity or data breaches.
You can use [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
+
- View, sort, and triage alerts from your endpoints
- Search for more information on observed indicators such as files and IP Addresses
-- Change Microsoft Defender ATP settings, including time zone and review licensing information.
+- Change Microsoft Defender ATP settings, including time zone and review licensing information
## Microsoft Defender Security Center
-When you open the portal, you’ll see the main areas of the application:
- 
+When you open the portal, you'll see:
-- (1) Navigation pane
-- (2) Main portal
-- (3) Search, Community center, Time settings, Help and support, Feedback
+- (1) Navigation pane (select the horizontal lines at the top of the navigation pane to show or hide it)
+- (2) Search, Community center, Localization, Help and support, Feedback
+
+ 
> [!NOTE]
-> Malware related detections will only appear if your machines are using Windows Defender Antivirus as the default real-time protection antimalware product.
+> Malware related detections will only appear if your machines are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
Area | Description
:---|:---
-**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Machines list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Interoperability**, **Threat & vulnerability management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**.
-**Dashboards** | Access the Security operations, the Secure Score, or Threat analytics dashboard.
+**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Machines list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Partners & APIs**, **Threat & Vulnerability Management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. Select the horizontal lines at the top of the navigation pane to show or hide it.
+**Dashboards** | Access the active automated investigations, active alerts, automated investigations statistics, machines at risk, users at risk, machines with sensor issues, service health, detection sources, and daily machines reporting dashboards.
**Incidents** | View alerts that have been aggregated as incidents.
-**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and the corresponding number of alerts.
+**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and their exposure and risk levels.
**Alerts queue** | View alerts generated from machines in your organizations.
-**Automated investigations** | Displays a list of automated investigations that's been conducted in the network, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
+**Automated investigations** | Displays automated investigations that have been conducted in the network, triggering alert, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool.
-**Reports** | View graphs detailing alert trends over time, and alert summary charts categorizing threats by severity, status, and attack approach
-**Interoperability** | Lists supported partner applications that can work together with Microsoft Defender, as well as applications that are already connected to Microsoft Defender.
+**Reports** | View graphs detailing threat protection, machine health and compliance, web protection, and vulnerability.
+**Partners & APIs** | View supported partner connections, which enhance the detection, investigation, and threat intelligence capabilities of the platform. You can also view connected applications, the API explorer, API usage overview, and data export settings.
**Threat & Vulnerability management** | View your configuration score, exposure score, exposed machines, vulnerable software, and take action on top security recommendations.
-**Evaluation and tutorials** | Manage test machines, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walkthrough in a trial environment.
-**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
-**Configuration management** | Displays on-boarded machines, your organizations' security baseline, predictive analysis, and allows you to perform attack surface management on your machines.
-**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard.
-**(2) Main portal** | Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
-**(3) Community center, Localization, Help and support, Feedback** | **Community center** -Access the Community center to learn, collaborate, and share experiences about the product. **Time settings** - Gives you access to the configuration settings where you can set time zones and view license information. **Help and support** - Gives you access to the Microsoft Defender ATP guide, Microsoft support, and Premier support. **Feedback** - Access the feedback button to provide comments about the portal.
+**Evaluation and tutorials** | Manage test machines, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walk-through in a trial environment.
+**Service health** | Provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
+**Configuration management** | Displays on-boarded machines, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your machines.
+**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as permissions, APIs, rules, machine management, IT service management, and network assessments.
+**(2) Search, Community center, Localization, Help and support, Feedback** | **Search** - search by machine, file, user, URL, IP, vulnerability, software, and recommendation. **Community center** - Access the Community center to learn, collaborate, and share experiences about the product. **Localization** - Set time zones. **Help and support** - Access the Microsoft Defender ATP guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Microsoft Defender ATP evaluation lab, consult a threat expert. **Feedback** - Provide comments about what you like or what we can do better.
> [!NOTE]
> For devices with high resolution DPI scaling issues, please see [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) for possible solutions.
## Microsoft Defender ATP icons
+
The following table provides information on the icons used all throughout the portal:
Icon | Description
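Review bot: the new **Dashboards** row describes dashboard cards (active alerts, machines at risk, users at risk, ...) rather than the dashboards the navigation entry actually opens, while the Related topics list at the end of this file still links to the Security operations, Threat & Vulnerability Management and Threat analytics dashboards; keep the row naming (or linking) those dashboards so the table and the related topics agree. Two smaller points: the navigation-pane row now spells **Threat & Vulnerability Management** but the feature's own row below is still **Threat & Vulnerability management**, and the sentence "Select the horizontal lines at the top of the navigation pane to show or hide it" is duplicated between the (1) bullet and the table row.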
@@ -82,7 +81,7 @@ Icon | Description
| Not remediated – Threat not removed from the machine.
| Indicates events that triggered an alert in the **Alert process tree**.
| Machine icon
-| Windows Defender Antivirus events
+| Microsoft Defender Antivirus events
| Windows Defender Application Guard events
| Windows Defender Device Guard events
| Windows Defender Exploit Guard events
@@ -105,22 +104,23 @@ Icon | Description
| Memory allocation
| Process injection
| Powershell command run
- | Community center
+ | Community center
 | Notifications
 | Automated investigation - no threats found
 | Automated investigation - failed
 | Automated investigation - partially investigated
- | Automated investigation - terminated by system
+ | Automated investigation - terminated by system
 | Automated investigation - pending
 | Automated investigation - running
- | Automated investigation - remediated
+ | Automated investigation - remediated
 | Automated investigation - partially remediated
 | Threat & Vulnerability Management - threat insights
- | Threat & Vulnerability Management - possible active alert
+ | Threat & Vulnerability Management - possible active alert
 | Threat & Vulnerability Management - recommendation insights
## Related topics
-- [Understand the Microsoft Defender Advanced Threat Protection portal](use.md)
+
+- [Overview of Microsoft Defender Security Center](use.md)
- [View the Security operations dashboard](security-operations-dashboard.md)
- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
index b865033486..b4b27d638f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
@@ -71,6 +71,7 @@ description | String | Description of the indicator. **Required**
expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional**
severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional**
recommendedActions | String | TI indicator alert recommended actions. **Optional**
+rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
## Response
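Review bot: `rbacGroupNames` is documented here as `String` holding a "comma-separated list", but the request example further down in this file sends it as a JSON array (`"rbacGroupNames": ["group1", "group2"]`); one of the two is wrong. If the API accepts an array, change the type to an array of strings and drop "comma-separated"; if it expects a single string, fix the example to `"group1,group2"`. It would also help callers who rely on RBAC scoping to state the behaviour when the field is omitted.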
@@ -87,16 +88,18 @@ Here is an example of the request.
POST https://api.securitycenter.windows.com/api/indicators
Content-type: application/json
{
- "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
- "indicatorType": "FileSha1",
- "title": "test",
- "application": "demo-test",
- "expirationTime": "2020-12-12T00:00:00Z",
- "action": "AlertAndBlock",
- "severity": "Informational",
- "description": "test",
- "recommendedActions": "nothing"
+ "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "test",
+ "application": "demo-test",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "nothing",
+ "rbacGroupNames": ["group1", "group2"]
}
+```
## Related topic
- [Manage indicators](manage-indicators.md)
\ No newline at end of file
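Review bot: the added closing ``` fence is the right fix (the example block was previously unterminated, so the "Related topic" heading rendered inside the code block), but the file still ends without a trailing newline ("\ No newline at end of file"); add one while touching this file. The example also sends `rbacGroupNames` as an array, which conflicts with the `String` type given in the parameter table above; align the two.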
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
index 2436a0642e..343d68bc0f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
@@ -170,12 +170,12 @@ how the endpoint security suite should be enabled.
| Component | Description | Adoption Order Rank |
|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
-| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
-| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Windows Defender Antivirus includes: | 2 |
-| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 3 |
-| Threat & Vulnerability Management (TVM) | Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: | 4 |
-| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
-| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
+| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
+|Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities - Invaluable machine vulnerability context during incident investigations - Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager [Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 |
+| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes: -Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus. - Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection"). - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research. [Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). |3 |
+| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 |
+| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
+| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
## Next step
|||
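Review bot: the TVM and NGP rows embed bulleted sub-items inline inside a single table cell ("... including: - Real-time endpoint detection ...", "... includes: -Cloud-delivered protection ..."), which Markdown renders as one run-on sentence rather than a list; insert `<br>` before each item (and add the missing space in `-Cloud-delivered`) or move the detail out of the table. The TVM row also drops the spaces around `|` that every other row uses, and its "Learn more" link goes to a Tech Community blog post while the other rows link to docs.microsoft.com; consider pointing it at the TVM documentation instead.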
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index c55fe2642d..8eb9582866 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -29,6 +29,9 @@ The Microsoft Defender ATP service is constantly being updated to include new fe
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
+>[!TIP]
+>Get notified when this page is updated by copying and pasting the following URL into your feed reader: `https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+preview+features%22&locale=en-us`
+
For more information on new capabilities that are generally available, see [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md).
## Turn on preview features
@@ -44,9 +47,11 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
-- [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md) Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux.
+- [Attack simulators in the evaluation lab](evaluation-lab.md#threat-simulator-scenarios) Microsoft Defender ATP has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal.
-- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list) Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information.
+- [Create indicators for certificates](manage-indicators.md) Create indicators to allow or block certificates.
+
+- [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md) Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux.
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019. See [Secure Configuration Assessment (SCA) for Windows Server now in public preview](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/secure-configuration-assessment-sca-for-windows-server-now-in/ba-p/1243885) and [Reducing risk with new Threat & Vulnerability Management capabilities](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/reducing-risk-with-new-threat-amp-vulnerability-management/ba-p/978145) blogs for more information.
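Review bot: removing the "Threat & Vulnerability Management API support" item from the preview list is only correct if those APIs are now generally available; if so, confirm the What's new page linked above records them, otherwise the capability silently disappears from the docs. Separately, the second paragraph of the "Threat & Vulnerability supported operating systems and platforms" item (the Secure Configuration Assessment sentence) is not indented under its bullet, so it renders as a paragraph outside the list.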
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
index 4fabe73b03..fc6cb7176a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -57,7 +57,7 @@ In this deployment scenario, you'll be guided through the steps on:
>[!NOTE]
->For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defnder ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
+>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defender ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
## Check license state
@@ -144,6 +144,9 @@ Appendix section in this document for the URLs Whitelisting or on
[Microsoft
Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server).
+> [!NOTE]
+> For a detailed list of URLs that need to be whitelisted, please see [this article](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus).
+
**Manual static proxy configuration:**
- Registry based configuration
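Review bot: the new note sends readers to the Microsoft Defender Antivirus network-connections article for "a detailed list of URLs that need to be whitelisted", but this section is about the Microsoft Defender ATP sensor, whose service URLs are the ones tabulated later in this same file; the antivirus cloud-protection URLs are an additional, different list. Reword the note to say it covers the antivirus URLs, required in addition to the ATP service URLs below, so readers do not allow only one set.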
@@ -198,9 +201,9 @@ Use netsh to configure a system-wide static proxy.
1. Open an elevated command-line:
- a. Go to **Start** and type **cmd**.
+ 1. Go to **Start** and type **cmd**.
- b. Right-click **Command prompt** and select **Run as administrator**.
+ 1. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command and press **Enter**:
@@ -228,7 +231,7 @@ needed if the machine is on Windows 10, version 1803 or later.
Service location | Microsoft.com DNS record
-|-
-Common URLs for all locations | ```crl.microsoft.com``` ```ctldl.windowsupdate.com``` ```events.data.microsoft.com``` ```notify.windows.com``` ```settings-win.data.microsoft.com```
+Common URLs for all locations | ```crl.microsoft.com/pki/crl/*``` ```ctldl.windowsupdate.com``` ```www.microsoft.com/pkiops/*``` ```events.data.microsoft.com``` ```notify.windows.com``` ```settings-win.data.microsoft.com```
European Union | ```eu.vortex-win.data.microsoft.com``` ```eu-v20.events.data.microsoft.com``` ```usseu1northprod.blob.core.windows.net``` ```usseu1westprod.blob.core.windows.net``` ```winatp-gw-neu.microsoft.com``` ```winatp-gw-weu.microsoft.com``` ```wseu1northprod.blob.core.windows.net``` ```wseu1westprod.blob.core.windows.net```
United Kingdom | ```uk.vortex-win.data.microsoft.com``` ```uk-v20.events.data.microsoft.com``` ```ussuk1southprod.blob.core.windows.net``` ```ussuk1westprod.blob.core.windows.net``` ```winatp-gw-uks.microsoft.com``` ```winatp-gw-ukw.microsoft.com``` ```wsuk1southprod.blob.core.windows.net``` ```wsuk1westprod.blob.core.windows.net```
United States | ```us.vortex-win.data.microsoft.com``` ```ussus1eastprod.blob.core.windows.net``` ```ussus1westprod.blob.core.windows.net``` ```ussus2eastprod.blob.core.windows.net``` ```ussus2westprod.blob.core.windows.net``` ```ussus3eastprod.blob.core.windows.net``` ```ussus3westprod.blob.core.windows.net``` ```ussus4eastprod.blob.core.windows.net``` ```ussus4westprod.blob.core.windows.net``` ```us-v20.events.data.microsoft.com``` ```winatp-gw-cus.microsoft.com``` ```winatp-gw-eus.microsoft.com``` ```wsus1eastprod.blob.core.windows.net``` ```wsus1westprod.blob.core.windows.net``` ```wsus2eastprod.blob.core.windows.net``` ```wsus2westprod.blob.core.windows.net```
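Review bot: the new entries `crl.microsoft.com/pki/crl/*` and `www.microsoft.com/pkiops/*` are URL path patterns, but the column header still reads "Microsoft.com DNS record", and a proxy or firewall rule keyed on DNS names cannot express a path or a `*` wildcard. Either keep the cells as hostnames (`crl.microsoft.com`, `www.microsoft.com`) and add a sentence that only the `/pki/crl/` and `/pkiops/` paths need to be reachable, or rename the header so it no longer promises DNS records.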
@@ -253,9 +256,9 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region
You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653).
> [!NOTE]
-> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
+> As a cloud-based solution, the IP address range can change. It's recommended you move to DNS resolving setting.
## Next step
|||
|:-------|:-----|
-| [Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them
+| [Phase 3: Onboard](onboarding.md) | Onboard devices to the service so that the Microsoft Defender ATP service can get sensor data from them.
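Review bot: "It's recommended you move to DNS resolving setting" is still ungrammatical after the "IP address range" fix on the same line; suggest "It's recommended that you allow the service by DNS name rather than by IP address range." The Next-step table row change (adding "so that" and the trailing period) reads fine.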
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
index e52e94be42..c55c6e231f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@@ -27,8 +27,9 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
>[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API.
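Review bot: the added bullet `>-The Microsoft Defender ATP Alert API ...` is missing the space after `-`, so it will not render as a list item like the two bullets above it (`>- [Microsoft Defender ATP Alert]...`); also "contain a detailed list" should be "contains a detailed list".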
@@ -175,7 +176,7 @@ Here is an example return value:
## Code examples
### Get access token
-The following code example demonstrates how to obtain an access token and call the Microsoft Defender ATP API.
+The following code examples demonstrate how to obtain an access token for calling the Microsoft Defender ATP SIEM API.
```csharp
AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}", tenantId));
@@ -183,19 +184,114 @@ ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret
AuthenticationResult authenticationResult = context.AcquireTokenAsync(detectionsResource, clientCredentials).GetAwaiter().GetResult();
```
-### Use token to connect to the detections endpoint
+```PowerShell
+#Get current working directory
+$scriptDir = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
+#Paste below your Tenant ID, App ID and App Secret (App key).
+$tenantId = '' ### Paste your tenant ID here
+$appId = '' ### Paste your Application ID here
+$appSecret = '' ### Paste your Application secret here
+
+$resourceAppIdUri = 'https://graph.windows.net'
+$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
+$authBody = [Ordered] @{
+ resource = "$resourceAppIdUri"
+ client_id = "$appId"
+ client_secret = "$appSecret"
+ grant_type = 'client_credentials'
+}
+
+#call API
+$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
+$authResponse
+Out-File -FilePath "$scriptDir\LatestSIEM-token.txt" -InputObject $authResponse.access_token
```
+
+```Bash
+tenantId='' ### Paste your tenant ID here
+appId='' ### Paste your Application ID here
+appSecret='' ### Paste your Application secret here
+resourceAppIdUri='https://graph.windows.net'
+oAuthUri="https://login.windows.net/$tenantId/oauth2/token"
+scriptDir=$(pwd)
+
+apiResponse=$(curl -s X POST "$oAuthUri" -d "resource=$resourceAppIdUri&client_id=$appId&client_secret=$appSecret&\
+ grant_type=client_credentials" | cut -d "{" -f2 | cut -d "}" -f1)
+IFS=","
+apiResponseArr=($apiResponse)
+IFS=":"
+tokenArr=(${apiResponseArr[6]})
+echo ${tokenArr[1]} | cut -d "\"" -f2 | cut -d "\"" -f1 >> $scriptDir/LatestSIEM-token.txt
+```
+
+### Use token to connect to the detections endpoint
+The following code examples demonstrate how to use an access token for calling the Microsoft Defender ATP SIEM API to get alerts.
+
+```csharp
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authenticationResult.AccessTokenType, authenticationResult.AccessToken);
HttpResponseMessage response = httpClient.GetAsync("https://wdatp-alertexporter-eu.windows.com/api/alert").GetAwaiter().GetResult();
string detectionsJson = response.Content.ReadAsStringAsync().Result;
Console.WriteLine("Got detections list: {0}", detectionsJson);
-
```
+```PowerShell
+#Get current working directory
+$scriptDir = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
+#run the script Get-Token.ps1 - make sure you are running this script from the same folder of Get-SIEMToken.ps1
+$token = Get-Content "$scriptDir\LatestSIEM-token.txt"
+#Get Alert from the last xx hours 200 in this example. Make sure you have alerts in that time frame.
+$dateTime = (Get-Date).ToUniversalTime().AddHours(-200).ToString("o")
+
+#test SIEM API
+$url = 'https://wdatp-alertexporter-us.windows.com/api/alerts?limit=20&sinceTimeUtc=2020-01-01T00:00:00.000'
+
+#Set the WebRequest headers
+$headers = @{
+ 'Content-Type' = 'application/json'
+ Accept = 'application/json'
+ Authorization = "Bearer $token"
+}
+
+#Send the webrequest and get the results.
+$response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop
+$response
+Write-Host
+
+#Extract the alerts from the results. This works for SIEM API:
+$alerts = $response.Content | ConvertFrom-Json | ConvertTo-Json
+
+#Get string with the execution time. We concatenate that string to the output file to avoid overwrite the file
+$dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."}
+
+#Save the result as json and as csv
+$outputJsonPath = "$scriptDir\Latest Alerts $dateTimeForFileName.json"
+$outputCsvPath = "$scriptDir\Latest Alerts $dateTimeForFileName.csv"
+
+Out-File -FilePath $outputJsonPath -InputObject $alerts
+Get-Content -Path $outputJsonPath -Raw | ConvertFrom-Json | Select-Object -ExpandProperty value | Export-CSV $outputCsvPath -NoTypeInformation
+```
+
+```Bash
+#Get current working directory
+scriptDir=$(pwd)
+
+#get the token
+token=$(<$scriptDir/LatestSIEM-token.txt)
+
+#test the SIEM API, get alerts since 1/1/2020
+url='https://wdatp-alertexporter-us.windows.com/api/alerts?limit=20&sinceTimeUtc=2020-01-01T00:00:00.000'
+
+#send web requst to API and echo JSON content
+apiResponse=$(curl -s X GET "$url" -H "Content-Type: application/json" -H "Accept: application/json"\
+ -H "Authorization: Bearer $token" | cut -d "[" -f2 | cut -d "]" -f1)
+echo "If you see Alert info in JSON format, congratulations you accessed the MDATP SIEM API!"
+echo
+echo $apiResponse
+```
## Error codes
The Microsoft Defender ATP REST API returns the following error codes caused by an invalid request.
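Review bot: both Bash blocks drop the dash on the method flag, `curl -s X POST "$oAuthUri" ...` and `curl -s X GET "$url" ...`, so `X` is passed as an extra URL and the request is sent with the default method; this should be `curl -s -X POST` and `curl -s -X GET`. In the Bash token script, `... >> $scriptDir/LatestSIEM-token.txt` appends, so a second run leaves two tokens in the file and `token=$(<$scriptDir/LatestSIEM-token.txt)` then sends both in the `Authorization` header; use `>` as the PowerShell version effectively does with `Out-File`. Both token scripts also echo the full token response (`$authResponse`, `echo ${tokenArr[1]}`) and persist the bearer token in plaintext beside the script; at minimum drop the console echo and tell the reader to restrict or delete `LatestSIEM-token.txt` after use. Parsing JSON with `cut -d "{"`/`IFS=","`/`apiResponseArr[6]` and `cut -d "[" -f2` depends on field order and breaks on nested braces or brackets; prefer `jq -r .access_token` or equivalent. Smaller points: the C# sample calls `https://wdatp-alertexporter-eu.windows.com/api/alert` while the PowerShell and Bash samples call `wdatp-alertexporter-us.windows.com/api/alerts`, so pick one region and one path; `$dateTime` is computed but never used because `$url` hardcodes `sinceTimeUtc=2020-01-01T00:00:00.000`; the comment refers to both `Get-Token.ps1` and `Get-SIEMToken.ps1`; and `ConvertFrom-Json | ConvertTo-Json` without `-Depth` truncates nested alert evidence at the default depth in Windows PowerShell.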
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
index 9213bd067e..408df1d9a1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@@ -62,7 +62,7 @@ You can contain an attack in your organization by stopping the malicious process
>
> - The machine you're taking the action on is running Windows 10, version 1703 or later
> - The file does not belong to trusted third-party publishers or not signed by Microsoft
-> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+> - Microsoft Defender Antivirus must at least be running on Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data, such as any registry keys.
@@ -136,7 +136,7 @@ You can prevent further propagation of an attack in your organization by banning
>[!IMPORTANT]
>
->- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+>- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
>
>- The Antimalware client version must be 4.18.1901.x or later.
>- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
@@ -211,7 +211,7 @@ Results of deep analysis are matched against threat intelligence and any matches
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page.
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr]
+>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0]
**Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
index 6a3f13571d..7d64a9e1f9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
@@ -97,7 +97,7 @@ The package contains the following folders:
|:---|:---------|
|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine. NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” |
|Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). |
-|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections. - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack. - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. - FirewassExecutionLog.txt and pfirewall.log |
+|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections. - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack. - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. - FirewallExecutionLog.txt and pfirewall.log |
| Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. |
| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. |
| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. |
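Review bot: while fixing `FirewassExecutionLog.txt` on the Network connections row, also fix "suspicious systems on the network that night have been used" to "that might have been used" on the same line.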
@@ -110,19 +110,19 @@ The package contains the following folders:
|WdSupportLogs| Provides the MpCmdRunLog.txt and MPSupportFiles.cab |
| CollectionSummaryReport.xls| This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. |
-## Run Windows Defender Antivirus scan on machines
+## Run Microsoft Defender Antivirus scan on machines
As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine.
>[!IMPORTANT]
>- This action is available for machines on Windows 10, version 1709 or later.
->- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+>- A Microsoft Defender Antivirus (Microsoft Defender AV) scan can run alongside other antivirus solutions, whether Microsoft Defender AV is the active antivirus solution or not. Microsoft Defender AV can be in Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
One you have selected **Run antivirus scan**, select the scan type that you'd like to run (quick or full) and add a comment before confirming the scan.

-The Action center will show the scan information and the machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan.
+The Action center will show the scan information and the machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Microsoft Defender AV alerts will reflect any detections that surfaced during the scan.
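Review bot: the unchanged line between the renamed IMPORTANT note and the renamed Action center sentence still reads "One you have selected **Run antivirus scan**"; since this hunk already touches the surrounding lines, change it to "Once you have selected".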
## Restrict app execution
@@ -130,7 +130,7 @@ In addition to containing an attack by stopping malicious processes, you can als
>[!IMPORTANT]
> - This action is available for machines on Windows 10, version 1709 or later.
-> - This feature is available if your organization uses Windows Defender Antivirus.
+> - This feature is available if your organization uses Microsoft Defender Antivirus.
> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing).
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
index 10a0f81607..3df06ec29a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
@@ -24,7 +24,7 @@ ms.topic: article
## API description
-Initiate Windows Defender Antivirus scan on a machine.
+Initiate Microsoft Defender Antivirus scan on a machine.
## Limitations
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
index 2251ec4e49..b3955f8794 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
@@ -30,20 +30,20 @@ ms.topic: article
Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service.
-1. Create a folder: 'C:\test-WDATP-test'.
+1. Create a folder: 'C:\test-MDATP-test'.
2. Open an elevated command-line prompt on the machine and run the script:
- a. Go to **Start** and type **cmd**.
+ 1. Go to **Start** and type **cmd**.
- b. Right-click **Command Prompt** and select **Run as administrator**.
+ 1. Right-click **Command Prompt** and select **Run as administrator**.
- 
+ 
3. At the prompt, copy and run the following command:
- ```
- powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'
- ```
+ ```powershell
+ powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'
+ ```
The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
index e473635682..2dfdb89168 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
@@ -39,7 +39,7 @@ Run antivirus scan | Remotely initiate an antivirus scan to help identify and re
Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys.
Request sample | Run this call to request a sample of a file from a specific machine. The file will be collected from the machine and uploaded to a secure storage.
Block file | Run this to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware.
-Unblock file | Allow a file run in the organization using Windows Defender Antivirus.
+Unblock file | Allow a file run in the organization using Microsoft Defender Antivirus.
Get package SAS URI | Run this to get a URI that allows downloading an investigation package.
Get MachineAction object | Run this to get MachineAction object.
Get MachineActions collection | Run this to get MachineAction collection.
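Review bot: the renamed Unblock file row keeps the grammar error "Allow a file run in the organization"; suggest "Allow a file to run in the organization using Microsoft Defender Antivirus."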
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 8464786570..d5491f5b3c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -29,8 +29,10 @@ ms.topic: article
## APIs
-Threat and vulnerability management supports multiple APIs. See the following topics for related APIs:
+Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
+See the following topics for related APIs:
+- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
- [Machine APIs](machine.md)
- [Recommendation APIs](vulnerability.md)
- [Score APIs](score.md)
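Review bot: the new opening sentence is a run-on with a mixed verb form ("API calls such as get your organization's threat exposure score ... security recommendation information"); suggest "Run API calls related to Threat & Vulnerability Management, such as getting your organization's threat exposure score or device secure score, the software and machine vulnerability inventory, software version distribution, machine vulnerability information, and security recommendation information."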
@@ -97,15 +99,16 @@ After you have identified which software and software versions are vulnerable du
## Related topics
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Advanced hunting overview](overview-hunting.md)
- [All advanced hunting tables](advanced-hunting-reference.md)
-- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
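Review bot: the added entry `- [APIs](threat-and-vuln-mgt-scenarios.md#apis)` in Related topics links to a section of this same page; either drop it or replace it with the external API reference the page already lists under its own APIs heading (`exposed-apis-list.md`). The reordering of the other entries looks fine.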
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
index 8e4d732734..8342b664ed 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
@@ -1,6 +1,6 @@
---
title: Indicator resource type
-description: Indicator entity description.
+description: Specify the entity details and define the expiration of the indicator using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, supported apis, get, TiIndicator, Indicator, recent
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
index 34dcdcc230..cce2177013 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
@@ -1,7 +1,7 @@
---
title: Microsoft Defender Security Center time zone settings
-description: Use the menu to configure the time zone and view license information.
-keywords: settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license
+description: Use the info contained here to configure the Microsoft Defender Security Center time zone settings and view license information.
+keywords: settings, Microsoft Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
index ed130a1720..8f87ff3707 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
@@ -46,9 +46,9 @@ Attack surface reduction rules will only work on devices with the following cond
- Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
-- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-- [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
+- [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
- Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
index 31804e546b..ea417b545a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
@@ -42,7 +42,7 @@ See the topic [Review events and errors using Event Viewer](event-error-codes.md
If onboarding machines successfully completes but Microsoft Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy.
-For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
+For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy).
## Known issues with regional formats
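Review bot: the link text is renamed to "Microsoft Defender Antivirus", but the sentence right before it still says "check that Windows Defender is not disabled by a policy"; rename that too so the paragraph uses one product name.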
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
index 9c2e5cfdff..12ce265639 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
@@ -43,9 +43,9 @@ Network protection will only work on devices with the following conditions:
>[!div class="checklist"]
> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update).
-> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
-> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
-> * [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled.
+> * Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
+> * [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
+> * [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled.
> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
## Use audit mode
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
index 56a0d71130..0628b4a46e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
@@ -88,5 +88,4 @@ crl.microsoft.com`
- `https://static2.sharepointonline.com`
-## Related topics
-- [Validate licensing provisioning and complete setup for Microsoft Defender ATP](licensing.md)
+
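Review bot: this hunk replaces the whole "Related topics" section (including the link to `licensing.md`) with a single blank `+` line, leaving a trailing empty line at the end of the file; if removing the section is intentional, remove the blank line as well, and confirm that `licensing.md` is still reachable from elsewhere in the onboarding troubleshooting set.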
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
index e4cd47a5a8..c8c682d83f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
@@ -13,7 +13,7 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: troubleshooting
---
@@ -42,6 +42,7 @@ If the script completes successfully, see [Troubleshoot onboarding issues on the
### Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager
When onboarding machines using the following versions of Configuration Manager:
+- Microsoft Endpoint Configuration Manager
- System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager
@@ -68,9 +69,9 @@ If the script fails and the event is an error, you can check the event ID in the
Event ID | Error Type | Resolution steps
:---|:---|:---
5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
-10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```. Verify that the script was ran as an administrator.
+10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. Verify that the script has been run as an administrator.
15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again.
-15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions.
+15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Microsoft Defender Antivirus ELAM driver, see [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy) for instructions.
30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
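Review bot: the rewritten second `15` row still reads as a run-on ("If the message of the error is: System error 577 or error 1058 has occurred. You need to enable ..."); suggest "If the error message is 'System error 577' or 'error 1058', enable the Microsoft Defender Antivirus ELAM driver; see [Ensure that Microsoft Defender Antivirus is not disabled by a policy] for instructions." The corrected registry key (`...\Windows Advanced Threat Protection`) and the new anchor match the renamed heading later in this patch, which is right. Two adjacent context problems are worth fixing while here: the first `15` row is split across two lines (the "If the machine is running Windows 10, version 1607..." sentence sits on its own line, so it renders outside the table; join it into the cell with `<br>`), and the table then has two rows with Event ID 15 that could be merged into one.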
@@ -79,7 +80,7 @@ Event ID | Error Type | Resolution steps
### Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
-If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment.
+If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment.
Use the following tables to understand the possible causes of issues while onboarding:
@@ -87,7 +88,7 @@ Use the following tables to understand the possible causes of issues while onboa
- Known issues with non-compliance table
- Mobile Device Management (MDM) event logs table
-If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt.
+If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt.
**Microsoft Intune error codes and OMA-URIs**:
@@ -130,7 +131,7 @@ If the deployment tools used does not indicate an error in the onboarding proces
- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled)
- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
- [Ensure the machine has an Internet connection](#ensure-the-machine-has-an-internet-connection)
-- [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
+- [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)
### View agent onboarding errors in the machine event log
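Review bot: the anchor update matches the renamed heading, fine. In the unchanged context just above it, the link text "Ensure the diagnostic data service is enabled" points at `#ensure-the-diagnostics-service-is-enabled`; verify that slug against the actual heading while touching this list, since a mismatched anchor silently lands at the top of the page.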
@@ -140,7 +141,7 @@ If the deployment tools used does not indicate an error in the onboarding proces
2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**.
> [!NOTE]
- > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP.
+ > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP.
3. Select **Operational** to load the log.
@@ -243,7 +244,7 @@ To ensure that sensor has service connectivity, follow the steps described in th
If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) topic.
-### Ensure that Windows Defender Antivirus is not disabled by a policy
+### Ensure that Microsoft Defender Antivirus is not disabled by a policy
**Problem**: The Microsoft Defender ATP service does not start after onboarding.
**Symptom**: Onboarding successfully completes, but you see error 577 or error 1058 when trying to start the service.
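Review bot: renaming the heading changes its generated anchor from `#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy` to `#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy`. The two in-file references (the event 15 table row and the checklist item) are updated in this patch, but any other article linking to the old slug will break; grep the repo for the old anchor before merging.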
@@ -266,7 +267,7 @@ If the verification fails and your environment is using a proxy to connect to th
1. Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```.
2. Ensure that the value ```DisableAntiSpyware``` is not present.
- 
+ 
## Troubleshoot onboarding issues on a server
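Review bot: this hunk only strips trailing whitespace, but the context line two above it puts the word "key" inside the code span ("Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```"); move "key" outside the span so the rendered code is the registry path alone: "Open the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`."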
@@ -282,28 +283,125 @@ You might also need to check the following:
- Check **Event Viewer** > **Applications and Services Logs** > **Operation Manager** to see if there are any errors.
-- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example,
+- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example,

-- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running.
+- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running.

-- Check to see that machines are reflected in the **Machines list** in the portal.
+- Check to see that machines are reflected in the **Machines list** in the portal.
+
+## Confirming onboarding of newly built machines
+There may be instances when onboarding is deployed on a newly built machine but not completed.
+
+The steps below provide guidance for the following scenario:
+- Onboarding package is deployed to newly built machines
+- Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed
+- Machine is turned off or restarted before the end user performs a first logon
+- In this scenario, the SENSE service will not start automatically even though onboarding package was deployed
+
+>[!NOTE]
+>The following steps are only relevant when using Microsoft Endpoint Configuration Manager
-## Licensing requirements
-Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
+1. Create an application in Microsoft Endpoint Configuration Manager.
-- Windows 10 Enterprise E5
-- Windows 10 Education E5
-- Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
+ 
-For more information, see [Windows 10 Licensing](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx#tab=2).
+2. Select **Manually specify the application information**.
+ 
+3. Specify information about the application, then select **Next**.
+ 
+
+4. Specify information about the software center, then select **Next**.
+ 
+
+5. In **Deployment types** select **Add**.
+ 
+
+6. Select **Manually specify the deployment type information**, then select **Next**.
+ 
+
+7. Specify information about the deployment type, then select **Next**.
+ 
+
+8. In **Content** > **Installation program** specify the command: `net start sense`.
+ 
+
+9. In **Detection method**, select **Configure rules to detect the presence of this deployment type**, then select **Add Clause**.
+
+ 
+
+10. Specify the following detection rule details, then select **OK**:
+ 
+
+11. In **Detection method** select **Next**.
+ 
+
+12. In **User Experience**, specify the following information, then select **Next**:
+ 
+
+13. In **Requirements**, select **Next**.
+ 
+
+14. In **Dependencies**, select **Next**.
+ 
+
+15. In **Summary**, select **Next**.
+ 
+
+16. In **Completion**, select **Close**.
+
+ 
+
+17. In **Deployment types**, select **Next**.
+
+ 
+
+18. In **Summary**, select **Next**.
+ 
+
+ The status is then displayed
+ 
+
+19. In **Completion**, select **Close**.
+
+ 
+
+20. You can now deploy the application by right-clicking the app and selecting **Deploy**.
+
+ 
+
+21. In **General** select **Automatically distribute content for dependencies** and **Browse**.
+ 
+
+22. In **Content** select **Next**.
+ 
+
+23. In **Deployment settings**, select **Next**.
+ 
+
+24. In **Scheduling** select **As soon as possible after the available time**, then select **Next**.
+ 
+
+25. In **User experience**, select **Commit changes at deadline or during a maintenance window (requires restarts)**, then select **Next**.
+ 
+
+26. In **Alerts** select **Next**.
+ 
+
+27. In **Summary**, select **Next**.
+ 
+
+ The status is then displayed
+ 
+
+28. In **Completion**, select **Close**.
+ 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink)
## Related topics
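Review bot: steps 7, 10 and 12 ("Specify information about the deployment type", "Specify the following detection rule details", "specify the following information") carry the actual values only in the screenshots, so the text alone never says what the detection rule checks or which installation behavior to pick for the `net start sense` program; state those values in prose, since screenshots are neither searchable nor accessible. Separately, the Licensing requirements section (Windows 10 Enterprise E5, Windows 10 Education E5, Microsoft 365 Enterprise E5, and the Windows 10 Licensing link) is deleted without a replacement pointer in this file; confirm the content lives elsewhere before dropping it. Minor: the fourth bullet under "The steps below provide guidance for the following scenario" ("In this scenario, the SENSE service will not start automatically...") is the outcome rather than a condition and reads better as a sentence after the list; the NOTE line lacks a closing period; and the two unnumbered "The status is then displayed" fragments between steps 18/19 and 27/28 should be folded into the preceding step.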
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index e35d189282..05264dcf03 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -1,5 +1,5 @@
---
-title: Threat & Vulnerability Management dashboard overview
+title: Threat & Vulnerability Management dashboard insights
description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience.
keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
search.appverid: met150
@@ -16,7 +16,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Threat & Vulnerability Management dashboard overview
+# Threat & Vulnerability Management dashboard insights
**Applies to:**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index 3078eee09f..023e88ad09 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -49,26 +49,7 @@ You can remediate the issues based on prioritized [security recommendations](tvm
## Reduce your threat and vulnerability exposure
-To lower your threat and vulnerability exposure, follow these steps.
-
-1. Review the **Top security recommendations** from your [**Threat & Vulnerability Management dashboard**](tvm-dashboard-insights.md) , and select the first item on the list. The **Security recommendation** page opens.
-
- Always prioritize recommendations that are associated with ongoing threats:
-
- -  Threat insight icon
- -  Active alert icon
-
- 
-
-2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. 
-
-3. Select **Installed machines** and then the affected machine from the list. A flyout panel will open with the relevant machine details, exposure and risk levels, alert and incident activities. 
-
-4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. 
-
-5. Allow a few hours for the changes to propagate in the system.
-
-6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
+Lower your threat and vulnerability exposure by remediating [security recommendations](tvm-security-recommendation.md). Make the most impact to your exposure score by remediating the top security recommendations, which can be viewed in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md).
## Related topics
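Review bot: the replacement paragraph drops the operational guidance that the removed steps carried: prioritise recommendations flagged with the threat-insight or active-alert icons, allow a few hours for changes to propagate, then re-check the machine's Security recommendation tab. If that procedure now lives in tvm-security-recommendation.md, link to the specific section rather than the page; otherwise keep at least the propagation note, since readers will otherwise expect the exposure score to drop immediately. Wording: "Make the most impact to your exposure score" should be "Have the most impact on your exposure score".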
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index 7dfa480444..239b7afd31 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -32,48 +32,35 @@ Lower your organization's exposure from vulnerabilities and increase your securi
## Navigate to the Remediation page
-You can access the remediation page though the navigation menu, and top remediation activities in the dashboard.
+You can access the Remediation page a few different ways:
+
+- Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
+- Top remediation activities card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
### Navigation menu
-Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. Select the remediation activity that you want to view.
-
+Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization.
### Top remediation activities in the dashboard
View **Top remediation activities** in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.
+
+
## Remediation activities
When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
+Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete.
+
+
## Exceptions
-You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [configuration score](configuration-score.md).
-
-[File for an exception](tvm-security-recommendation.md#file-for-exception) from the [Security recommendations page](tvm-security-recommendation.md).
-
-### Exception justification
-
-If the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The following list details the justifications behind the exception options:
-
-- **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus
-- **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow
-- **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive
-- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
-- **Other** - False positive
-
-
-
-### Where to find exceptions
+When you [file for an exception](tvm-security-recommendation.md#file-for-exception) from the [Security recommendations page](tvm-security-recommendation.md), you create an exception for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [configuration score](configuration-score.md).
The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status.
-
-
-You can also select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. Selecting the link opens a filtered view in the **Security recommendations** page of recommendations with an "Exception" status.
-
-
+
### Exception actions and statuses
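Review bot: in the new Exceptions paragraph, "exclude certain recommendation from showing up" should be "exclude certain recommendations from showing up", and the opening sentence is circular (filing an exception creates an exception); suggest "File an exception from the Security recommendations page to exclude a recommendation from reports and from your configuration score." In the unchanged context above, "kicks-off" should be "kicks off".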
@@ -98,7 +85,13 @@ Creating an exception can potentially affect the Exposure Score (for both types
The exception impact shows on both the Security recommendations page column and in the flyout pane.
-
+
+
+### View exceptions in other places
+
+Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard to open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status.
+
+
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index 683aa6e7a0..16f53d738f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -23,7 +23,7 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!TIP]
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
@@ -31,7 +31,7 @@ Cybersecurity weaknesses identified in your organization are mapped to actionabl
Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
-## Criteria
+## How it works
Each machine in the organization is scored based on three important factors to help customers to focus on the right things at the right time.
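Review bot: renaming "Criteria" to "How it works" changes the heading slug from `#criteria`; check other articles for inbound links to that anchor before merging. The sentence that follows still refers to "three important factors", which fits either heading.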
@@ -41,9 +41,17 @@ Each machine in the organization is scored based on three important factors to h
- **Business value** - Your organization's assets, critical processes, and intellectual properties
-## Navigate to security recommendations
+## Navigate to the Security recommendations page
-You can access security recommendations from the Microsoft Defender ATP Threat & Vulnerability Management navigation menu, dashboard, software page, and machine page.
+Access the Security recommendations page a few different ways:
+
+- Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
+- Top security recommendations in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
+
+View related security recommendations in the following places:
+
+- Software page
+- Machine page
### Navigation menu
@@ -53,7 +61,7 @@ Go to the Threat & Vulnerability Management navigation menu and select **Securit
In a given day as a Security Administrator, you can take a look at the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [configuration score](configuration-score.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
-
+
The top security recommendations lists the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details about the recommendation.
@@ -63,21 +71,21 @@ View recommendations, the number of weaknesses found, related components, threat
The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the number of exposed machines, the color of the graph will change into green.
-
+
### Icons
-Useful icons also quickly calls your attention to:
 possible active alerts
 associated public exploits
### Investigate
Select the security recommendation that you want to investigate or process.
-
+
From the flyout, you can do any of the following:
-- **Open software page** - Open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-support, and charts of the exposure trend over time.
+- **Open software page** - Open the software page to get more context on the software and how it is distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution.
- **Remediation options** - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
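Review bot: the rewritten "Open software page" bullet has a typo, "names and detailed of devices" should be "names and details of devices". Removing the lead-in "Useful icons also quickly calls your attention to:" leaves the two icon images under "### Icons" with no introducing sentence; keep a corrected lead-in ("Icons call your attention to:") rather than deleting it.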
@@ -122,11 +130,17 @@ Exceptions can be created for both Security update and Configuration change reco
When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
1. Select a security recommendation you would like create an exception for, and then **Exception options**.
-
+
2. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
-> 
+ The following list details the justifications behind the exception options:
+
+ - **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus
+ - **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow
+ - **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive
+ - **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
+ - **Other** - False positive
3. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
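Review bot: the justification list moved here from tvm-remediation.md carries over the garbled first item, "if Network Firewall - - prevents access to a machine, third party antivirus"; suggest "for example, a network firewall that prevents access to the machine, or third-party antivirus". Also "3rd party" should be "third-party", and "Select a security recommendation you would like create an exception for" in the unchanged step 1 is missing "to".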
@@ -140,15 +154,12 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
2. Select the three dots beside the security recommendation that you want to report, then select **Report inaccuracy**.
-
+
3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
-
-
4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
-
## Related topics
- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
index c56539dc1b..7ac4761b32 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -23,55 +23,67 @@ ms.topic: conceptual
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-[!include[Prerelease information](../../includes/prerelease.md)]
-
Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
-## Navigate through your software inventory
-
-1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact to exposure score, tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support.
-
-
-2. In the **Software inventory** page, select the software that you want to investigate and a flyout panel opens up with the same details mentioned above but in a more compact view. You can either dive deeper into the investigation and select **Open software page** or flag any technical inconsistencies by selecting **Report inaccuracy**.
-
-3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the software, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
-
## How it works
-In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment.
+In the field of discovery, we are leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender ATP endpoint detection and response capabilities](overview-endpoint-detection-response.md).
Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.
+## Navigate to the Software inventory page
+
+You can access the Software inventory page by selecting **Software inventory** from the Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md).
+
+View software on specific machines in the individual machines pages from the [machines list](machines-view-overview.md).
+
+## Software inventory overview
+
+The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact to exposure score, and tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support.
+
+
+Select the software that you want to investigate and a flyout panel opens up with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**.
+
+
+
+## Software pages
+
+Once you are in the Software inventory page and have opened the flyout panel by selecting a software to investigate, select **Open software page** (see image in the previous section). A full page will appear with all the details of a specific software and the following information:
+
+- Side panel with vendor information, prevalence of the software in the organization (including number of machines it is installed on, and exposed machines that are not patched), whether and exploit is available, and impact to your exposure score
+- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed machines
+- Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities identified, the named CVEs of discovered vulnerabilities, the names of the machines that the software is installed on, and the specific versions of the software with the number of machines that have each version installed and number of vulnerabilities.
+
+
+
+## Software evidence
+
+We now show evidence of where we detected a specific software on a machine from the registry, disk or both.
+You can find it on any machines found in the [machines list](machines-view-overview.md) in a section called "Software Evidence."
+
+From the Microsoft Defender Security Center navigation panel, go to **Machines list** > select the name of a machine to open the machine page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence.
+
+
+
## Report inaccuracy
-You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information in the machine page.
-
-1. Select one of the software rows. A flyout will appear.
-
-2. Select "Report inaccuracy" in the flyout
-
-
+You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information.
+1. Open the software flyout on the Software inventory page.
+2. Select **Report inaccuracy**.
3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
-
-
-
4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
## Related topics
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
-- [Security recommendation](tvm-security-recommendation.md)
+- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Recommendation APIs](vulnerability.md)
-- [Machine APIs](machine.md)
-- [Score APIs](score.md)
-- [Software APIs](software.md)
-- [Vulnerability APIs](vulnerability.md)
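Review bot: The new side-panel bullet under "Software pages" reads "whether and exploit is available"; should be "whether an exploit is available". Two more wording problems in the same hunk: "by selecting a software to investigate" treats software as countable (use "selecting the software to investigate"), and the "Software evidence" paragraph ("We now show evidence of where we detected a specific software on a machine from the registry, disk or both" / "any machines found in") is release-note voice for a reference article; state it as "The Software evidence section shows where the software was detected on a machine: in the registry, on disk, or both. It appears on any machine in the machines list." The Report inaccuracy intro, "any vague, inaccurate version, incomplete, or already remediated software inventory information", also needs a parallel list, e.g. "vague, inaccurate, incomplete, or already remediated software inventory information (including a wrong version)". The Related topics consolidation is a genuine fix: the removed "Recommendation APIs" entry pointed at vulnerability.md, the same target as "Vulnerability APIs", so replacing the five links with one APIs link removes a wrong duplicate.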
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
index d7cad2e5aa..64933d374c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@@ -34,14 +34,14 @@ Windows 7 | Operating System (OS) vulnerabilities
Windows 8.1 | Not supported
Windows 10 1607-1703 | Operating System (OS) vulnerabilities
Windows 10 1709+ |Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
-Windows Server 2008R2 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
-Windows Server 2012R2 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
+Windows Server 2008 R2 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
+Windows Server 2012 R2 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
Windows Server 2016 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
Windows Server 2019 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment
MacOS | Not supported (planned)
Linux | Not supported (planned)
-Some of the above prerequisites might be different from the [Minimum requirements for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements) list.
+Some of the above prerequisites might be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list.
## Related topics
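Review bot: In the Windows 10 1709+ row and the four Windows Server rows the supported capabilities run together in a single cell ("Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment") with no separator, so a reader cannot tell where one capability ends and the next begins; separate them (for example with `<br>` between items) while this table is being touched. The "2008 R2" / "2012 R2" spacing fix and the switch to a relative link for minimum-requirements.md are fine. Minor: "MacOS" should be "macOS", and "Some of the above prerequisites" describes a capability matrix, so "Some of the above platform requirements" reads more accurately.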
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index 37bfee2589..4b7a5cb97e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -27,14 +27,7 @@ ms.topic: conceptual
Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
-The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights.
-
-You can access the list of vulnerabilities in a few places in the portal:
-
-- Global search
-- Weaknesses option in the navigation menu
-- Top vulnerable software widget in the dashboard
-- Discovered vulnerabilities page in the machine page
+The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, and threat insights.
>[!IMPORTANT]
>To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network:
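Review bot: The rewritten opening sentence still says the page lists "the vulnerabilities found in the infected software running in your organization". A CVE match means the software is vulnerable, not infected; this page is about vulnerability assessment, not malware detection, and "infected" will mislead analysts triaging the list. "lists down" is also non-standard. Suggest: "The **Weaknesses** page lists the vulnerabilities found in software running in your organization, showing the Common Vulnerabilities and Exposures (CVE) ID, severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach insights, and threat insights."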
@@ -45,7 +38,27 @@ You can access the list of vulnerabilities in a few places in the portal:
## Navigate to the Weaknesses page
-When new vulnerabilities are released, you can find out how many of your assets are exposed in the **Weaknesses** page of the Threat & Vulnerability Management navigation menu. If the **Exposed Machines** column shows 0, that means you are not at risk. If exposed machines exist, the next step is to remediate the vulnerabilities in those machines to reduce the risk to your assets and organization.
+Access the Weaknesses page a few different ways:
+
+- Selecting **Weaknesses** from the Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
+- Global search
+
+### Navigation menu
+
+Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open the list of CVEs.
+
+### Vulnerabilities in global search
+
+1. Go to the global search drop-down menu.
+2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you are looking for.
+
+3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.
+
+To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search.
+
+## Weaknesses overview
+
+If the **Exposed Machines** column shows 0, that means you are not at risk. If exposed machines exist, the next step is to remediate the vulnerabilities in those machines to reduce the risk to your assets and organization.

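Review bot: The new "Weaknesses overview" sentence, "If the **Exposed Machines** column shows 0, that means you are not at risk", claims more than the number proves. Zero means no onboarded machine that Threat & Vulnerability Management can assess currently matches the CVE's detection logic; machines that are not onboarded, and machines on platforms the support matrix in this same PR marks "Not supported" (Windows 8.1, macOS, Linux), are not counted at all, and detection for the supported ones depends on the mandatory updates called out in the IMPORTANT box in the previous hunk. Suggest: "If the **Exposed Machines** column shows 0, no assessed machine is currently exposed to this vulnerability. If exposed machines exist, ...". Smaller points in the same hunk: "key-in the ... CVE ID" should be "enter the ... CVE ID", and the steps mix "select the search icon" with "click search"; use one verb.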
@@ -54,89 +67,64 @@ When new vulnerabilities are released, you can find out how many of your assets
You can view the related breach and threat insights in the **Threat** column when the icons are colored red.
>[!NOTE]
- > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon and breach insight  icon.
+ > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon  and breach insight icon .
The breach insights icon is highlighted if there is a vulnerability found in your organization.
-
+
The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit or connected to specific advanced persistent campaigns or activity groups. Threat Analytics report links are provided that you can read with zero-day exploitation news, disclosures, or related security advisories.
-
+
+## View Common Vulnerabilities and Exposures (CVE) entries in other places
-
-## Vulnerabilities in global search
-
-1. Go to the global search drop-down menu.
-2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you are looking for.
-
-3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.
-
-To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search.
-
-## Top vulnerable software in the dashboard
+### Top vulnerable software in the dashboard
1. Go to the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time.
-
+
2. Select the software that you want to investigate to go a drill down page.
3. Select the **Discovered vulnerabilities** tab.
-4. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
+4. Select the vulnerability that you want to investigate. A flyout panel will appear with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
-
+
-## Discover vulnerabilities in the machine page
+### Discover vulnerabilities in the machine page
-1. Go to the left-hand navigation menu bar, then select the machine icon. The **Machines list** page opens.
-2. In the **Machines list** page, select the machine name that you want to investigate.
+View related weaknesses information in the machine page.
+
+1. Go to the Microsoft Defender Security Center navigation menu bar, then select the machine icon. The **Machines list** page opens.
+2. In the **Machines list** page, select the machine name that you want to investigate.

-3. The machine page will open with details and response options for the machine you want to investigate.
+3. The machine page will open with details and response options for the machine you want to investigate.
4. Select **Discovered vulnerabilities**.

5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.
-### CVE Detection logic
+#### CVE Detection logic
Similar to the software evidence, we now show the detection logic we applied on a machine in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the machine page) that shows the detection logic and source.
-
-
+
## Report inaccuracy
-You can report a false positive when you see any vague, inaccurate, missing, or already remediated vulnerability information in the machine page.
+You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information.
-1. Select the **Discovered vulnerabilities** tab.
-
-2. Click **:** beside the vulnerability that you want to report about, and then select **Report inaccuracy**.
-
- A flyout pane opens.
-
-
-3. From the flyout pane, select the inaccuracy category from the **Discovered vulnerability inaccuracy reason** drop-down menu.
- 
-
-4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
-
-5. Include your machine name for investigation context.
-
- > [!NOTE]
- > You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
-
-6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
+1. Open the CVE on the Weaknesses page.
+2. Select **Report inaccuracy**.
+3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
+4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
## Related topics
+
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
-- [Security recommendation](tvm-security-recommendation.md)
+- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
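Review bot: The rewritten Report inaccuracy intro now says "already remediated security recommendation information", but this is the Weaknesses page and the line it replaces said "vulnerability information"; the wording looks copied from the security recommendations article, and the next step ("Open the CVE on the Weaknesses page") confirms the subject is a CVE. Change it back to "vulnerability information". The rewrite also drops the old step 5, "Include your machine name for investigation context"; if the form still has that field, keep a mention of it, because a report about a CVE detection with no machine name gives the investigators nothing to reproduce against. Same voice problem as the software inventory page in "#### CVE Detection logic" ("we now show the detection logic we applied on a machine"): describe the section rather than announce it, e.g. "The Detection Logic section of a discovered vulnerability on the machine page shows the detection logic and its source." Finally, the file now ends without a trailing newline ("\ No newline at end of file"); add one.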
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index 689a9fe3d1..963c08c5ff 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -1,6 +1,6 @@
---
title: What's new in Microsoft Defender ATP
-description: Lists the new features and functionality in Microsoft Defender ATP
+description: See what features are generally available (GA) in the latest release of Microsoft Defender ATP, as well as security features in Windows 10 and Windows Server.
keywords: what's new in microsoft defender atp, ga, generally available, capabilities, available, new
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -27,8 +27,17 @@ The following features are generally available (GA) in the latest release of Mic
For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection).
-RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
-`https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+Defender+ATP%22&locale=en-us`
+
+> [!TIP]
+> RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
+>
+> ```https
+> https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us
+> ```
+
+## April 2020
+
+- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list) Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
## November-December 2019
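Review bot: The RSS feed URL's search term is a quoted fragment of the page description ("Microsoft Defender ATP as well as security features in Windows 10 and Windows Server."), so the feed only returns this page while the description at the top of the file keeps that exact text. Both were changed together in this PR, and they will have to change together again next time someone edits the description; add a comment next to the description noting the coupling, or key the search on the page title, which changes less often. Two smaller points: ```https is not a standard fence language identifier (use `http` or `text`), and the April 2020 bullet's list ("such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, ...") mixes a verb phrase with noun phrases; make the items parallel ("such as retrieving your organization's exposure score or device secure score, the software and machine vulnerability inventory, software version distribution, ...").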
@@ -54,7 +63,7 @@ RSS feed: Get notified when this page is updated by copying and pasting the foll
## September 2019
-- [Tamper Protection settings using Intune](../windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune) You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune).
+- [Tamper Protection settings using Intune](../microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune) You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management Portal (Intune).
- [Live response](live-response.md) Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real-time.
@@ -118,10 +127,10 @@ Threat Analytics is a set of interactive reports published by the Microsoft Defe
- Block Adobe Reader from creating child processes
- Block Office communication application from creating child processes.
-- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
+- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
- Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/).
- - Windows Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security.
- - [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus) for Windows Defender Antivirus scans.
+ - Microsoft Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/microsoft-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security.
+ - [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus) for Microsoft Defender Antivirus scans.
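Review bot: The cloudblogs URL in the sandbox bullet was rewritten from "2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox" to "2018/10/26/microsoft-defender-antivirus-can-now-run-in-a-sandbox". That is an external blog post published in October 2018 under the original product name; rewriting its slug almost certainly turns a working link into a 404 unless the blog owner renamed the post as well. Keep the original URL (rebranding the link text is fine) and verify the link resolves before merging. The docs.microsoft.com path changes in the same hunk are internal to this docset and can be covered by redirects, which is a different situation.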
@@ -157,9 +166,9 @@ You can now block untrusted processes from writing to disk sectors using Control
Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal.
-- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
-Windows Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender ATP. For more information, see [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus).
+- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
+Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender ATP. For more information, see [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
- Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus).
+ Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
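Review bot: Both rewritten links move from absolute "windows-defender-antivirus/...-windows-defender-antivirus" URLs to "microsoft-defender-antivirus/...-microsoft-defender-antivirus" URLs, but this diff does not show the target articles being renamed, so confirm those paths resolve (or have redirect entries) before merging. Since the targets are articles in this same repository, relative links (as this PR already does for minimum-requirements.md in tvm-supported-os.md) would be validated by the build instead of failing silently for readers.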
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png
new file mode 100644
index 0000000000..74f9fb15ed
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png
new file mode 100644
index 0000000000..daa96d291d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png differ
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/images/windows-defender-security-center.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-smartscreen/images/windows-defender-security-center.png
rename to windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/images/windows-defender-smartscreen-control.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-smartscreen/images/windows-defender-smartscreen-control.png
rename to windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
similarity index 57%
rename from windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
rename to windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
index 0dabbdb3b1..60760b7cac 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
@@ -1,7 +1,7 @@
---
-title: Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10)
-description: A list of all available settings for Windows Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
-keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
+title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10)
+description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
+keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
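Review bot: This rename moves the article to a new folder and slug (microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md), so every external link and bookmark to the old windows-defender-smartscreen path breaks unless a redirect entry is added; the redirection file in this PR is shown as a binary change and cannot be reviewed here, so please confirm the redirect exists. On the metadata: the keywords line keeps "SmartScreen Filter" and "Windows SmartScreen" as legacy search terms, which is right, and "Windows Defender SmartScreen" should stay in that list too, since the Group Policy paths later in this same article still carry that name and admins will search for it.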
@@ -13,13 +13,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
---
-# Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
+# Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
**Applies to:**
- Windows 10
- Windows 10 Mobile
-Windows Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely.
+Microsoft Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Microsoft Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely.
See [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune.
@@ -35,48 +35,48 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
Windows 10, version 1703: Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen
Windows 10, Version 1607 and earlier: Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen
At least Windows Server 2012, Windows 8 or Windows RT
-
This policy setting turns on Windows Defender SmartScreen.
If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Windows Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).
If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.
If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.
+
This policy setting turns on Microsoft Defender SmartScreen.
If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).
If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.
If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
Windows 10, version 1703
-
This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.
This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.
Important: Using a trustworthy browser helps ensure that these protections work as expected.
+
This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.
Important: Using a trustworthy browser helps ensure that these protections work as expected.
Windows 10, version 1703: Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen
Windows 10, Version 1607 and earlier: Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen
Microsoft Edge on Windows 10 or later
-
This policy setting turns on Windows Defender SmartScreen.
If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off.
If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.
If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.
+
This policy setting turns on Microsoft Defender SmartScreen.
If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.
If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.
If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.
Windows 10, version 1703: Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
Windows 10, Version 1511 and 1607: Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files
Microsoft Edge on Windows 10, version 1511 or later
-
This policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious files.
If you enable this setting, it stops employees from bypassing the warning, stopping the file download.
If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.
+
This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.
If you enable this setting, it stops employees from bypassing the warning, stopping the file download.
If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.
Windows 10, version 1703: Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
Windows 10, Version 1511 and 1607: Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites
Microsoft Edge on Windows 10, version 1511 or later
-
This policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious sites.
If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.
If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.
+
This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.
If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.
If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.
This policy setting prevents the employee from managing Windows Defender SmartScreen.
If you enable this policy setting, the employee isn't prompted to turn on Windows Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.
If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Windows Defender SmartScreen during the first-run experience.
+
This policy setting prevents the employee from managing Microsoft Defender SmartScreen.
If you enable this policy setting, the employee isn't prompted to turn on Microsoft Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.
If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Microsoft Defender SmartScreen during the first-run experience.
This policy setting determines whether an employee can bypass warnings from Windows Defender SmartScreen.
If you enable this policy setting, Windows Defender SmartScreen warnings block the employee.
If you disable or don't configure this policy setting, the employee can bypass Windows Defender SmartScreen warnings.
+
This policy setting determines whether an employee can bypass warnings from Microsoft Defender SmartScreen.
If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.
If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.
Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
Internet Explorer 9 or later
-
This policy setting determines whether the employee can bypass warnings from Windows Defender SmartScreen. Windows Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.
If you enable this policy setting, Windows Defender SmartScreen warnings block the employee.
If you disable or don't configure this policy setting, the employee can bypass Windows Defender SmartScreen warnings.
+
This policy setting determines whether the employee can bypass warnings from Microsoft Defender SmartScreen. Microsoft Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.
If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.
If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.
## MDM settings
If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices.
-For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer).
+For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer).
Setting
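Review bot: the rename is applied only to the description text, while the Group Policy paths in the context lines (`...\Configure Windows Defender SmartScreen`, `...\Prevent bypassing Windows Defender SmartScreen prompts for files`) keep the old product name. That is the right call, because those strings must match what an admin sees in the Group Policy editor, but readers will report them as missed renames unless the page says so; add a one-line remark above the table that policy names are shown as they appear in the editor. The same applies to the Internet Explorer row, where the policy is still `Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet` while its new description now attributes the warning to Microsoft Defender SmartScreen.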
@@ -91,8 +91,8 @@ For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP
URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
Data type. Integer
Allowed values:
-
0 . Turns off Windows Defender SmartScreen in Edge.
-
1. Turns on Windows Defender SmartScreen in Edge.
+
0 . Turns off Microsoft Defender SmartScreen in Edge.
+
1. Turns on Microsoft Defender SmartScreen in Edge.
@@ -115,8 +115,8 @@ For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP
URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
Data type. Integer
Allowed values:
-
0 . Turns off Windows Defender SmartScreen in Windows for app and file execution.
-
1. Turns on Windows Defender SmartScreen in Windows for app and file execution.
+
0 . Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
+
1. Turns on Microsoft Defender SmartScreen in Windows for app and file execution.
@@ -127,8 +127,8 @@ For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP
URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
Data type. Integer
Allowed values:
-
0 . Employees can ignore Windows Defender SmartScreen warnings and run malicious files.
-
1. Employees can't ignore Windows Defender SmartScreen warnings and run malicious files.
+
0 . Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
+
1. Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.
@@ -139,8 +139,8 @@ For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP
URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
Data type. Integer
Allowed values:
-
0 . Employees can ignore Windows Defender SmartScreen warnings.
-
1. Employees can't ignore Windows Defender SmartScreen warnings.
+
0 . Employees can ignore Microsoft Defender SmartScreen warnings.
+
1. Employees can't ignore Microsoft Defender SmartScreen warnings.
@@ -151,16 +151,16 @@ For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP
URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
Data type. Integer
Allowed values:
-
0 . Employees can ignore Windows Defender SmartScreen warnings for files.
-
1. Employees can't ignore Windows Defender SmartScreen warnings for files.
+
0 . Employees can ignore Microsoft Defender SmartScreen warnings for files.
+
1. Employees can't ignore Microsoft Defender SmartScreen warnings for files.
## Recommended Group Policy and MDM settings for your organization
-By default, Windows Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Windows Defender SmartScreen to block high-risk interactions instead of providing just a warning.
+By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning.
-To better help you protect your organization, we recommend turning on and using these specific Windows Defender SmartScreen Group Policy and MDM settings.
+To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
Group Policy setting
@@ -168,7 +168,7 @@ To better help you protect your organization, we recommend turning on and using
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen
-
Enable. Turns on Windows Defender SmartScreen.
+
Enable. Turns on Microsoft Defender SmartScreen.
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
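Review bot: the Group Policy path in the context line, `Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen`, does not match the path this file lists for Windows 10, version 1703 (`Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen`); the earlier table gives a `Microsoft Edge` path only for version 1607 and earlier, and that entry is named `Configure Windows SmartScreen`. Because the recommended settings are the ones readers act on, either list the version-specific paths here as the earlier table does or state which Windows 10 version this path applies to. The same check applies to the `Prevent bypassing ... prompts for sites` path on the line below.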
@@ -191,7 +191,7 @@ To better help you protect your organization, we recommend turning on and using
Browser/AllowSmartScreen
-
1. Turns on Windows Defender SmartScreen.
+
1. Turns on Microsoft Defender SmartScreen.
Browser/PreventSmartScreenPromptOverride
@@ -203,7 +203,7 @@ To better help you protect your organization, we recommend turning on and using
SmartScreen/EnableSmartScreenInShell
-
1. Turns on Windows Defender SmartScreen in Windows.
Requires at least Windows 10, version 1703.
+
1. Turns on Microsoft Defender SmartScreen in Windows.
Requires at least Windows 10, version 1703.
SmartScreen/PreventOverrideForFilesInShell
@@ -214,7 +214,7 @@ To better help you protect your organization, we recommend turning on and using
## Related topics
- [Threat protection](../index.md)
-- [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)
+- [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md)
- [Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies)
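Review bot: the new relative link `microsoft-defender-smartscreen-overview.md` only resolves if this file also lives in the `microsoft-defender-smartscreen` folder that the new overview file is created in later in this diff, and that overview page links back to `microsoft-defender-smartscreen-available-settings.md` in the same folder. No rename of this file appears in the diff; confirm the move is part of this change (with a matching redirect from the old path), otherwise both links break on publish.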
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
new file mode 100644
index 0000000000..f13b6bff37
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -0,0 +1,93 @@
+---
+title: Microsoft Defender SmartScreen overview (Windows 10)
+description: Conceptual info about Microsoft Defender SmartScreen.
+keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+ms.author: macapara
+audience: ITPro
+ms.localizationpriority: medium
+ms.date: 11/27/2019
+ms.reviewer:
+manager: dansimp
+---
+
+# Microsoft Defender SmartScreen
+
+**Applies to:**
+
+- Windows 10
+- Windows 10 Mobile
+- Microsoft Edge
+
+Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
+
+**Microsoft Defender SmartScreen determines whether a site is potentially malicious by:**
+
+- Analyzing visited webpages looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
+
+- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious.
+
+**Microsoft Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:**
+
+- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious.
+
+- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution.
+
+## Benefits of Microsoft Defender SmartScreen
+
+Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
+
+- **Anti-phishing and anti-malware support.** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
+
+- **Reputation-based URL and app protection.** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.
+
+- **Operating system integration.** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
+
+- **Improved heuristics and diagnostic data.** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
+
+- **Management through Group Policy and Microsoft Intune.** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md).
+
+- **Blocking URLs associated with potentially unwanted applications.** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md).
+
+> [!IMPORTANT]
+> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
+
+## Submit files to Microsoft Defender SmartScreen for review
+
+If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more info, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).
+
+When submitting Microsoft Defender Smartscreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu.
+
+
+
+## Viewing Microsoft Defender SmartScreen anti-phishing events
+
+When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).
+
+## Viewing Windows event logs for Microsoft Defender SmartScreen
+Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.
+
+Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it:
+
+```
+wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true
+```
+
+> [!NOTE]
+> For information on how to use the Event Viewer, see [Windows Event Viewer](https://docs.microsoft.com/host-integration-server/core/windows-event-viewer1).
+
+
+EventID | Description
+-|-
+1000 | Application Windows Defender SmartScreen Event
+1001 | Uri Windows Defender SmartScreen Event
+1002 | User Decision Windows Defender SmartScreen Event
+
+## Related topics
+- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
+- [Threat protection](../index.md)
+- [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings)
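Review bot: the two links to the settings page in this new file disagree: the benefits list points to the new relative `microsoft-defender-smartscreen-available-settings.md`, while Related topics points to the old absolute `https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings`; use the new relative target in both places. Smaller fixes in the same hunk: `Microsoft Defender SmartScreen provide an early warning system` should read `provides`; `When submitting Microsoft Defender Smartscreen products` has inconsistent capitalization and `products` reads oddly (likely `files`); `Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI...` is a comma splice and should be two sentences; the `wevtutil` fence should carry a language tag (for example `cmd`) like the other code blocks in this repo; and the event table still says `Windows Defender SmartScreen Event` for IDs 1000 to 1002, so confirm whether those are the literal event names in the `Microsoft-Windows-SmartScreen/Debug` channel (keep them if so) or prose that should be renamed. The IMPORTANT note that SmartScreen does not cover files on internal locations, UNC paths or SMB/CIFS shares is the most useful caveat on the page; consider placing it directly under the opening paragraph rather than after the benefits list, since readers sizing up their coverage will look for it there.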
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
new file mode 100644
index 0000000000..728d759855
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
@@ -0,0 +1,88 @@
+---
+title: Set up and use Microsoft Defender SmartScreen on individual devices (Windows 10)
+description: Learn how employees can use Windows Security to set up Microsoft Defender SmartScreen. Microsoft Defender SmartScreen protects users from running malicious apps.
+keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 10/13/2017
+ms.reviewer:
+manager: dansimp
+ms.author: macapara
+---
+
+# Set up and use Microsoft Defender SmartScreen on individual devices
+
+**Applies to:**
+- Windows 10, version 1703
+- Windows 10 Mobile
+- Microsoft Edge
+
+Microsoft Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files.
+
+## How users can use Windows Security to set up Microsoft Defender SmartScreen
+Starting with Windows 10, version 1703, users can use Windows Security to set up Microsoft Defender SmartScreen for an individual device; unless an administrator has used Group Policy or Microsoft Intune to prevent it.
+
+>[!NOTE]
+>If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee.
+
+**To use Windows Security to set up Microsoft Defender SmartScreen on a device**
+1. Open the Windows Security app, and then select **App & browser control** > **Reputation-based protection settings**.
+
+2. In the **Reputation-based protection** screen, choose from the following options:
+
+ - In the **Check apps and files** area:
+
+ - **On.** Warns users that the apps and files being downloaded from the web are potentially dangerous but allows the action to continue.
+
+ - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
+
+ - In the **Microsoft Defender SmartScreen for Microsoft Edge** area:
+
+ - **On.** Warns users that sites and downloads are potentially dangerous but allows the action to continue while running in Microsoft Edge.
+
+ - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
+ - In the **Potentially unwanted app blocking** area:
+
+ - **On.** Turns on both the 'Block apps' and 'Block downloads settings. To learn more, see [How Microsoft identifies malware and potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/intelligence/criteria#potentially-unwanted-application-pua).
+ - **Block apps.** This setting will prevent new apps from installing on the device and warn users of apps that are existing on the device.
+
+ - **Block downloads.** This setting will alert users and stop the downloads of apps in the Microsoft Edge browser (based on Chromium).
+
+ - **Off.** Turns off Potentially unwanted app blocking, so a user isn't alerted or stopped from downloading or installing potentially unwanted apps.
+
+ - In the **Microsoft Defender SmartScreen from Microsoft Store apps** area:
+
+ - **On.** Warns users that the sites and downloads used by Microsoft Store apps are potentially dangerous but allows the action to continue.
+
+ - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
+
+ 
+
+## How Microsoft Defender SmartScreen works when a user tries to run an app
+Microsoft Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Microsoft Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization.
+
+By default, users can bypass Microsoft Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block your employees from using unrecognized apps, or to entirely turn off Microsoft Defender SmartScreen (not recommended).
+
+## How users can report websites as safe or unsafe
+Microsoft Defender SmartScreen can be configured to warn users from going to a potentially dangerous site. Users can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
+
+**To report a website as safe from the warning message**
+- On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions.
+
+**To report a website as unsafe from Microsoft Edge**
+- If a site seems potentially dangerous, users can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**.
+
+**To report a website as unsafe from Internet Explorer 11**
+- If a site seems potentially dangerous, users can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**.
+
+## Related topics
+- [Threat protection](../index.md)
+
+- [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md)
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
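Review bot: `ms.date: 10/13/2017` on a newly added file is stale (the sibling overview file added in this diff carries `11/27/2019`); set it to the date of this change. Also in this hunk: `for an individual device; unless an administrator has used Group Policy` should use a comma, not a semicolon; `Turns on both the 'Block apps' and 'Block downloads settings.` is missing the closing quote after `Block downloads`; `warn users of apps that are existing on the device` reads better as `apps already on the device`; the line after the options list that holds only whitespace looks like leftover image residue and should be dropped; the `Off` entry under Microsoft Defender SmartScreen for Microsoft Edge repeats the Check apps and files wording (`downloading potentially malicious apps and files`) even though its `On` entry covers sites as well as downloads, so mirror the Store apps entry (`visiting sites or from downloading`); and the Internet Explorer 11 step names the menu item `Windows Defender SmartScreen`, which should stay only if that is the literal label in the IE11 Tools menu.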
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index fe80c5c8a4..6356278506 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -35,17 +35,17 @@ This topic provides an overview of some of the software and firmware threats fac
## The security threat landscape
-Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of temporarily taking a system offline. Since then, attacker’s motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom. Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge.
+Today's security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of temporarily taking a system offline. Since then, attacker's motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom. Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge.
In recognition of this landscape, Windows 10 Creator's Update (Windows 10, version 1703) includes multiple security features that were created to make it difficult (and costly) to find and exploit many software vulnerabilities. These features are designed to:
-- Eliminate entire classes of vulnerabilities
+- Eliminate entire classes of vulnerabilities
-- Break exploitation techniques
+- Break exploitation techniques
-- Contain the damage and prevent persistence
+- Contain the damage and prevent persistence
-- Limit the window of opportunity to exploit
+- Limit the window of opportunity to exploit
The following sections provide more detail about security mitigations in Windows 10, version 1703.
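Review bot: while replacing the curly apostrophes, fix the possessive in `attacker's motives have shifted`: the subject is plural (`malicious attackers` in the previous sentence), so it should be `attackers' motives`. Optionally also correct `Windows 10 Creator's Update` in the unchanged context line to `Creators Update`, the product's actual name. The rest of the hunk only normalizes the list item whitespace, which is fine.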
@@ -59,14 +59,14 @@ Windows 10 mitigations that you can configure are listed in the following two ta
|---|---|
| **Windows Defender SmartScreen** helps prevent malicious applications from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.
**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic |
| **Credential Guard** helps keep attackers from gaining access through Pass-the-Hash or Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them. Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) |
-| **Enterprise certificate pinning** helps prevent man-in-the-middle attacks that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.
**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) |
-| **Device Guard** helps keep a device from running malware or other untrusted apps | Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel. Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) |
-| **Windows Defender Antivirus**, which helps keep devices free of viruses and other malware | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.
**More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic |
-| **Blocking of untrusted fonts** helps prevent fonts from being used in elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).
**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) |
+| **Enterprise certificate pinning** helps prevent man-in-the-middle attacks that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can "pin" (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.
**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) |
+| **Device Guard** helps keep a device from running malware or other untrusted apps | Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel. Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) |
+| **Microsoft Defender Antivirus**, which helps keep devices free of viruses and other malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox antimalware solution. Microsoft Defender Antivirus has been significantly improved since it was introduced in Windows 8.
**More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic |
+| **Blocking of untrusted fonts** helps prevent fonts from being used in elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).
**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) |
| **Memory protections** help prevent malware from using memory manipulation techniques such as buffer overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note: A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.
**More information**: [Table 2](#table-2), later in this topic |
-| **UEFI Secure Boot** helps protect the platform from bootkits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.
**More information**: [UEFI and Secure Boot](/windows/device-security/bitlocker/bitlocker-countermeasures#uefi-and-secure-boot) |
+| **UEFI Secure Boot** helps protect the platform from boot kits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.
**More information**: [UEFI and Secure Boot](/windows/device-security/bitlocker/bitlocker-countermeasures#uefi-and-secure-boot) |
| **Early Launch Antimalware (ELAM)** helps protect the platform from rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.
**More information**: [Early Launch Antimalware](/windows/device-security/bitlocker/bitlocker-countermeasures#protection-during-startup) |
-| **Device Health Attestation** helps prevent compromised devices from accessing an organization’s assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device’s actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.
**More information**: [Control the health of Windows 10-based devices](/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices) and [Device Health Attestation](https://technet.microsoft.com/windows-server-docs/security/device-health-attestation) |
+| **Device Health Attestation** helps prevent compromised devices from accessing an organization's assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device's actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.
**More information**: [Control the health of Windows 10-based devices](/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices) and [Device Health Attestation](https://docs.microsoft.com/windows-server/security/device-health-attestation) |
Configurable Windows 10 mitigations designed to help protect against memory manipulation require in-depth understanding of these threats and mitigations and knowledge about how the operating system and applications handle memory. The standard process for maximizing these types of mitigations is to work in a test lab to discover whether a given setting interferes with any applications that you use so that you can deploy settings that maximize protection while still allowing apps to run correctly.
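Review bot: "boot kits" in the added UEFI Secure Boot row (`helps protect the platform from boot kits and rootkits`) splits an established one-word term; "bootkit" is the standard spelling and it sits next to "rootkits" in the same cell, so keep "bootkits" rather than accepting the spell-checker suggestion. While this table is being touched, the unchanged Memory protections row has an unclosed parenthesis ("(for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:"); closing it after "memory" would be a cheap drive-by fix. The msdn.microsoft.com and technet.microsoft.com links moving to docs.microsoft.com are consistent with the other link migrations in this change.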
@@ -84,47 +84,47 @@ As an IT professional, you can ask application developers and software vendors t
Windows Defender SmartScreen notifies users if they click on reported phishing and malware websites, and helps protect them against unsafe downloads or make informed decisions about downloads.
-For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows Windows Defender SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, Windows Defender SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, Windows Defender SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings.
+For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows Windows Defender SmartScreen to check the reputation of files downloaded from the Internet and warn users when they're about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, Windows Defender SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, Windows Defender SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings.
-For more information, see [Windows Defender SmartScreen overview](windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
+For more information, see [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md).
-### Windows Defender Antivirus
+### Microsoft Defender Antivirus
-Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware:
+Microsoft Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware:
-- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates.
+- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates.
-- **Rich local context** improves how malware is identified. Windows 10 informs Windows Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Windows Defender Antivirus to apply different levels of scrutiny to different content.
+- **Rich local context** improves how malware is identified. Windows 10 informs Microsoft Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Microsoft Defender Antivirus to apply different levels of scrutiny to different content.
-- **Extensive global sensors** help keep Windows Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data.
+- **Extensive global sensors** help keep Microsoft Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data.
-- **Tamper proofing** helps guard Windows Defender Antivirus itself against malware attacks. For example, Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.)
+- **Tamper proofing** helps guard Microsoft Defender Antivirus itself against malware attacks. For example, Microsoft Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Microsoft Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.)
-- **Enterprise-level features** give IT pros the tools and configuration options necessary to make Windows Defender Antivirus an enterprise-class antimalware solution.
+- **Enterprise-level features** give IT pros the tools and configuration options necessary to make Microsoft Defender Antivirus an enterprise-class antimalware solution.
-For more information, see [Windows Defender in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
+For more information, see [Windows Defender in Windows 10](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://docs.microsoft.com/windows-server/security/windows-defender/windows-defender-overview-windows-server).
For information about Microsoft Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (resources) and [Microsoft Defender Advanced Threat Protection (ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation).
### Data Execution Prevention
-Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn’t it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information?
+Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn't it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information?
-Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can’t be used to execute malicious code that may be inserted by means of a vulnerability exploit.
+Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can't be used to execute malicious code that may be inserted by means of a vulnerability exploit.
**To use Task Manager to see apps that use DEP**
-1. Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen.
+1. Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen.
2. Click **More Details** (if necessary), and then click the **Details** tab.
-3. Right-click any column heading, and then click **Select Columns**.
+3. Right-click any column heading, and then click **Select Columns**.
-4. In the **Select Columns** dialog box, select the last **Data Execution Prevention** check box.
+4. In the **Select Columns** dialog box, select the last **Data Execution Prevention** check box.
-5. Click **OK**.
+5. Click **OK**.
You can now see which processes have DEP enabled.
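Review bot: the link text in `[Windows Defender in Windows 10](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)` still uses the old product name even though the path and the section heading just above were renamed to Microsoft Defender Antivirus; change the link text to "Microsoft Defender Antivirus in Windows 10" so the rename is consistent. The SmartScreen link is the mirror case: its text was renamed to "Microsoft Defender SmartScreen overview" while the two paragraphs before it still say "Windows Defender SmartScreen" throughout, so either rename those mentions too or leave the link text as it was. Also confirm that the renamed relative paths (microsoft-defender-smartscreen/... and microsoft-defender-antivirus/...) exist in this PR, since this hunk only shows the references, not the moved files.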
@@ -138,19 +138,19 @@ You can use Control Panel to view or change DEP settings.
#### To use Control Panel to view or change DEP settings on an individual PC
-1. Open Control Panel, System: click Start, type **Control Panel System**, and press ENTER.
+1. Open Control Panel, System: click Start, type **Control Panel System**, and press ENTER.
-2. Click **Advanced system settings**, and then click the **Advanced** tab.
+2. Click **Advanced system settings**, and then click the **Advanced** tab.
-3. In the **Performance** box, click **Settings**.
+3. In the **Performance** box, click **Settings**.
-4. In **Performance Options**, click the **Data Execution Prevention** tab.
+4. In **Performance Options**, click the **Data Execution Prevention** tab.
-5. Select an option:
+5. Select an option:
- - **Turn on DEP for essential Windows programs and services only**
+ - **Turn on DEP for essential Windows programs and services only**
- - **Turn on DEP for all programs and services except those I select**. If you choose this option, use the **Add** and **Remove** buttons to create the list of exceptions for which DEP will not be turned on.
+ - **Turn on DEP for all programs and services except those I select**. If you choose this option, use the **Add** and **Remove** buttons to create the list of exceptions for which DEP will not be turned on.
#### To use Group Policy to control DEP settings
@@ -158,7 +158,7 @@ You can use the Group Policy setting called **Process Mitigation Options** to co
### Structured Exception Handling Overwrite Protection
-Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handler](https://msdn.microsoft.com/library/windows/desktop/ms680657(v=vs.85).aspx) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they have been compiled with the latest improvements.
+Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they have been compiled with the latest improvements.
You can use the Group Policy setting called **Process Mitigation Options** to control the SEHOP setting. A few applications have compatibility problems with SEHOP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md).
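Review bot: changing the link text from "Structured Exception Handler" to "Structured Exception Handling" leaves a grammatical mismatch with the unchanged words around it: "exploit the Structured Exception Handling (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions" now reads as if SEH were an activity rather than a mechanism. Either keep "Structured Exception Handler (SEH)" with the new URL, or rewrite to "exploit the [Structured Exception Handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) (SEH) mechanism, which is integral ...". The docs.microsoft.com target itself is the right replacement for the retired msdn URL.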
@@ -174,13 +174,13 @@ Address Space Layout Randomization (ASLR) makes that type of attack much more di
Windows 10 applies ASLR holistically across the system and increases the level of entropy many times compared with previous versions of Windows to combat sophisticated attacks such as heap spraying. 64-bit system and application processes can take advantage of a vastly increased memory space, which makes it even more difficult for malware to predict where Windows 10 stores vital data. When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, which makes it even more difficult for a successful exploit that works on one system to work reliably on another.
-You can use the Group Policy setting called **Process Mitigation Options** to control ASLR settings (“Force ASLR” and “Bottom-up ASLR”), as described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md).
+You can use the Group Policy setting called **Process Mitigation Options** to control ASLR settings ("Force ASLR" and "Bottom-up ASLR"), as described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md).
## Mitigations that are built in to Windows 10
Windows 10 provides many threat mitigations to protect against exploits that are built into the operating system and need no configuration within the operating system. The table that follows describes some of these mitigations.
-Control Flow Guard (CFG) is a mitigation that does not need configuration within the operating system, but does require that an application developer configure the mitigation into the application when it’s compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they are compiled.
+Control Flow Guard (CFG) is a mitigation that does not need configuration within the operating system, but does require that an application developer configure the mitigation into the application when it's compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they are compiled.
### Table 3 Windows 10 mitigations to protect against memory exploits – no configuration needed
@@ -191,29 +191,29 @@ Control Flow Guard (CFG) is a mitigation that does not need configuration within
| **Universal Windows apps protections** screen downloadable apps and run them in an AppContainer sandbox | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.
**More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. |
| **Heap protections** help prevent exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.
**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. |
| **Kernel pool protections** help prevent exploitation of pool memory used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.
**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. |
-| **Control Flow Guard** helps mitigate exploits that are based on flow between code locations in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015. For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.
**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. |
+| **Control Flow Guard** helps mitigate exploits that are based on flow between code locations in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it's compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015. For such an application, CFG can detect an attacker's attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.
**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. |
| **Protections built into Microsoft Edge** (the browser) helps mitigate multiple threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.
**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer11), later in this topic. |
### SMB hardening improvements for SYSVOL and NETLOGON shares
-In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won’t process domain-based Group Policy and scripts.
+In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won't process domain-based Group Policy and scripts.
> [!NOTE]
-> The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://blogs.technet.microsoft.com/srd/2015/02/10/ms15-011-ms15-014-hardening-group-policy/).
+> The registry values for these settings aren't present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://msrc-blog.microsoft.com/2015/02/10/ms15-011-ms15-014-hardening-group-policy/).
### Protected Processes
Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on malware that gets on the device. Protected Processes creates limits of this type.
-With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://msdn.microsoft.com/library/windows/desktop/dn313124(v=vs.85).aspx). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system.
+With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://docs.microsoft.com/windows/win32/services/protecting-anti-malware-services-). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system.
### Universal Windows apps protections
-When users download Universal Windows apps from the Microsoft Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.
+When users download Universal Windows apps from the Microsoft Store, it's unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.
Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission.
-In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Microsoft Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher.
+In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Microsoft Store displays the exact capabilities the app requires (for example, access to the camera), along with the app's age rating and publisher.
### Windows heap protections
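Review bot: the rewritten NOTE line keeps a stray comma before the parenthetical: "For more information on these security improvements, (also referred to as UNC hardening), see" should drop the comma after "improvements". In the Protected Processes paragraph, the added line uses both "3rd party anti-malware vendors" and "antimalware solutions" in the same sentence; Microsoft style spells these "third-party" and "antimalware", matching the rest of this topic. The blog link moving from blogs.technet.microsoft.com to msrc-blog.microsoft.com is in line with the other link migrations here, but the Knowledge Base link for 3000483 is still in its old support.microsoft.com form (with a literal comma in the slug) and may deserve the same check.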
@@ -221,29 +221,29 @@ The *heap* is a location in memory that Windows uses to store dynamic applicatio
Windows 10 has several important improvements to the security of the heap:
-- **Heap metadata hardening** for internal data structures that the heap uses, to improve protections against memory corruption.
+- **Heap metadata hardening** for internal data structures that the heap uses, to improve protections against memory corruption.
-- **Heap allocation randomization**, that is, the use of randomized locations and sizes for heap memory allocations, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable.
+- **Heap allocation randomization**, that is, the use of randomized locations and sizes for heap memory allocations, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable.
-- **Heap guard pages** before and after blocks of memory, which work as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app.
+- **Heap guard pages** before and after blocks of memory, which work as trip wires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app.
### Kernel pool protections
-The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory (“nonpaged pool”) and one that can be paged in and out of physical memory (“paged pool”). There are many types of attacks that have been attempted against these pools, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 has multiple “pool hardening” protections, such as integrity checks, that help protect the kernel pool against such attacks.
+The operating system kernel in Windows sets aside two pools of memory, one which remains in physical memory ("nonpaged pool") and one which can be paged in and out of physical memory ("paged pool"). There are many mitigations that have been added over time, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 adds multiple "pool hardening" protections, such as integrity checks, that help protect the kernel pool against more advanced attacks.
In addition to pool hardening, Windows 10 includes other kernel hardening features:
-- **Kernel DEP** and **Kernel ASLR**: Follow the same principles as [Data Execution Prevention](#data-execution-prevention) and [Address Space Layout Randomization](#address-space-layout-randomization), described earlier in this topic.
+- **Kernel DEP** and **Kernel ASLR**: Follow the same principles as [Data Execution Prevention](#data-execution-prevention) and [Address Space Layout Randomization](#address-space-layout-randomization), described earlier in this topic.
-- **Font parsing in AppContainer:** Isolates font parsing in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx).
+- **Font parsing in AppContainer:** Isolates font parsing in an [AppContainer sandbox](https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation).
-- **Disabling of NT Virtual DOS Machine (NTVDM)**: The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against Null dereference and other exploits.)
+- **Disabling of NT Virtual DOS Machine (NTVDM)**: The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against Null dereference and other exploits.)
-- **Supervisor Mode Execution Prevention (SMEP)**: Helps prevent the kernel (the “supervisor”) from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support.
+- **Supervisor Mode Execution Prevention (SMEP)**: Helps prevent the kernel (the "supervisor") from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support.
-- **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the “FastFail” mechanism to enable rapid and safe process termination.
+- **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the "FastFail" mechanism to enable rapid and safe process termination.
-- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques such as “NULL dereference” to overwrite critical system data structures in memory.
+- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques such as "NULL dereference" to overwrite critical system data structures in memory.
### Control Flow Guard
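Review bot: the rewritten kernel pool paragraph at the top of this hunk correctly reclassifies process quota pointer encoding, lookaside/delay-free/pool page cookies and PoolIndex bounds checks as mitigations rather than attacks, but two wording points remain in the + line: "one which remains ... and one which can be paged" should be "one that remains ... and one that can be paged" (restrictive clauses), and "against more advanced attacks" is vaguer than the text it replaces; say what the integrity checks catch (pool corruption and overruns, which the "Safe unlinking" bullet below already describes) so the reader can tie the two items together. The remaining -/+ pairs in this hunk are trailing-whitespace and straight-quote changes only.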
@@ -251,31 +251,31 @@ When applications are loaded into memory, they are allocated space based on the
This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location is not trusted, the application is immediately terminated as a potential security risk.
-An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](https://msdn.microsoft.com/library/windows/desktop/mt637065(v=vs.85).aspx).
+An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](https://docs.microsoft.com/windows/win32/secbp/control-flow-guard).
Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full advantage of CFG.
### Microsoft Edge and Internet Explorer 11
-Browser security is a critical component of any security strategy, and for good reason: the browser is the user’s interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks.
+Browser security is a critical component of any security strategy, and for good reason: the browser is the user's interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks.
All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples of this are Flash and Java extensions that enable their respective applications to run inside a browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority.
Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is more secure in multiple ways, especially:
-- **Smaller attack surface; no support for non-Microsoft binary extensions**. Multiple browser components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs), ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions.
+- **Smaller attack surface; no support for non-Microsoft binary extensions**. Multiple browser components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs), ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions.
-- **Runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure against exploits.
+- **Runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure against exploits.
-- **Includes Memory Garbage Collection (MemGC)**. This helps protect against use-after-free (UAF) issues.
+- **Includes Memory Garbage Collection (MemGC)**. This helps protect against use-after-free (UAF) issues.
-- **Designed as a Universal Windows app.** Microsoft Edge is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge.
+- **Designed as a Universal Windows app.** Microsoft Edge is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge.
-- **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, which makes it more secure by default.
+- **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, which makes it more secure by default.
In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that do not work with Microsoft Edge. It should not be configured as the primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security.
-For sites that require IE11 compatibility, including those that require binary extensions and plug ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11.
+For sites that require IE11 compatibility, including those that require binary extensions and plug-ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11.
### Functions that software vendors can use to build mitigations into apps
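Review bot: the "Designed as a Universal Windows app" bullet is touched in this hunk (whitespace only) but still carries the misspelled feature name "Enhanced Protect Mode"; the IE11 feature is Enhanced Protected Mode, so fix it while the line is being rewritten anyway. The CFG link and plug-ins hyphenation changes in the rest of the hunk look right.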
@@ -288,21 +288,21 @@ Some of the protections available in Windows 10 are provided through functions t
| Mitigation | Function |
|-------------|-----------|
-| LoadLib image loading restrictions | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_IMAGE\_LOAD\_NO\_REMOTE\_ALWAYS\_ON\] |
-| MemProt dynamic code restriction | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_PROHIBIT\_DYNAMIC\_CODE\_ALWAYS\_ON\] |
-| Child Process Restriction to restrict the ability to create child processes | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx) \[PROC\_THREAD\_ATTRIBUTE\_CHILD\_PROCESS\_POLICY\] |
-| Code Integrity Restriction to restrict image loading | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/library/windows/desktop/hh769088(v=vs.85).aspx) \[ProcessSignaturePolicy\] |
-| Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/library/windows/desktop/hh769088(v=vs.85).aspx) \[ProcessSystemCallDisablePolicy\] |
-| High Entropy ASLR for up to 1TB of variance in memory allocations | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] |
-| Strict handle checks to raise immediate exception upon bad handle reference | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_STRICT\_HANDLE\_CHECKS\_ALWAYS\_ON\] |
-| Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] |
-| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] |
+| MemProt dynamic code restriction | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_PROHIBIT\_DYNAMIC\_CODE\_ALWAYS\_ON\] |
+| LoadLib image loading restrictions | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_IMAGE\_LOAD\_NO\_REMOTE\_ALWAYS\_ON\] |
+| Child Process Restriction to restrict the ability to create child processes | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute) \[PROC\_THREAD\_ATTRIBUTE\_CHILD\_PROCESS\_POLICY\] |
+| Code Integrity Restriction to restrict image loading | [SetProcessMitigationPolicy function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy) \[ProcessSignaturePolicy\] |
+| Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI | [SetProcessMitigationPolicy function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy) \[ProcessSystemCallDisablePolicy\] |
+| High Entropy ASLR for up to 1TB of variance in memory allocations | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] |
+| Strict handle checks to raise immediate exception upon bad handle reference | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_STRICT\_HANDLE\_CHECKS\_ALWAYS\_ON\] |
+| Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] |
+| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] |
## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit
-You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those in Windows 10. Many of EMET’s mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10.
+You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those in Windows 10. Many of EMET's mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10.
-Because many of EMET’s mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://technet.microsoft.com/security/jj653751)).
+Because many of EMET's mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://web.archive.org/web/20170928073955/https://technet.microsoft.com/en-US/security/jj653751)).
The following table lists EMET features in relation to Windows 10 features.
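Review bot: besides retargeting the links, this hunk silently swaps the first two table rows (MemProt dynamic code restriction now precedes LoadLib image loading restrictions). If the reorder is intentional, say so in the PR description; otherwise keep the original order so the diff stays a pure link update. The EMET reference now points at a web.archive.org snapshot of the retired TechNet page, which is an acceptable fallback, but note in the commit message that the live page no longer exists so a later editor does not "fix" it back.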
@@ -337,7 +337,7 @@ to Windows 10 features
Null Page
-
Mitigations for this threat are built into Windows 10, as described in the “Memory reservations” item in Kernel pool protections, earlier in this topic.
+
Mitigations for this threat are built into Windows 10, as described in the "Memory reservations" item in Kernel pool protections, earlier in this topic.
@@ -352,9 +352,9 @@ to Windows 10 features
Caller Check
Simulate Execution Flow
Stack Pivot
-
Deep Hooks (an ROP “Advanced Mitigation”)
-
Anti Detours (an ROP “Advanced Mitigation”)
-
Banned Functions (an ROP “Advanced Mitigation”)
+
Deep Hooks (an ROP "Advanced Mitigation")
+
Anti Detours (an ROP "Advanced Mitigation")
+
Banned Functions (an ROP "Advanced Mitigation")
Mitigated in Windows 10 with applications compiled with Control Flow Guard, as described in Control Flow Guard, earlier in this topic.
@@ -363,7 +363,7 @@ to Windows 10 features
### Converting an EMET XML settings file into Windows 10 mitigation policies
-One of EMET’s strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file for straightforward deployment. To generate mitigation policies for Windows 10 from an EMET XML settings file, you can install the ProcessMitigations PowerShell module. In an elevated PowerShell session, run this cmdlet:
+One of EMET's strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file for straightforward deployment. To generate mitigation policies for Windows 10 from an EMET XML settings file, you can install the ProcessMitigations PowerShell module. In an elevated PowerShell session, run this cmdlet:
```powershell
Install-Module -Name ProcessMitigations
@@ -423,21 +423,21 @@ ConvertTo-ProcessMitigationPolicy -EMETFilePath -OutputFilePath [!NOTE]
+> If the **Interactive logon: Machine inactivity limit** security policy setting is configured, the device locks not only when inactive time exceeds the inactivity limit, but also when the screensaver activates or when the display turns off because of power settings.
+
### Possible values
The automatic lock of the device is set in elapsed seconds of inactivity, which can range from zero (0) to 599,940 seconds (166.65 hours).
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
index 300344160d..b98d74a6bb 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
@@ -37,7 +37,7 @@ This policy setting determines when users are warned that their passwords are ab
- Configure user passwords to expire periodically. Users need warning that their password is going to expire, or they might get locked out of the system.
- Set **Interactive logon: Prompt user to change password before expiration** to five days. When their password expiration date is five or fewer days away, users will see a dialog box each time that they log on to the domain.
-- Don't set the value to zero, which displays the password expiration warning every time the user logs on.
+- When you set the policy to zero, there is no password expiration warning when the user logs on. During a long-running logon session, you would get the warning on the day the password expires or when it already has expired.
### Location
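Review bot: the rewritten bullet inverts the documented meaning of the value 0, from "displays the password expiration warning every time the user logs on" to "there is no password expiration warning when the user logs on". A behavioural reversal like this needs a reference or test evidence in the PR, and the new text also drops the recommendation the old bullet gave (do not set zero); under a "Best practices" heading the bullet should still tell the admin what to do, for example keep the five-day guidance and explain what 0 means as the reason. The second new sentence ("you would get the warning on the day the password expires or when it already has expired") is ambiguous about whether that warning appears during the session or at the next logon; make that explicit.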
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
index 7917efbce4..b57e36e03e 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
@@ -20,18 +20,18 @@ ms.date: 04/19/2017
# Minimum password length
**Applies to**
-- Windows 10
+- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.
## Reference
-The **Minimum password length** policy setting determines the least number of characters that can make up a password for a user account. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.
+The **Minimum password length** policy setting determines the least number of characters that can make up a password for a user account. You can set a value of between 1 and 20 characters, or you can establish that no password is required by setting the number of characters to 0.
### Possible values
-- User-specified number of characters between 0 and 14
-- Not defined
+- User-specified number of characters between 0 and 20
+- Not defined
### Best practices
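Review bot: raising the upper bound from 14 to 20 characters (both in the Reference paragraph and in Possible values) is a factual change to the supported range, so the hunk should say which Windows 10 and Windows Server releases accept a minimum above 14; the page's Applies to list only names Windows 10, while the defaults table below covers domain controllers and member servers. Also bump ms.date (the header context still shows 04/19/2017) so readers can tell the range was revised.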
@@ -51,13 +51,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| 7 characters|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | 0 characters|
-| Domain controller effective default settings | 7 characters|
-| Member server effective default settings | 7 characters|
-| Effective GPO default settings on client computers | 0 characters|
-
+| Default domain policy| 7 characters|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | 0 characters|
+| Domain controller effective default settings | 7 characters|
+| Member server effective default settings | 7 characters|
+| Effective GPO default settings on client computers | 0 characters|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -80,8 +80,9 @@ Configure the **** policy setting to a value of 8 or more. If the number of char
In most environments, we recommend an eight-character password because it is long enough to provide adequate security, but not too difficult for users to easily remember. This configuration provides adequate defense against a brute force attack. Using the [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) policy setting in addition to the **Minimum password length** setting helps reduce the possibility of a dictionary attack.
->**Note:** Some jurisdictions have established legal requirements for password length as part of establishing security regulations.
-
+> [!NOTE]
+> Some jurisdictions have established legal requirements for password length as part of establishing security regulations.
+
### Potential impact
Requirements for extremely long passwords can actually decrease the security of an organization because users might leave the information in an unsecured location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of Help Desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about passphrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover.
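Review bot: the hunk header context reads "Configure the **** policy setting to a value of 8 or more", that is, the bold policy name is empty on the line just above this hunk. Since this file is being edited anyway, fill it in as **Minimum password length**, which is the setting this article documents. The conversion of the plain "Note:" to a [!NOTE] alert is fine.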
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 5f46ca3685..f5a0e5c08f 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -22,6 +22,7 @@ ms.author: dansimp
- Windows 10, version 1507 with [KB 4012606](https://support.microsoft.com/help/4012606) installed
- Windows 8.1 with [KB 4102219](https://support.microsoft.com/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed
- Windows 7 with [KB 4012218](https://support.microsoft.com/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed
+- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2 with[KB 4012219](https://support.microsoft.com/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed
- Windows Server 2012 with [KB 4012220](https://support.microsoft.com/help/4012220/march-2017-preview-of-monthly-quality-rollup-for-windows-server-2012) installed
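Review bot: adding Windows Server 2019 to the list is straightforward, but two defects sit in the surrounding context lines of this hunk and are worth fixing in the same change: the Windows 8.1 bullet is labelled "KB 4102219" while its URL is for 4012219 (transposed digits), and the Windows Server 2012 R2 bullet is missing the space in "with[KB 4012219]".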
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index 4870151b22..9fef84e4b2 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -40,7 +40,7 @@ This policy isn't configured by default on domain-joined devices. This would dis
- **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
> [!NOTE]
- > KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server.
+ > KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client.
- **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship.
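Review bot: the + line still starts with "KU2U is disabled by default on Windows Server"; the name is PKU2U (it is spelled correctly later in the same sentence), so fix the missing letter while the note is being edited. The substantive change, enabling PKU2U on both the server and the client for the Remote Desktop scenario, is consistent with the policy description above it.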
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
index 56613b0b02..2e91b3b1b6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
@@ -43,7 +43,7 @@ Misuse of this policy setting is a common error that can cause data loss or prob
### Best practices
-- Set **Domain controller: LDAP server signing requirements** to **Require signature**. If you set the server to require LDAP signatures, you must also set the client devices to do so. Not setting the client devices will prevent client computers from communicating with the server. This can cause many features to fail, including user authentication, Group Policy, and logon scripts.
+- Set both the **Network security: LDAP client signing requirements** and **Domain controller: LDAP server signing requirements** settings to **Require signing**. To avoid usage of unsigned traffic, set both client and server sides to require signing. Not setting one of the sides will prevent client computers from communicating with the server. This can cause many features to fail, including user authentication, Group Policy, and logon scripts.
### Location
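Review bot: the new best-practice bullet keeps the claim "Not setting one of the sides will prevent client computers from communicating with the server", which overstates the effect: the client policy's default is Negotiate signing, so a client that negotiates signing still talks to a domain controller that requires it, and a domain controller left at its default still accepts signed binds. The actual risk of configuring only one side is that some traffic stays unsigned, not a loss of connectivity; reword the sentence to say that, and reserve the "features fail" warning for the case where one side requires signing and the other cannot sign. The correction of the setting name to "Require signing" is right.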
@@ -84,11 +84,11 @@ Unsigned network traffic is susceptible to man-in-the-middle attacks in which an
### Countermeasure
-Configure the **Network security: LDAP server signing requirements** setting to **Require signature**.
+Configure the **Network security: LDAP client signing requirements** setting to **Require signing**.
### Potential impact
-If you configure the server to require LDAP signatures, you must also configure the client computers. If you do not configure the client devices, they cannot communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts.
+If you configure the client to require LDAP signatures, it may fail to communicate with the LDAP servers that do not require requests to be signed. To avoid this issue, make sure that both the **Network security: LDAP client signing requirements** and **Domain controller: LDAP server signing requirements** settings are set to **Require signing**.
## Related topics
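Review bot: in the Potential impact paragraph, "may fail to communicate with the LDAP servers that do not require requests to be signed" describes the wrong condition. A server that does not require signing still supports it when the client asks, so a client set to Require signing keeps working there; the failure occurs against servers that do not support signing at all (or when signing cannot be negotiated). Change "do not require" to "do not support". The Countermeasure line correction (client setting, "Require signing") is good.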
diff --git a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
index 017b3050a2..387aca9327 100644
--- a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
+++ b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
@@ -20,7 +20,7 @@ ms.author: dansimp
On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx) if they have not already done so.
-Microsoft antimalware diagnostic data immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Windows Defender Antivirus](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.
+Microsoft antimalware diagnostic data immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.
In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.
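Review bot: the product rename on the `+` line changes the name used in an incident write-up that the unchanged first line of the hunk still dates to May 12, 2017, so the text no longer matches the name the original post used, and the link target still points at `keep-secure/windows-defender-in-windows-10`; if current branding is the goal, consider a short parenthetical such as "(then called Windows Defender Antivirus)" at the first mention, and verify the old link still resolves after the rename.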
@@ -189,7 +189,7 @@ We recommend customers that have not yet installed the security update [MS17-010
- Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](https://support.microsoft.com/kb/2696547) and as [recommended previously](https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/)
- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445
-[Windows Defender Antivirus](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) detects this threat as [Ransom:Win32/WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt) as of the *1.243.297.0* update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.
+[Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) detects this threat as [Ransom:Win32/WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt) as of the *1.243.297.0* update. Microsoft Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.
For enterprises, use [Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
deleted file mode 100644
index c69288aada..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: Manage Windows Defender in your business
-description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Windows Defender AV
-keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Manage Windows Defender Antivirus in your business
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-You can manage and configure Windows Defender Antivirus with the following tools:
-
-- Microsoft Intune
-- Microsoft Endpoint Configuration Manager
-- Group Policy
-- PowerShell cmdlets
-- Windows Management Instrumentation (WMI)
-- The mpcmdrun.exe utility
-
-The articles in this section provide further information, links, and resources for using these tools to manage and configure Windows Defender Antivirus.
-
-## In this section
-
-Article | Description
----|---
-[Manage Windows Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-windows-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus
-[Manage Windows Defender Antivirus with Group Policy settings](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates
-[Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Windows Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters
-[Manage Windows Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-windows-defender-antivirus.md)| Instructions for using WMI to manage Windows Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
-[Manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-windows-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Windows Defender Antivirus
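Review bot: no redirect or replacement page for `configuration-management-reference-windows-defender-antivirus.md` is visible anywhere in this diff, and the deleted "In this section" table is the only place here that lists the mpcmdrun.exe command-line article alongside the Intune, Configuration Manager, Group Policy, PowerShell and WMI articles; add a redirection entry for the old path and confirm the TOC no longer references it, otherwise existing inbound links will break.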
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
deleted file mode 100644
index 47161748b2..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: Configure how users can interact with Windows Defender AV
-description: Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings.
-keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Configure end-user interaction with Windows Defender Antivirus
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-You can configure how users of the endpoints on your network can interact with Windows Defender Antivirus.
-
-This includes whether they see the Windows Defender Antivirus interface, what notifications they see, and if they can locally override globally-deployed Group Policy settings.
-
-## In this section
-
-Topic | Description
----|---
-[Configure notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation
-[Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) | Hide the user interface from users
-[Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints
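Review bot: `configure-end-user-interaction-windows-defender-antivirus.md` is still linked by name from content removed elsewhere in this same diff (the remediation page's related-topics list and the features hub), so surviving articles very likely link to it as well; run a link check for this path and add a redirect. The deleted table is also the only place in the diff that points readers at the UI lockdown page (`prevent-end-user-interaction-windows-defender-antivirus.md`) and the local-override page (`configure-local-policy-overrides-windows-defender-antivirus.md`), so whatever hub replaces it should keep those two links.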
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
deleted file mode 100644
index e0805ca3fb..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: Set up exclusions for Windows Defender AV scans
-description: You can exclude files (including files modified by specified processes) and folders from being scanned by Windows Defender AV. Validate your exclusions with PowerShell.
-keywords:
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 03/12/2020
-ms.reviewer:
-manager: dansimp
----
-
-# Configure and validate exclusions for Windows Defender Antivirus scans
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
-
->[!WARNING]
->Defining exclusions lowers the protection offered by Windows Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
-
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md). This enables you to exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location.
-
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process.
-
-## Related articles
-
-[Windows Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md)
\ No newline at end of file
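Review bot: the deleted page carries the `[!WARNING]` that defining exclusions lowers the protection offered by the antivirus and that only files known to be non-malicious should be excluded; no replacement page appears in this diff, so confirm that warning is carried over to wherever the exclusion guidance now lives (the linked `configure-extension-file-exclusions-windows-defender-antivirus.md` and `configure-process-opened-file-exclusions-windows-defender-antivirus.md` pages), since it is the main security caveat for the feature. A redirect for `configure-exclusions-windows-defender-antivirus.md` is also needed: the remediation and scans pages removed later in this diff both link to it, and surviving pages probably do too.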
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
deleted file mode 100644
index 5d08760627..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
+++ /dev/null
@@ -1,114 +0,0 @@
----
-title: Enable and configure Windows Defender Antivirus protection capabilities
-description: Enable and configure Windows Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning
-keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.date: 12/16/2019
-ms.reviewer:
-manager: dansimp
-ms.custom: nextgen
----
-
-# Enable and configure Windows Defender Antivirus always-on protection in Group Policy
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
-
-These activities include events, such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure.
-
-## Enable and configure always-on protection in Group Policy
-
-You can use **Local Group Policy Editor** to enable and configure Windows Defender Antivirus always-on protection settings.
-
-To enable and configure always-on protection:
-
-1. Open **Local Group Policy Editor**. To do this:
- 1. In your Windows 10 taskbar search box, type **gpedit**.
- 2. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
-
-2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus**.
-
-3. Configure the Windows Defender Antivirus antimalware service policy settings. To do this:
- 1. In the **Windows Defender Antivirus** details pane on right, double-click the policy setting as specified in the following table:
-
- | Setting | Description | Default setting |
- |-----------------------------|------------------------|-------------------------------|
- | Allow antimalware service to startup with normal priority | You can lower the priority of the Windows Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
- | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled |
-
- 2. Configure the setting as appropriate, and click **OK**.
- 3. Repeat the previous steps for each setting in the table.
-
-4. Configure the Windows Defender Antivirus real-time protection policy settings. To do this:
- 1. In the **Windows Defender Antivirus** details pane, double-click **Real-time Protection**. Or, from the **Windows Defender Antivirus** tree on left pane, click **Real-time Protection**.
- 
- 2. In the **Real-time Protection** details pane on right, double-click the policy setting as specified in the following table:
-
- | Setting | Description | Default setting |
- |-----------------------------|------------------------|-------------------------------|
- | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity. | Enabled |
- | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading. | Enabled |
- | Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run). | Enabled |
- | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring. | Enabled |
- | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled. | Enabled |
- | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes. | Enabled |
- | Configure local setting override for turn on behavior monitoring | Configure a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
- | Configure local setting override for scanning all downloaded files and attachments | Configure a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
- | Configure local setting override for monitoring file and program activity on your computer | Configure a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
- | Configure local setting override to turn on real-time protection | Configure a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
- | Configure local setting override for monitoring for incoming and outgoing file activity | Configure a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. | Enabled |
- | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions) |
-
- 3. Configure the setting as appropriate, and click **OK**.
- 4. Repeat the previous steps for each setting in the table.
-
-5. Configure the Windows Defender Antivirus scanning policy setting. To do this:
- 1. From the **Windows Defender Antivirus** tree on left pane, click **Scan**.
- 
-
- 2. In the **Scan** details pane on right, double-click the policy setting as specified in the following table:
-
- | Setting | Description | Default setting |
- |-----------------------------|------------------------|-------------------------------|
- | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Windows Defender Antivirus engine is asked to detect the activity. | Enabled |
-
- 3. Configure the setting as appropriate, and click **OK**.
-6. Close **Local Group Policy Editor**.
-
-
-## Disable real-time protection in Group Policy
-> [!WARNING]
-> Disabling real-time protection drastically reduces the protection on your endpoints and is not recommended.
-
-The main real-time protection capability is enabled by default, but you can disable it by using **Local Group Policy Editor**.
-
-To disable real-time protection in Group policy:
-1. Open **Local Group Policy Editor**.
- 1. In your Windows 10 taskbar search box, type **gpedit**.
- 2. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
-
-2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Real-time Protection**.
-
-3. In the **Real-time Protection** details pane on right, double-click **Turn off real-time protection**.
-
-
-4. In the **Turn off real-time protection** setting window, set the option to **Enabled**.
-
-5. Click **OK**.
-6. Close **Local Group Policy Editor**.
-
-## Related articles
-
-- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
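Review bot: this removes the complete Group Policy reference for always-on protection (the antimalware service, real-time protection and scan settings tables) plus the "Disable real-time protection in Group Policy" section and its warning that disabling real-time protection drastically reduces protection, with no replacement visible in the diff; if the content was merged into another article, name that article in the PR description, add a redirect for this path, and make sure the warning survives the move. When merging, also check product naming: one table row in the deleted page says "Microsoft Defender Antivirus engine" while the rest of the page says "Windows Defender Antivirus".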
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
deleted file mode 100644
index 5f0b5efdbe..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
+++ /dev/null
@@ -1,72 +0,0 @@
----
-title: Remediate and resolve infections detected by Windows Defender Antivirus
-description: Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
-keywords: remediation, fix, remove, threats, quarantine, scan, restore
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Configure remediation for Windows Defender Antivirus scans
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
-
-This topic describes how to configure these settings with Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-
-You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) to configure these settings.
-
-## Configure remediation options
-
-You can configure how remediation works with the Group Policy settings described in this section.
-
-To configure these settings:
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
-
-4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
-
-Location | Setting | Description | Default setting (if not configured)
----|---|---|---
-Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled
-Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days
-Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
-Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
-Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
-Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
-
-> [!IMPORTANT]
-> Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
->
-> If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender Antivirus](restore-quarantined-files-windows-defender-antivirus.md).
->
-> To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md).
-
-Also see [Configure remediation-required scheduled full Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) for more remediation-related settings.
-
-## Related topics
-
-- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
-- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md)
-- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
-- [Configure end-user Windows Defender Antivirus interaction](configure-end-user-interaction-windows-defender-antivirus.md)
-- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
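Review bot: the remediation settings table (restore point creation, scan-history and quarantine retention, routine remediation, threat-level and threat-ID overrides) and the `[!IMPORTANT]` note that a remediation reboot must be completed even when the detection later proves to be a false positive are removed here and not re-added anywhere in the diff; confirm the content has a new home and add a redirect for `configure-remediation-windows-defender-antivirus.md`, which the scans hub removed later in this same diff still links to.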
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
deleted file mode 100644
index 86857fc378..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Configure Windows Defender Antivirus features
-description: You can configure Windows Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell.
-keywords: Windows Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Configure Windows Defender Antivirus features
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-You can configure Windows Defender Antivirus with a number of tools, including:
-
-- Microsoft Intune
-- Microsoft Endpoint Configuration Manager
-- Group Policy
-- PowerShell cmdlets
-- Windows Management Instrumentation (WMI)
-
-The following broad categories of features can be configured:
-
-- Cloud-delivered protection
-- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
-- How end-users interact with the client on individual endpoints
-
-The topics in this section describe how to perform key tasks when configuring Windows Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools).
-
-You can also review the [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) topic for an overview of each tool and links to further help.
-
-## In this section
-Topic | Description
-:---|:---
-[Utilize Microsoft cloud-provided Windows Defender Antivirus protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
-[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection
-[Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender Antivirus, what notifications they see, and whether they can override settings
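Review bot: deleting this hub is consistent with the other hub removals, but two of its targets are not deleted in this diff (`utilize-microsoft-cloud-protection-windows-defender-antivirus.md` and `configure-protection-features-windows-defender-antivirus.md`) and those surviving pages almost certainly carry "Related topics" links back to `configure-windows-defender-antivirus-features.md`; check them for dangling links and add a redirect for this path. The deleted body also links to `configuration-management-reference-windows-defender-antivirus.md`, which is removed earlier in the diff, so that reference disappears cleanly.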
diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
deleted file mode 100644
index 3162bb5114..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: Run and customize scheduled and on-demand scans
-description: Customize and initiate Windows Defender Antivirus scans on endpoints across your network.
-keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Windows Defender Antivirus
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows Defender Antivirus scans.
-
-## In this section
-
-Topic | Description
----|---
-[Configure and validate file, folder, and process-opened file exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
-[Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
-[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
-[Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
-[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
-[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
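Review bot: this hunk removes the hub page for scans and remediation (the one oldTOC.md lists as customize-run-review-remediate-scans-windows-defender-antivirus.md) but none of the six child topics it indexes (configure-exclusions-..., configure-advanced-scan-types-..., configure-remediation-..., scheduled-catch-up-scans-..., run-scan-..., review-scan-results-...) are deleted or retargeted in the same change, so they lose their parent and any inbound link to this path will 404. Add a redirect entry for the removed path to wherever the "In this section" table now lives, and confirm that the live TOC no longer references this file, otherwise the build fails on a missing include.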
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
deleted file mode 100644
index bf74b6893b..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Deploy and enable Windows Defender Antivirus
-description: Deploy Windows Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI.
-keywords: deploy, enable, Windows Defender Antivirus
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Deploy and enable Windows Defender Antivirus
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender Antivirus protection.
-
-See the table in [Deploy, manage, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI).
-
-Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
-
-The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md).
-
-## Related topics
-
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
-- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
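Review bot: deploy-windows-defender-antivirus.md is deleted here, yet the page it introduces, deployment-vdi-windows-defender-antivirus.md, and the page it points to for the enablement table, deploy-manage-report-windows-defender-antivirus.md#ref2, are untouched in this change; the VDI guide is left without the parent that frames it, and the `#ref2` anchor target should be verified to still exist if this content is being consolidated rather than dropped. Add a redirect for the removed path and update the "Related topics" lists on the two surviving pages so they do not link back to a deleted file.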
diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
deleted file mode 100644
index 985b6f0b7c..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ /dev/null
@@ -1,143 +0,0 @@
----
-title: Enable cloud-delivered protection in Windows Defender Antivirus
-description: Enable cloud-delivered protection to benefit from fast and advanced protection features.
-keywords: windows defender antivirus, antimalware, security, cloud, block at first sight
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.reviewer:
-manager: dansimp
-ms.custom: nextgen
----
-
-# Enable cloud-delivered protection
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->[!NOTE]
->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
-
-Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
-
-
-You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
-
-See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection.
-
-There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details.
-
->[!NOTE]
->In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect.
-
-**Use Intune to enable cloud-delivered protection**
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Select **All services > Intune**.
-3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
-5. On the **Cloud-delivered protection** switch, select **Enable**.
-6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**.
-7. In the **Submit samples consent** dropdown, select one of the following:
-
- - **Send safe samples automatically**
- - **Send all samples automatically**
-
- >[!NOTE]
- >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
-
- > [!WARNING]
- > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
-
-8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
-
-For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
-
-**Use Configuration Manager to enable cloud-delivered protection:**
-
-See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
-
-**Use Group Policy to enable cloud-delivered protection:**
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-3. Click **Administrative templates**.
-
-4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS**
-
-5. Double-click **Join Microsoft MAPS** and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**.
-
-6. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following:
-
- 1. **Send safe samples** (1)
- 2. **Send all samples** (3)
-
- >[!NOTE]
- >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
-
- > [!WARNING]
- > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
-
-7. Click **OK**.
-
-**Use PowerShell cmdlets to enable cloud-delivered protection:**
-
-Use the following cmdlets to enable cloud-delivered protection:
-
-```PowerShell
-Set-MpPreference -MAPSReporting Advanced
-Set-MpPreference -SubmitSamplesConsent AlwaysPrompt
-```
-
->[!NOTE]
->You can also set -SubmitSamplesConsent to `None`. Setting it to `Never` will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
-
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
-
-**Use Windows Management Instruction (WMI) to enable cloud-delivered protection:**
-
-Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties:
-
-```WMI
-MAPSReporting
-SubmitSamplesConsent
-```
-
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-
-**Enable cloud-delivered protection on individual clients with the Windows Security app**
-
-> [!NOTE]
-> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
-
- 
-
-3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
-
->[!NOTE]
->If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
-
-## Related topics
-
-- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
-- [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
-- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)]
-- [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
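Review bot: if this cloud-protection content is being moved rather than retired, do not carry the PowerShell section over as-is, because it contradicts the rest of the page: the example sets `Set-MpPreference -SubmitSamplesConsent AlwaysPrompt`, while the Group Policy section on the same page says "Setting to 0 (Always Prompt) will lower the protection state of the device" and lists the recommended values as "Send safe samples (1)" or "Send all samples (3)". The note under the cmdlet block is also internally inconsistent ("set ... to `None`. Setting it to `Never` ... setting it to 2 means ..."); it should name one value per meaning, matching the 0/1/2/3 mapping given for Group Policy. Two smaller items to fix on the destination page: the heading "Use Windows Management Instruction (WMI)" should read "Instrumentation", and the Intune Endpoint Protection link in "Related topics" has a stray trailing `]`. Add a redirect for the removed path; it is linked from the "Related topics" of other pages in this folder.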
diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
deleted file mode 100644
index 8285dbdc5e..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Enable the limited periodic Windows Defender Antivirus scanning feature
-description: Limited periodic scanning lets you use Windows Defender Antivirus in addition to your other installed AV providers
-keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
----
-
-
-
-# Use limited periodic scanning in Windows Defender Antivirus
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.
-
-It can only be enabled in certain situations. For more information about limited periodic scanning and how Microsoft Defender Antivirus works with other antivirus products, see [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md).
-
-**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a limited subset of the Windows Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.
-
-## How to enable limited periodic scanning
-
-By default, Windows Defender Antivirus will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other product is out-of-date, expired, or not working correctly.
-
-If Windows Defender Antivirus is enabled, the usual options will appear to configure it on that device:
-
-
-
-If another antivirus product is installed and working correctly, Windows Defender Antivirus will disable itself. The Windows Security app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options:
-
-
-
-Underneath any third party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning.
-
-
-
-Sliding the switch to **On** will show the standard Windows Defender AV options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page.
-
-
-
-## Related articles
-
-- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
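Review bot: limited-periodic-scanning-windows-defender-antivirus.md is nested directly under windows-defender-antivirus-compatibility.md in oldTOC.md and the page itself tells readers to see the compatibility article for the conditions under which the feature can be enabled, so the compatibility article almost certainly links back here; check that inbound link and add a redirect for the removed path. If the text is moved, normalize the product name, since this page switches between "Windows Defender Antivirus" and "Microsoft Defender Antivirus" within two adjacent paragraphs.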
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
deleted file mode 100644
index d444eaedc1..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ /dev/null
@@ -1,79 +0,0 @@
----
-title: Manage Windows Defender Antivirus updates and apply baselines
-description: Manage how Windows Defender Antivirus receives protection and product updates.
-keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 03/04/2020
-ms.reviewer:
-manager: dansimp
----
-
-# Manage Windows Defender Antivirus updates and apply baselines
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-There are two types of updates related to keeping Windows Defender Antivirus up to date:
-
-1. Protection updates
-2. Product updates
-
-You can also apply [Windows security baselines](https://technet.microsoft.com/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection.
-
-## Protection updates
-
-Windows Defender Antivirus uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as Security intelligence updates.
-
-The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
-
-Engine updates are included with the Security intelligence updates and are released on a monthly cadence.
-
-## Product updates
-
-Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases.
-
-You can manage the distribution of updates through Windows Server Update Service (WSUS), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
-
-## Released platform and engine versions
-
-Only the main version is listed in the following table as reference information:
-
-Month | Platform/Client | Engine
----|---|---
-Mar-2020 | 4.18.2003.x| 1.1.16900.x
-Feb-2020 | - | 1.1.16800.x
-Jan-2020 | 4.18.2001.x | 1.1.16700.x
-Dec-2019 | - | - |
-Nov-2019 | 4.18.1911.x | 1.1.16600.x
-Oct-2019 | 4.18.1910.x | 1.1.16500.x
-Sep-2019 | 4.18.1909.x | 1.1.16400.x
-Aug-2019 | 4.18.1908.x | 1.1.16300.x
-Jul-2019 | 4.18.1907.x | 1.1.16200.x
-Jun-2019 | 4.18.1906.x | 1.1.16100.x
-May-2019 | 4.18.1905.x | 1.1.16000.x
-Apr-2019 | 4.18.1904.x | 1.1.15900.x
-Mar-2019 | 4.18.1903.x | 1.1.15800.x
-Feb-2019 | 4.18.1902.x | 1.1.15700.x
-Jan-2019 | 4.18.1901.x | 1.1.15600.x
-Dec-18 | 4.18.1812.X | 1.1.15500.x
-
-
-## In this section
-
-Article | Description
----|---
-[Manage how protection updates are downloaded and applied](manage-protection-updates-windows-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
-[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) | You can schedule when protection updates should be downloaded.
-[Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on.
-[Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.
-[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
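Review bot: deleting manage-updates-baselines-windows-defender-antivirus.md removes the "Released platform and engine versions" table, which is the only place in this change that records the monthly platform (4.18.yymm.x) and engine (1.1.16x00.x) numbers; that table is what people use to check whether an endpoint is on a current platform update, so confirm the destination page keeps it and add a redirect for this path. If the table is carried over, clean up its two irregular rows while doing so: the Dec-2019 row has a trailing `|` the other rows lack, and the Dec-18 row uses a different year format and an upper-case `X` placeholder.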
diff --git a/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md b/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md
deleted file mode 100644
index f9457d3f21..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md
+++ /dev/null
@@ -1,68 +0,0 @@
-
-# [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-
-## [Windows Defender AV in the Microsoft Defender Security Center app](windows-defender-security-center-antivirus.md)
-
-## [Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)
-
-## [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md)
-### [Use limited periodic scanning in Windows Defender AV](limited-periodic-scanning-windows-defender-antivirus.md)
-
-
-## [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
-
-
-## [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
-### [Deploy and enable Windows Defender Antivirus](deploy-windows-defender-antivirus.md)
-#### [Deployment guide for VDI environments](deployment-vdi-windows-defender-antivirus.md)
-### [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md)
-#### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](troubleshoot-reporting.md)
-### [Manage updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-#### [Manage protection and Security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
-#### [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-#### [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-#### [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-#### [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-
-
-## [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md)
-### [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-#### [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
-#### [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md)
-#### [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md)
-#### [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
-#### [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-### [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
-#### [Detect and block Potentially Unwanted Applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-#### [Enable and configure always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-### [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
-#### [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
-#### [Prevent users from seeing or interacting with the user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
-#### [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-
-
-## [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-### [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
-#### [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
-#### [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-#### [Configure exclusions in Windows Defender AV on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md)
-### [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
-### [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
-### [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-### [Configure and run scans](run-scan-windows-defender-antivirus.md)
-### [Review scan results](review-scan-results-windows-defender-antivirus.md)
-### [Run and review the results of a Windows Defender Offline scan](windows-defender-offline.md)
-
-
-## [Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)
-
-
-
-## [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
-### [Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md)
-### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md)
-### [Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md)
-### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md)
-### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](command-line-arguments-windows-defender-antivirus.md)
-
-
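Review bot: removing oldTOC.md is fine on its own, but note that it was the file still listing several pages deleted elsewhere in this change (limited-periodic-scanning-..., deploy-windows-defender-antivirus.md, manage-updates-baselines-..., enable-cloud-protection-..., customize-run-review-remediate-scans-...), and it also lists pages that are not deleted here (deployment-vdi-..., report-monitor-..., the configure-* and use-* reference topics). Please confirm the live TOC.md for this folder has been updated in the same PR so that none of the removed paths remain as TOC entries; a TOC entry pointing at a deleted file breaks the docs build even though the old TOC is gone.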
diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
deleted file mode 100644
index f99aa7584f..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: Restore quarantined files in Windows Defender AV
-description: You can restore files and folders that were quarantined by Windows Defender AV.
-keywords:
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 11/16/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Restore quarantined files in Windows Defender AV
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
-
-1. Open **Windows Security**.
-2. Click **Virus & threat protection** and then click **Threat History**.
-3. Under **Quarantined threats**, click **See full history**.
-4. Click an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.)
-
-> [!NOTE]
-> You can also use the dedicated command-line tool [mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to restore quarantined files in Windows Defender AV.
-
-## Related articles
-
-- [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
-- [Review scan results](review-scan-results-windows-defender-antivirus.md)
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
-
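Review bot: restore-quarantined-files-windows-defender-antivirus.md is linked from the "Related articles" of the remediation and scan-results pages that are not deleted in this change, so a redirect is needed for this path as well. If the steps are moved, change the mpcmdrun.exe reference in the note from the absolute docs.microsoft.com URL to the relative command-line-arguments-windows-defender-antivirus.md link used everywhere else on these pages, so it keeps working when the folder moves again; the trailing blank line at the end of the file can be dropped at the same time.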
diff --git a/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md b/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md
deleted file mode 100644
index 9fc1cbc630..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: Shadow protection in next-generation protection
-description: Learn about shadow protection in next-generation protection
-keywords: Windows Defender Antivirus, shadow protection, passive mode
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-author: denisebmsft
-ms.author: deniseb
-manager: dansimp
-ms.reviewer: shwetaj
-audience: ITPro
-ms.topic: article
-ms.prod: w10
-ms.localizationpriority: medium
-ms.custom: next-gen
-ms.collection:
----
-
-# Shadow protection in next-generation protection
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-## What is shadow protection?
-
-When enabled, shadow protection extends behavioral-based blocking and containment capabilities by blocking malicious artifacts or behaviors observed through post-breach protection. This is the case even if [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) is not your active antivirus protection. Shadow protection is useful if your organization has not fully transitioned to Windows Defender Antivirus and you are presently using a third-party antivirus solution. Shadow protection works behind the scenes by remediating malicious entities identified in post-breach protection that the existing third-party antivirus solution missed.
-
-> [!NOTE]
-> Shadow protection is currently in [limited private preview](#can-i-participate-in-the-private-preview-of-shadow-protection).
-
-To get the best protection, [deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline). And see [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus).
-
-## What happens when something is detected?
-
-When shadow protection is turned on, and a malicious artifact is detected, the detection results in blocking and remediation actions. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#review-completed-actions).
-
-The following images shows an instance of unwanted software that was detected and blocked through shadow protection:
-
-:::image type="content" source="images/shadow-protection-detection.jpg" alt-text="Malware detected by shadow protection":::
-
-## Turn on shadow protection
-
-> [!IMPORTANT]
-> Make sure the [requirements](#requirements-for-shadow-protection) are met before turning shadow protection on.
-
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
-
-2. Choose **Settings** > **Advanced features**.
-
- :::image type="content" source="images/turn-shadow-protection-on.jpg" alt-text="Turn shadow protection on":::
-
-3. Turn shadow protection on.
-
-> [!NOTE]
-> Shadow protection can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to turn shadow protection on or off.
-
-## Requirements for shadow protection
-
-|Requirement |Details |
-|---------|---------|
-|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). |
-|Operating system |One of the following: - Windows 10 (all releases) - Windows Server 2016 or later |
-|Windows E5 enrollment |This is included in the following subscriptions: - Microsoft 365 E5 - Microsoft 365 E3 together with the Identity & Threat Protection offering See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [Features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
-|Cloud-delivered protection |Make sure Windows Defender Antivirus is configured such that cloud-delivered protection is enabled. See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus). |
-|Windows Defender Antivirus antimalware client |To make sure your client is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
-|Windows Defender Antivirus engine |To make sure your engine is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
-
-> [!IMPORTANT]
-> To get the best protection value, make sure Windows Defender Antivirus is configured to receive regular updates and other essential features, such as behavioral monitoring, IOfficeAV, tamper protection, and more. See [Protect security settings with tamper protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection)
-
-
-## Frequently asked questions
-
-### Will shadow protection have any impact on a user's antivirus protection?
-
-No. Shadow protection does not affect third-party antivirus protection running on users' machines. Shadow protection kicks in if the primary antivirus solution misses something, or if there is post-breach detection. Shadow protection works just like Windows Defender Antivirus in passive mode with the additional steps of blocking and remediating malicious items detected.
-
-### Why do I need to keep Windows Defender Antivirus up to date?
-
-The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack works in integration, and to get best protection value, you should keep Windows Defender Antivirus up to date.
-
-### Why do we need cloud protection on?
-
-Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on the optics received, along with behavioral and machine learning models.
-
-### Can I participate in the private preview of shadow protection?
-
-If you would like to participate in our private preview program, please send email to `shwjha@microsoft.com`.
-
-## See also
-
-- [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus)
-
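Review bot: `shadow-protection.md` is still a link target inside this same changeset (the `[Shadow protection enabled](shadow-protection.md)` row and the private-preview bullet in the compatibility article's hunk below, plus full docs.microsoft.com URLs to it), so the removal needs either a redirect for the published URL or a link/TOC cleanup that is not visible in this diff. Please add the rationale for withdrawing the page to the PR description: the file itself still marks the feature as in limited private preview and carries the client and engine version floors (`AMProductVersion` 4.18.2001.10, `AMEngineVersion` 1.1.16700.2) that readers may be relying on for their requirement checks.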
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
deleted file mode 100644
index 2efa65178d..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: Troubleshoot problems with reporting tools for Windows Defender AV
-description: Identify and solve common problems when attempting to report in Windows Defender AV protection status in Update Compliance
-keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, windows defender av
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer:
-manager: dansimp
----
-
-# Troubleshoot Windows Defender Antivirus reporting in Update Compliance
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> [!IMPORTANT]
-> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
-
-You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx).
-
-When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you might encounter problems or issues.
-
-Typically, the most common indicators of a problem are:
-- You only see a small number or subset of all the devices you were expecting to see
-- You do not see any devices at all
-- The reports and information you do see is outdated (older than a few days)
-
-For common error codes and event IDs related to the Windows Defender Antivirus service that are not related to Update Compliance, see [Windows Defender Antivirus events](troubleshoot-windows-defender-antivirus.md).
-
-There are three steps to troubleshooting these problems:
-
-1. Confirm that you have met all prerequisites
-2. Check your connectivity to the Windows Defender cloud-based service
-3. Submit support logs
-
->[!IMPORTANT]
->It typically takes 3 days for devices to start appearing in Update Compliance.
-
-
-## Confirm prerequisites
-
-In order for devices to properly show up in Update Compliance, you have to meet certain prerequisites for both the Update Compliance service and for Windows Defender Antivirus:
-
->[!div class="checklist"]
->- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](windows-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance.
-> - [Cloud-delivered protection is enabled](enable-cloud-protection-windows-defender-antivirus.md).
-> - Endpoints can [connect to the Windows Defender AV cloud](configure-network-connections-windows-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud)
-> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level).
-> - It has been 3 days since all requirements have been met
-
-“You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
-
-If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
-
-> [!div class="nextstepaction"]
-> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data-update-compliance.md)
-
-
-
-
-
-
-## Related topics
-
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
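Review bot: the deletion matches the retirement notice in the file's own IMPORTANT block (Update Compliance reporting for Windows Defender Antivirus removed on March 31, 2020), but the page's `nextstepaction` link to `collect-diagnostic-data-update-compliance.md` is not touched in this diff; confirm that companion page is removed or redirected in the same change so it is not left orphaned, and that a redirect for this page's URL exists. The quoted block after the prerequisites checklist was a verbatim duplicate of the licensing paragraph near the top, so nothing from there needs porting.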
diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
deleted file mode 100644
index 68f8c4587a..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
-description: Next-gen technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection.
-keywords: windows defender antivirus, next-gen technologies, next-gen av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.reviewer:
-manager: dansimp
-ms.custom: nextgen
----
-
-# Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Microsoft next-generation technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
-
-Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
-
-
-To take advantage of the power and speed of these next-gen technologies, Windows Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.
-
->[!NOTE]
->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
-
-With cloud-delivered protection, next-gen technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender Antivirus in action:
-
-
-
-To understand how next-gen technologies shorten protection delivery time through the cloud, watch the following video:
-
-
-
-Read the following blog posts for detailed protection stories involving cloud-protection and Microsoft AI:
-
-- [Why Windows Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise/)
-- [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/)
-- [How artificial intelligence stopped an Emotet outbreak](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak/)
-- [Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses/)
-- [Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware](https://cloudblogs.microsoft.com/microsoftsecure/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/)
-
-## Get cloud-delivered protection
-
-Cloud-delivered protection is enabled by default. However, you may need to re-enable it if it has been disabled as part of previous organizational policies.
-
-Organizations running Windows 10 E5, version 1803 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn cloud-delivered protection on, we can deliver a fix for a malware issue via the cloud within minutes instead of waiting for the next update.
-
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-
-The following table describes the differences in cloud-delivered protection between recent versions of Windows and Configuration Manager.
-
-Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center 2012 Configuration Manager | Microsoft Endpoint Configuration Manager (Current Branch) | Microsoft Intune
----|---|---|---|---|---|---
-Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service
-Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version
-Cloud block timeout period | No | No | Configurable | Not configurable | Configurable | Configurable
-
-You can also [configure Windows Defender AV to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-windows-defender-antivirus.md#cloud-report-updates).
-
-
-## In this section
-
- Topic | Description
----|---
-[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
-[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
-[Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
-[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy.
-[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy.
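Review bot: the platform comparison table (`Feature | Windows 8.1 (Group Policy) | ...`, covering the MAPS membership level and whether the cloud block timeout is configurable per platform) and the `In this section` index that links the five configuration topics (`enable-cloud-protection-...`, `specify-cloud-protection-level-...`, `configure-network-connections-...`, `configure-block-at-first-sight-...`, `configure-cloud-block-timeout-period-...`) have no replacement anywhere in this diff. If that table is not being moved into one of the surviving topics, the PR description should say where it now lives, and the TOC entry that points at this hub page needs updating in the same change so the five child topics stay reachable.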
diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
deleted file mode 100644
index 9c284e75a0..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: "Why you should use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection"
-description: "For best results, use Windows Defender Antivirus together with your other Microsoft offerings."
-keywords: windows defender, antivirus, third party av
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-ms.topic: article
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 01/07/2020
-ms.reviewer:
-manager: dansimp
----
-
-# Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Windows Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP).
-
-Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. Not only is Windows Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services.
-
-## 10 reasons to use Windows Defender Antivirus together with Microsoft Defender ATP
-
-| |Advantage |Why it matters |
-|--|--|--|
-|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). |
-|2|Threat analytics and your configuration score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [configuration score](../microsoft-defender-atp/configuration-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
-|3|Performance |Microsoft Defender ATP is designed to work with Windows Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).|
-|4|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).|
-|5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).|
-|6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).|
-|7|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) |
-|8|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). |
-|9|File recovery via OneDrive |If you are using Windows Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).|
-|10|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Windows Defender Antivirus](troubleshoot-windows-defender-antivirus.md). |
-
-
-## Learn more
-
-[Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
-
-[Threat & Vulnerability Management](../microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
-
-
-
-
-
-
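Review bot: this removal is consistent within the changeset (the shadow protection page that linked here is deleted in the same diff), but the inbound references use the full `https://docs.microsoft.com/.../why-use-microsoft-antivirus` URL rather than a relative path, which suggests other doc sets link to it as well; a redirect for that URL should accompany the deletion. The `ISO 270001` typo in row 8 and the trailing run of blank lines go away with the file, so nothing from it needs porting.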
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
deleted file mode 100644
index e09392cea5..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: Windows Defender Antivirus compatibility with other security products
-description: Windows Defender Antivirus operates in different ways depending on what other security products you have installed, and the operating system you are using.
-keywords: windows defender, atp, advanced threat protection, compatibility, passive mode
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer:
-manager: dansimp
----
-
-# Windows Defender Antivirus compatibility
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-## Overview
-
-Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
-- When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, Windows Defender Antivirus automatically goes into disabled mode.
-- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real time protection and threats are not remediated by Windows Defender Antivirus.)
-- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [shadow protection (currently in private preview)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection), then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
-
-## Antivirus and Microsoft Defender ATP
-
-The following table summarizes what happens with Windows Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP.
-
-
-| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender Antivirus state |
-|------|------|-------|-------|
-| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
-| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode |
-| Windows 10 | Windows Defender Antivirus | Yes | Active mode |
-| Windows 10 | Windows Defender Antivirus | No | Active mode |
-| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] |
-| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] |
-| Windows Server 2016 or 2019 | Windows Defender Antivirus | Yes | Active mode |
-| Windows Server 2016 or 2019 | Windows Defender Antivirus | No | Active mode |
-
-(1) On Windows Server 2016 or 2019, Windows Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Windows Defender Antivirus on Windows Server 2016 or 2019](windows-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-windows-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine.
-
-If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
-- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
-- Name: ForceDefenderPassiveMode
-- Value: 1
-
-See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.
-
-> [!IMPORTANT]
-> Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.
->
-> In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager.
->
-> Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
-
-## Functionality and features available in each state
-
-The following table summarizes the functionality and features that are available in each state:
-
-|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) |
-|--|--|--|--|--|--|
-|Active mode
|Yes |No |Yes |Yes |Yes |
-|Passive mode |No |No |Yes |No |Yes |
-|[Shadow protection enabled](shadow-protection.md) |No |No |Yes |Yes |Yes |
-|Automatic disabled mode |No |Yes |No |No |No |
-
-- In Active mode, Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself).
-- In Passive mode, Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service.
-- When [shadow protection (currently in private preview)](shadow-protection.md) is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
-- In Automatic disabled mode, Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
-
-## Keep the following points in mind
-
-If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
-
-When Windows Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
-
-In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md); however, you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
-
-If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode.
-
-> [!WARNING]
-> You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md).
-
-
-## Related topics
-
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md)
-- [Shadow protection in next-generation protection](shadow-protection.md)
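Review bot: Deleting this article also removes the only copy in this tree of the mode table (Active, Passive, Shadow protection, Automatic disabled) and of the warning not to stop or modify the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend* and *MsMpEng* services; confirm the replacement topic carries both before the deletion merges. The page's own Related topics list links to windows-defender-antivirus-in-windows-10.md, which this same change deletes, so both paths need redirects or every remaining inbound link will break.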
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
deleted file mode 100644
index 79ba16ef12..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
-description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016
-keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.date: 02/25/2020
-ms.reviewer:
-manager: dansimp
-ms.custom: nextgen
----
-
-# Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
-
-**Applies to:**
-
-- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-## Windows Defender Antivirus: Your next-generation protection
-
-Windows Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following:
-
-- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-windows-defender-antivirus.md). This includes always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection"). It also includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware.
-- [Cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md). This includes near-instant detection and blocking of new and emerging threats.
-- [Dedicated protection and product updates](manage-updates-baselines-windows-defender-antivirus.md). This includes updates related to keeping Windows Defender Antivirus up to date.
-
-## Try a demo!
-
-Visit the [Microsoft Defender ATP demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios:
-- Cloud-delivered protection
-- Block at first sight (BAFS) protection
-- Potentially unwanted applications (PUA) protection
-
-## Minimum system requirements
-
-Windows Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see:
-
-- [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
-- [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components)
-
-## Configure next-generation protection services
-
-For information on how to configure next-generation protection services, see [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md).
-
-> [!Note]
-> Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Windows Defender Antivirus; however, there are some differences. To learn more, see [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md).
-
-## Related articles
-
-- [Windows Defender Antivirus management and configuration](configuration-management-reference-windows-defender-antivirus.md)
-
-- [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
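Review bot: This removes windows-defender-antivirus-in-windows-10.md, which other articles still link to by that filename (the compatibility topic and windows-defender-offline.md both list it under Related topics/articles in this diff), so any page in the surviving tree that links it will 404 unless a redirect is added. The removed text also holds the minimum system requirements pointers and the demo-site link for BAFS and PUA; check that they were migrated rather than dropped.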
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
deleted file mode 100644
index b8fbc245ce..0000000000
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
+++ /dev/null
@@ -1,141 +0,0 @@
----
-title: Windows Defender Offline in Windows 10
-description: You can use Windows Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network.
-keywords: scan, defender, offline
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer:
-manager: dansimp
----
-
-# Run and review the results of a Windows Defender Offline scan
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
-
-You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean of the endpoint after a malware outbreak.
-
-In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Security app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
-
-## prerequisites and requirements
-
-Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
-
-For more information about Windows 10 requirements, see the following topics:
-
-- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
-
-- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx)
-
-> [!NOTE]
-> Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
-
-To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
-
-## Windows Defender Offline updates
-
-Windows Defender Offline uses the most recent protection updates available on the endpoint; it's updated whenever Windows Defender Antivirus is updated.
-
-> [!NOTE]
-> Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
-
-See the [Manage Windows Defender Antivirus Security intelligence updates](manage-protection-updates-windows-defender-antivirus.md) topic for more information.
-
-## Usage scenarios
-
-In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint.
-
-The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're using it to manage your endpoints.
-
-The prompt can occur via a notification, similar to the following:
-
-
-
-The user will also be notified within the Windows Defender client:
-
-
-
-In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**.
-
-Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
-
-
-
-## Configure notifications
-
-
-Windows Defender Offline notifications are configured in the same policy setting as other Windows Defender AV notifications.
-
-For more information about notifications in Windows Defender, see the [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) topic.
-
-## Run a scan
-
-> [!IMPORTANT]
-> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
-
-You can run a Windows Defender Offline scan with the following:
-
-- PowerShell
-- Windows Management Instrumentation (WMI)
-- The Windows Security app
-
-
-
-### Use PowerShell cmdlets to run an offline scan
-
-Use the following cmdlets:
-
-```PowerShell
-Start-MpWDOScan
-```
-
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
-
-### Use Windows Management Instruction (WMI) to run an offline scan
-
-Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class to run an offline scan.
-
-The following WMI script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
-
-```WMI
-wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
-```
-
-See the following for more information:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-
-
-### Use the Windows Defender Security app to run an offline scan
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label:
-
-
-3. Select **Windows Defender Offline scan** and click **Scan now**.
-
-
- > [!NOTE]
- > In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client.
-
-
-## Review scan results
-
-Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](windows-defender-security-center-antivirus.md#detection-history).
-
-
-## Related articles
-
-- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
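Review bot: The deletion takes with it the "Run a scan" section, which is the only place this tree documents `Start-MpWDOScan`, the `MSFT_MpWDOScan` WMI class and the `wmic ... call Start` invocation, plus the prerequisite note that the offline scan is unsupported on ARM processors and Windows Server SKUs. If the offline-scan content is moving rather than being retired, the destination should keep those specifics and a redirect from windows-defender-offline.md should be added; if it is being retired, say so in the PR description.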
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md
index 5ade5917e6..1a4b279e16 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@@ -1,20 +1,23 @@
-# [Windows Defender Application Control](windows-defender-application-control.md)
+# [Application Control for Windows](windows-defender-application-control.md)
+## [WDAC and AppLocker Overview](wdac-and-applocker-overview.md)
+### [WDAC and AppLocker Feature Availability](feature-availability.md)
-## [Windows Defender Application Control design guide](windows-defender-application-control-design-guide.md)
+
+## [WDAC design guide](windows-defender-application-control-design-guide.md)
### [Plan for WDAC policy lifecycle management](plan-windows-defender-application-control-management.md)
-### Design and create your WDAC policy
+### Design your initial WDAC policy
#### [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md)
#### [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md)
-##### [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md)
-##### [Authorize reputable apps with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
-#### [Example WDAC base policies](example-wdac-base-policies.md)
+#### [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md)
+#### [Authorize reputable apps with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
#### [Use multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md)
-#### [Common WDAC deployment scenarios](types-of-devices.md)
+#### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
+### Create your initial WDAC policy
+#### [Example WDAC base policies](example-wdac-base-policies.md)
+#### [Policy creation for common WDAC usage scenarios](types-of-devices.md)
##### [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md)
##### [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md)
##### [Create a WDAC policy for fixed-workload devices](create-initial-default-policy.md)
-##### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
-
## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md)
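Review bot: Blank-line separation is now inconsistent within the hunk: a "+" blank line is inserted before "## [WDAC design guide]" while the blank line before "## [Windows Defender Application Control deployment guide]" is removed. Pick one convention for the H2 nodes. The same hunk also leaves naming inconsistent, abbreviating to "WDAC design guide" while the sibling entry remains "Windows Defender Application Control deployment guide"; rename both or neither.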
@@ -28,7 +31,7 @@
### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md)
### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)
### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
-#### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
+#### [Optional: Use the WDAC Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
#### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)
#### [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-windows-defender-application-control.md)
### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md)
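Review bot: The TOC entry is renamed to "Optional: Use the WDAC Signing Portal in the Microsoft Store for Business" but the target file is still use-device-guard-signing-portal-in-microsoft-store-for-business.md, and the Store for Business UI labels the feature Device Guard signing. Either keep the product's own name here or make sure the linked article's H1 was updated in the same change, so the TOC text and the page title agree.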
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
index 9e6f941382..e07be3cc57 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
@@ -27,7 +27,7 @@ ms.date: 02/28/2018
- Windows 10
- Windows Server 2016
-As you deploy Windows Defender Application Control (WDAC) (also part of Windows Defender Device Guard), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
+As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
If you have an internal CA, complete these steps to create a code signing certificate.
Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded.
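Review bot: Dropping the Device Guard parenthetical is fine, but the unchanged context line immediately below, "Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded.", names the padding scheme imprecisely; since this paragraph is being edited anyway, suggest "Only the RSA algorithm is supported for the code signing certificate, and signatures must use PKCS #1 v1.5 padding." (PKCS #1 v1.5 as opposed to PSS).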
@@ -98,7 +98,7 @@ Now that the template is available to be issued, you must request one from the c
>[!NOTE]
>If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client.
-This certificate must be installed in the user’s personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
+This certificate must be installed in the user's personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
1. Right-click the certificate, point to **All Tasks**, and then click **Export**.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
index f707f7a7bb..1a27567a27 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
@@ -21,8 +21,8 @@ ms.date: 05/03/2018
**Applies to:**
-- Windows 10
-- Windows Server 2016 and above
+- Windows 10
+- Windows Server 2016 and above
This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc...
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
index 93758237b0..9957c0ae10 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -22,8 +22,8 @@ ms.date: 11/20/2019
**Applies to:**
-- Windows 10
-- Windows Server 2016 and above
+- Windows 10
+- Windows Server 2016 and above
This section outlines the process to create a WDAC policy for **fully-managed devices** within an organization. The key difference between this scenario and [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully-managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully-managed devices should ideally run as standard user and only authorized IT pros have administrative access.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index d25131d06d..fbee02749f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -22,8 +22,8 @@ ms.date: 11/15/2019
**Applies to:**
-- Windows 10
-- Windows Server 2016 and above
+- Windows 10
+- Windows Server 2016 and above
This section outlines the process to create a WDAC policy for **lightly-managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC managed devices as described in later topics.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 484dd83dc0..1ea8df15e9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -81,7 +81,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
`PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
>[!NOTE]
->Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries’ hash values.
+>Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values.
When finished, the files will be saved to your desktop. You can double-click the \*.cat file to see its contents, and you can view the \*.cdf file with a text editor.
@@ -95,16 +95,16 @@ Packages can fail for the following reasons:
- To diagnose whether USN journal size is the issue, after running through Package Inspector, click Start > install app > PackageInspector stop
- Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this was the most recent USN when you ran PackageInspector start)
- `fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt`
- - ReadJournal command should throw an error if the older USNs don’t exist anymore due to overflow
+ - ReadJournal command should throw an error if the older USNs don't exist anymore due to overflow
- For USN Journal, log size can be expanded using: `fsutil usn createjournal` command with a new size and alloc delta. `Fsutil usn queryjournal` will give the current size and allocation delta, so using a multiple of that may help
- To diagnose whether Eventlog size is the issue, look at the Microsoft/Windows/CodeIntegrity/Operational log under Applications and Services logs in Event Viewer and ensure that there are entries present from when you began Package Inspector (You can use write time as a justification; if you started the install 2 hours ago and there are only entries from 30 minutes prior, the log is definitely too small)
- To increase Eventlog size, in Event Viewer you can right click the operational log, click properties, and then set new values (some multiple of what it was previously)
- Package files that change hash each time the package is installed
- Package Inspector is completely incompatible if files in the package (temporary or otherwise) change hash each time the package is installed. You can diagnose this by looking at the hash field in the 3077 block events when the package is failing in enforcement. If each time you attempt to run the package you get a new block event with a different hash, the package will not work with Package Inspector
-- Files with an invalid signature blob or otherwise “unhashable” files
+- Files with an invalid signature blob or otherwise "unhashable" files
- This issue arises when a file that has been signed is modified post signing in a way that invalidates the PE header and renders the file unable to be hashed by the Authenticode Spec.
- - WDAC uses Authenticode Hashes to validate files when they are running. If the file is unhashable via the authenticode SIP, there is no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can’t be allowed by hash due to authenticode hashing algorithm rejecting it)
- - Recent versions of InstallShield packages that use custom actions can hit this. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this “unhashable” state and renders the file unable to be allowed by Device Guard (regardless of if you try to allow directly by policy or resign with Package Inspector)
+ - WDAC uses Authenticode Hashes to validate files when they are running. If the file is unhashable via the authenticode SIP, there is no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can't be allowed by hash due to authenticode hashing algorithm rejecting it)
+ - Recent versions of InstallShield packages that use custom actions can hit this. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this "unhashable" state and renders the file unable to be allowed by Windows Defender (regardless of if you try to allow directly by policy or resign with Package Inspector)
## Catalog signing with SignTool.exe
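Review bot: The last "+" line of the hunk replaces "Device Guard" with "Windows Defender", which names the antivirus, not the application control feature, so "renders the file unable to be allowed by Windows Defender" is now wrong. The sibling bullet directly above already uses the right term ("WDAC uses Authenticode Hashes to validate files..."); change this one to "unable to be allowed by WDAC" for accuracy and consistency with the rest of the article.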
@@ -124,7 +124,7 @@ To sign the existing catalog file, copy each of the following commands into an e
`$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
-2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user’s personal store.
+2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user's personal store.
3. Sign the catalog file with Signtool.exe:
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index 13547435c1..0fc1b53db9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -14,15 +14,15 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 05/17/2019
+ms.date: 04/15/2020
---
# Use multiple Windows Defender Application Control Policies
**Applies to:**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows Server 2016
The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios:
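Review bot: The "Applies to" list still says "Windows Server 2016", but the paragraph below it states that multiple policy support begins with Windows 10 version 1903 and the hunk that follows adds a note that pre-1903 systems do not support it; Windows Server 2016 is a pre-1903 code base, so either drop it from the list or qualify it. The other files in this change also standardize on "**Applies to:**" followed by a blank line and "Windows Server 2016 and above"; this file's list should match that form rather than only changing trailing whitespace.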
@@ -36,16 +36,17 @@ The restriction of only having a single code integrity policy active on a system
- A supplemental policy expands a single base policy, and multiple supplemental policies can expand the same base policy
- For supplemental policies, applications that are allowed by either the base policy or its supplemental policy/policies are allowed to run
-## How do Base and Supplemental Policies Interact?
+> [!NOTE]
+> Pre-1903 systems do not support the use of Multiple Policy Format WDAC policies.
+
+## Base and supplemental policy interaction
- Multiple base policies: intersection
- Only applications allowed by both policies run without generating block events
- Base + supplemental policy: union
- Files that are allowed by the base policy or the supplemental policy are not blocked
-Note that multiple policies will not work on pre-1903 systems.
-
-### Allow Multiple Policies
+## Creating WDAC policies in Multiple Policy Format
In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format.
@@ -65,9 +66,10 @@ For signed base policies that are being made supplementable, you need to ensure
Add-SignerRule -FilePath -CertificatePath [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] []
```
-### Supplemental Policy Creation
+### Supplemental policy creation
+
+In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format as shown above. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands. You can use either SupplementsBasePolicyID or BasePolicyToSupplementPath to specify the base policy.
-In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands. You can use either SupplementsBasePolicyID or BasePolicyToSupplementPath to specify the base policy.
- "SupplementsBasePolicyID": GUID of base policy that the supplemental policy applies to
- "BasePolicyToSupplementPath": path to base policy file that the supplemental policy applies to
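Review bot: The unchanged `Add-SignerRule` syntax line above the closing fence shows no parameter placeholders in this diff (it reads `-FilePath -CertificatePath [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] []`); if the `<...>` tokens were lost because they were not inside the fence or were parsed as HTML, restore them now that this section is being edited. In the two bullets, the parameter names are written as quoted strings ("SupplementsBasePolicyID", "BasePolicyToSupplementPath"); writing them as `-SupplementsBasePolicyID` and `-BasePolicyToSupplementPath` in backticks makes clear they are Set-CIPolicyIdInfo parameters and matches how the new paragraph above refers to the cmdlet.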
@@ -81,20 +83,21 @@ Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and re
When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy will be a base policy with ID \.
-### Deploying policies
+## Deploying multiple policies
-> [!NOTE]
-> You cannot use the "Deploy Windows Defender Application Control" group policy setting to deploy multiple CI policies. You will have to copy the `*.cip` files, both the baseline and the supplemental ones, to C:\Windows\System32\CodeIntegrity\CiPolicies\Active\.
+In order to deploy multiple WDAC policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by MEM Intune's Custom OMA-URI feature. You cannot use the "Deploy Windows Defender Application Control" group policy setting to deploy multiple CI policies.
-In order to deploy policies using the new multiple policy format you will need to:
+### Deploying multiple policies locally
+
+In order to deploy policies locally using the new multiple policy format you will need to:
1. Ensure policies are copied to the right location
- Policies must be copied to this directory: C:\Windows\System32\CodeIntegrity\CiPolicies\Active
2. Binary policy files must have the correct name which takes the format {PolicyGUID}.cip
- Ensure that the name of the binary policy file is exactly the same as the PolicyID in the policy
- - For example if the policy XML had the ID as `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}` the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip
-3. Reboot the system or use WMI to rebootlessly refresh the policy
+ - For example, if the policy XML had the ID as `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}` then the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip
+3. Reboot the system
-```powershell
-Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = 'C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip'}
-```
+### Deploying multiple policies via ApplicationControl CSP
+
+Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. Refer to [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability.
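Review bot: Deleting the `Invoke-CimMethod ... PS_UpdateAndCompareCIPolicy` block removes the only documented way to refresh a locally copied policy without a reboot, and the local procedure's step 3 now reads just "Reboot the system" while the new CSP subsection advertises rebootless deployment only through MDM. If the WMI refresh still works for locally deployed multiple-policy-format policies, keep it as an alternative to rebooting; if it was removed because it is unsupported, say so explicitly in the local subsection so readers with existing scripts know to stop relying on it. In the new intro sentence, "you must either deploy them locally by copying ... or by using the ApplicationControl CSP" should be "either deploy them locally by copying ... or use the ApplicationControl CSP" for parallel structure, and "the proper folder" can name `C:\Windows\System32\CodeIntegrity\CiPolicies\Active` directly, as the steps below do.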
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
index 5c089e58ac..1700437f22 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
@@ -24,7 +24,7 @@ ms.date: 02/28/2018
- Windows 10
- Windows Server 2016
-WDAC policies can easily be deployed and managed with Group Policy. A Windows Defender Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Windows Defender Device Guard hardware-based security features and Windows Defender Application Control policies. The following procedure walks you through how to deploy a WDAC policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
+WDAC policies can easily be deployed and managed with Group Policy. Windows Defender allows you to simplify deployment Windows Defender hardware-based security features and Windows Defender Application Control policies. The following procedure walks you through how to deploy a WDAC policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
> [!NOTE]
> This walkthrough requires that you have previously created a WDAC policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a WDAC policy, see [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md), earlier in this topic.
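Review bot: The rewritten intro sentence is ungrammatical and has lost its subject: "Windows Defender allows you to simplify deployment Windows Defender hardware-based security features" is missing "of" and attributes the capability to Windows Defender, the antimalware product, rather than to the Group Policy administrative template that the removed sentence described. Suggest keeping the template as the subject, for example: "The Windows Defender Device Guard administrative template, available in Windows Server 2016, simplifies deployment of hardware-based security features and Windows Defender Application Control policies." If the Device Guard name is being retired on purpose, rename the template rather than dropping it, since the rest of the walkthrough (the **DeviceGuardPolicy.bin** file and the *DG Enabled PCs* OU) still uses that name.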
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 48ce449ecd..2ec54bcba7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 02/28/2020
+ms.date: 04/29/2020
---
# Deploy Windows Defender Application Control policies by using Microsoft Intune
@@ -24,7 +24,7 @@ ms.date: 02/28/2020
- Windows 10
- Windows Server 2016
-You can use Microsoft Endpoint Manager (MEM) Intune to configure Windows Defender Application Control (WDAC). Intune includes native support for WDAC, which allows you to configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or to also allow reputable apps as defined by the Intelligent Security Graph (ISG). Using the built-in policies can be a helpful starting point, but many customers may find the available circle-of-trust options to be too limited.
+You can use Microsoft Endpoint Manager (MEM) Intune to configure Windows Defender Application Control (WDAC). Intune includes native support for WDAC, which allows you to configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or to also allow reputable apps as defined by the Intelligent Security Graph (ISG). Using the built-in policies can be a helpful starting point, but many customers may find the available circle-of-trust options to be too limited.
In order to deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies. Custom OMA-URI can also be used on pre-1903 systems to deploy custom policies via the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp).
@@ -50,16 +50,17 @@ Setting "Trust apps with good reputation" to enabled is equivalent to adding [Op
## Using a Custom OMA-URI Profile
### For 1903+ systems
+
The steps to use Intune's Custom OMA-URI functionality to leverage the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) and deploy a custom WDAC policy to 1903+ systems are:
-1. Know a generated policy’s GUID, which can be found in the policy xml as ``
+1. Know a generated policy's GUID, which can be found in the policy xml as ``
2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
4. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**.
5. Add a row, then give your policy a name and use the following settings:
- **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy
- **Data type**: Base64
- - **Certificate file**: upload your binary format policy file
+ - **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.

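Review bot: In step 1 the inline code span after "found in the policy xml as" is empty in the rendered line, so the element name the reader is supposed to look for never appears; the angle-bracketed XML tag was most likely dropped, so check that the source still carries it inside the backticks (Markdown treats a bare `<Tag>` outside code as HTML). The added sentence on the "Certificate file" bullet is useful; consider also noting that the uploaded file is the `.bin` produced by ConvertFrom-CIPolicy in step 2 so the two steps connect.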
@@ -67,6 +68,7 @@ The steps to use Intune's Custom OMA-URI functionality to leverage the [Applicat
> Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.
### For pre-1903 systems
+
The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are:
1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
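Review bot: The NOTE in the context lines above this hunk has a typo, "fully deactive the policy", which should read "fully deactivate the policy"; since this hunk already edits the same section (the blank line after "### For pre-1903 systems"), fix it in the same change.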
@@ -79,3 +81,6 @@ The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocke
> [!NOTE]
> Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy and/or use a script to delete the existing policy.
+
+> [!NOTE]
+> Deploying policies via the AppLocker CSP will force a reboot during OOBE.
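Review bot: The new note uses the acronym OOBE without expanding it; spell out "Out-of-Box Experience (OOBE)" on first use. It would also help to state whether the forced reboot is specific to the AppLocker CSP path, since the 1903+ section above presents the ApplicationControl CSP path as rebootless, so readers deploying to mixed fleets know which behaviour to expect on which builds.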
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index e51e5b06af..6a84a32f71 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -20,9 +20,10 @@ ms.date: 11/15/2019
# Windows Defender Application Control example base policies
-**Applies to**
-- Windows 10
-- Windows Server 2016 and above
+**Applies to:**
+
+- Windows 10
+- Windows Server 2016 and above
When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start from an existing base policy and then add or remove rules to build your own custom policy XML files. Windows includes several example policies which can be used, or organizations which use the Device Guard Signing Service can download a starter policy from that service.
diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
new file mode 100644
index 0000000000..d7bdf7e3c3
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
@@ -0,0 +1,42 @@
+---
+title: Feature Availability
+description: Compare WDAC and AppLocker feature availability.
+keywords: whitelisting, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: denisebmsft
+ms.reviewer: isbrahm
+ms.author: deniseb
+manager: dansimp
+ms.date: 04/15/2020
+ms.custom: asr
+---
+
+# WDAC and AppLocker feature availability
+
+**Applies to:**
+
+- Windows 10
+- Windows Server 2016 and above
+
+| Capability | WDAC | AppLocker |
+|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Platform support | Available on Windows 10 | Available on Windows 8+ |
+| SKU availability | Cmdlets are available on all SKUs on 1909+ builds. For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices. Policies deployed through MDM are effective on all SKUs. |
+| Management solutions |
[Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) (limited built-in policies or custom policy deployment via OMA-URI)
[Microsoft Endpoint Manager Configuration Manager (MEMCM)](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
|
+| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
+| Kernel mode policies | Available on all Windows 10 versions | Not available |
+| Per-app rules | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) | Not available |
+| Managed Installer (MI) | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) | Not available |
+| Reputation-Based intelligence | [Available on 1709+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) | Not available |
+| Multiple policy support | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) | Not available |
+| Path-based rules | [Available on 1903+.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
+| COM object configurability | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) | Not available |
+| Packaged app rules | [Available on RS5+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) | Available on Windows 8+ |
+| Enforceable file types |
Driver files: .sys
Executable files: .exe and .com
DLLs: .dll and .ocx
Windows Installer files: .msi, .mst, and .msp
Scripts: .ps1, .vbs, and .js
Packaged apps and packaged app installers: .appx
|
Executable files: .exe and .com
[Optional] DLLs: .dll and .ocx
Windows Installer files: .msi, .mst, and .msp
Scripts: .ps1, .bat, .cmd, .vbs, and .js
Packaged apps and packaged app installers: .appx
|
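Review bot: The "Management solutions" and "Enforceable file types" rows span several source lines, which a Markdown table cannot do; the cell contents need `<br>` separators on a single line, or the lists should move below the table, otherwise the table stops rendering at those rows. In the "Management solutions" row the AppLocker cell is empty even though the "SKU availability" row just above already refers to Group Policy and MDM deployment for AppLocker; list them there. "Available on RS5+" in the "Packaged app rules" row uses an internal codename where every other row gives a version number; write "1809+" for consistency. Finally, `keywords: whitelisting` in the front matter could be "allow list" to match the terminology the rest of the doc set is moving to.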
diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
index e702402c80..ebb66d445a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 05/14/2019
+ms.date: 05/29/2020
---
# Manage Packaged Apps with Windows Defender Application Control
@@ -65,8 +65,10 @@ Below are the list of steps you can follow to block one or more packaged apps in
1. Get the app identifier for an installed package
```powershell
- $package = Get-AppxPackage -name
+ $package = Get-AppxPackage -name **
```
+ Where the name of the app is surrounded by asterisks, for example *windowsstore*
+
2. Make a rule by using the New-CIPolicyRule cmdlet
```powershell
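Review bot: In the new explanatory line, `*windowsstore*` is written with bare asterisks in Markdown, so it renders as italic "windowsstore" and the asterisks the sentence tells the reader to add disappear; wrap the example in backticks. The fenced command `Get-AppxPackage -name **` likewise shows only the two wildcards with nothing between them, which would match every installed package rather than illustrate the pattern; show the real form, for example `Get-AppxPackage -name "*windowsstore*"`, so the wildcard usage is visible in the code itself.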
@@ -119,9 +121,9 @@ If the app you intend to block is not installed on the system you are using the
3. Copy the GUID in the URL for the app
- Example: the GUID for the Microsoft To-Do app is 9nblggh5r558
- - https://www.microsoft.com/p/microsoft-to-do-list-task-reminder/9nblggh5r558?activetab=pivot:overviewtab
+ - `https://www.microsoft.com/p/microsoft-to-do-list-task-reminder/9nblggh5r558?activetab=pivot:overviewtab`
4. Use the GUID in the following REST query URL to retrieve the identifiers for the app
- - Example: for the Microsoft To-Do app, the URL would be https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblggh5r558/applockerdata
+ - Example: for the Microsoft To-Do app, the URL would be `https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblggh5r558/applockerdata`
- The URL will return:
```
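Review bot: Step 3 and its example bullet, and step 4, call 9nblggh5r558 "the GUID" for the app, but the value in the URL is the Store product ID, not a GUID; since this hunk already edits those lines, rename it to "product ID" to avoid confusion with the PolicyID GUIDs used elsewhere in this doc set. The opening fence below "The URL will return:" also lacks a language tag; tag it (json, if that is what the query returns) so it highlights like the powershell fences above.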
@@ -141,4 +143,4 @@ The method for allowing specific packaged apps is similar to the method outlined
$Rule = New-CIPolicyRule -Package $package -allow
```
-Since a lot of system apps are packaged apps, it is generally advised that customers rely on the sample policies in C:\Windows\schemas\CodeIntegrity\ExamplePolicies to help allow all inbox apps by the Store signature already included in the policies and control apps with deny rules.
+Since a lot of system apps are packaged apps, it is generally advised that customers rely on the sample policies in `C:\Windows\schemas\CodeIntegrity\ExamplePolicies` to help allow all inbox apps by the Store signature already included in the policies and control apps with deny rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 465dfec3fb..8e442a2a0f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -19,10 +19,10 @@ ms.date: 04/09/2019
# Microsoft recommended block rules
-**Applies to**
-- Windows 10
-- Windows Server 2016
-- Windows Server 2019
+**Applies to:**
+
+- Windows 10
+- Windows Server 2016 and above
Members of the security community\* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index f58c81c02c..cccca7a73e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -21,24 +21,24 @@ ms.date: 02/21/2018
**Applies to:**
-- Windows 10
-- Windows Server 2016 and above
+- Windows 10
+- Windows Server 2016 and above
This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies.
## Policy XML lifecycle management
-Before you begin deploying WDAC, consider how your policies will be managed and maintained over time. Developing a process for managing WDAC policies helps assure that WDAC continues to effectively control how applications are allowed to run in your organization.
+The first step in implementing application control is to consider how your policies will be managed and maintained over time. Developing a process for managing WDAC policies helps assure that WDAC continues to effectively control how applications are allowed to run in your organization.
Most WDAC policies will evolve over time and proceed through a set of identifiable phases during their lifetime. Typically, these phases include:
-1. [Define (or refine) the "circle-of-trust"](understand-windows-defender-application-control-policy-design-decisions.md) for the policy and build an audit mode version of the policy XML.
-2. Deploy the audit mode policy to intended computers.
-3. Monitor audit block events from the intended computers and add/edit/delete rules as needed to address unexpected/unwanted blocks.
+1. [Define (or refine) the "circle-of-trust"](understand-windows-defender-application-control-policy-design-decisions.md) for the policy and build an audit mode version of the policy XML. In audit mode, block events are generated but files are not prevented from executing.
+2. Deploy the audit mode policy to intended devices.
+3. Monitor audit block events from the intended devices and add/edit/delete rules as needed to address unexpected/unwanted blocks.
4. Repeat steps 2-3 until the remaining block events meet expectations.
-5. Generate the enforced mode version of the policy.
-6. Deploy the enforced mode policy to intended computers. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
+5. Generate the enforced mode version of the policy. In enforced mode, files that are not allowed by the policy are prevented from executing and corresponding block events are generated.
+6. Deploy the enforced mode policy to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes.
### Keep WDAC policies in a source control or document management solution
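Review bot: The new opening sentence, "The first step in implementing application control is to consider how your policies will be managed and maintained over time", conflicts with the numbered lifecycle directly below it, whose step 1 is defining the circle of trust; the removed "Before you begin deploying WDAC" phrasing avoided that. Also "helps assure that WDAC continues" should be "helps ensure that". The added sentences explaining audit mode and enforced mode in steps 1 and 5 are a clear improvement.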
@@ -71,31 +71,31 @@ Additionally, WDAC events are collected by [Microsoft Defender Advanced Threat P
Considerations include:
-- What type of end-user support is provided for blocked applications?
-- How are new rules added to the policy?
-- How are existing rules updated?
-- Are events forwarded for review?
+- What type of end-user support is provided for blocked applications?
+- How are new rules added to the policy?
+- How are existing rules updated?
+- Are events forwarded for review?
### Help desk support
If your organization has an established help desk support department in place, consider the following when deploying WDAC policies:
-- What documentation does your support department require for new policy deployments?
-- What are the critical processes in each business group both in work flow and timing that will be affected by application control policies and how could they affect your support department's workload?
-- Who are the contacts in the support department?
-- How will the support department resolve application control issues between the end user and those who maintain the WDAC rules?
+- What documentation does your support department require for new policy deployments?
+- What are the critical processes in each business group both in work flow and timing that will be affected by application control policies and how could they affect your support department's workload?
+- Who are the contacts in the support department?
+- How will the support department resolve application control issues between the end user and those who maintain the WDAC rules?
### End-user support
Because WDAC is preventing unapproved apps from running, it is important that your organization carefully plan how to provide end-user support. Considerations include:
-- Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app?
-- How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app?
+- Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app?
+- How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app?
## Document your plan
After deciding how your organization will manage your WDAC policy, record your findings.
-- **End-user support policy.** Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the WDAC policy, if necessary.
-- **Event processing.** Document whether events will be collected in a central location called a store, how that store will be archived, and whether the events will be processed for analysis.
-- **Policy management.** Detail what policies are planned, how they will be managed, and how rules will be maintained over time.
+- **End-user support policy.** Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the WDAC policy, if necessary.
+- **Event processing.** Document whether events will be collected in a central location called a store, how that store will be archived, and whether the events will be processed for analysis.
+- **Policy management.** Detail what policies are planned, how they will be managed, and how rules will be maintained over time.
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index c8e505e884..5b823d7eeb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -54,13 +54,13 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. |
| **3 Enabled:Audit Mode (Default)** | Enables the execution of binaries outside of the WDAC policy but logs each occurrence in the CodeIntegrity event log, which can be used to update the existing policy before enforcement. To begin enforcing a WDAC policy, delete this option. |
| **4 Disabled:Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flighted builds. |
-| **5 Enabled:Inherit Default Policy** | This option is reserved for future use. |
+| **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. |
| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. |
| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. |
| **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. |
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. |
| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
-| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results. |
+| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, as well as on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on pre-1903 versions of Windows 10 without the 10C or later LCU is not supported and may have unintended results. |
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. |
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
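Review bot: the version note added to the option 11 row ("Disabled:Script Enforcement") refers to "the 2019 10C LCU", which is internal release shorthand that a reader cannot map to a KB number or a month; name the cumulative update explicitly (month and year, or KB) so an admin can verify the installed build before setting this option, because the same row warns that using it on an unsupported build "may have unintended results" and the option itself takes PowerShell out of Constrained Language Mode. The rewording of option 5 ("reserved for future use and currently has no effect") is fine.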
@@ -129,9 +129,9 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
## Windows Defender Application Control filename rules
-File name rule levels provide administrators to specify the file attributes off which to base a file name rule. File name rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. Specification of the file name level occurs when creating new policy rules. In addition, to combine file name levels found in multiple policies, you can merge multiple policies.
+File name rule levels provide administrators to specify the file attributes off which to base a file name rule. File name rules provide the same security guarantees that explicit signer rules do, as they are based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules. In addition, to combine file name levels found in multiple policies, you can merge multiple policies.
-Use Table 3 to select the appropriate file name level for your available administrative resources and Windows Defender Application Control deployment scenario.
+Use Table 3 to select the appropriate file name level for your available administrative resources and Windows Defender Application Control deployment scenario. For instance, an LOB or production application and its binaries (eg. DLLs) may all share the same product name. This allows users to easily create targeted policies based on the Product Name filename rule level.
**Table 3. Windows Defender Application Control policy - filename levels**
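Review bot: the rewritten paragraph inverts the security claim ("File name rules provide the same security guarantees that explicit signer rules do, as they are based on non-mutable file attributes") without stating the condition that makes it true. Version-resource fields such as Original File Name or Product Name are ordinary bytes in the PE and are trivially editable in an unsigned binary; they are only trustworthy when the file is signed and the resource is covered by the Authenticode signature. If, as the -Level FileName cmdlet documentation indicates, these rules are applied only to signed files, say so in this paragraph, and write "immutable" rather than "non-mutable". In the added example sentence "eg." should be "e.g.", and the unchanged opening "provide administrators to specify" is still ungrammatical ("let administrators specify").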
diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
index db845a4507..db8225d362 100644
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
@@ -1,6 +1,6 @@
---
-title: Common WDAC deployment scenarios (Windows 10)
-description: Develop a plan for deploying Windows Defender Application Control (WDAC) in your organization, using these common scenarios.
+title: Policy creation for common WDAC usage scenarios (Windows 10)
+description: Develop a plan for deploying Windows Defender Application Control (WDAC) in your organization based on these common scenarios.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
@@ -20,8 +20,9 @@ ms.date: 03/01/2018
# Windows Defender Application Control deployment in different scenarios: types of devices
**Applies to**
-- Windows 10
-- Windows Server 2016 and above
+
+- Windows 10
+- Windows Server 2016 and above
Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is very common for organizations to have device use cases across each of the categories described.
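Review bot: the front-matter title now reads "Policy creation for common WDAC usage scenarios (Windows 10)" but the H1 shown as context at the top of this hunk is still "Windows Defender Application Control deployment in different scenarios: types of devices", so the browser title and the page heading will disagree; align one with the other. The remaining change only rewrites the "Applies to" bullets with a blank line added and trailing whitespace removed, which is fine.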
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index 04a21aa98f..54d8ea8492 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -35,7 +35,7 @@ You should consider using WDAC as part of your organization's application contro
- You have deployed or plan to deploy the supported versions of Windows in your organization.
- You need improved control over the access to your organization's applications and the data your users access.
-- Your organization has a well-defined process for application management and deployed.
+- Your organization has a well-defined process for application management and deployment.
- You have resources to test policies against the organization's requirements.
- You have resources to involve Help Desk or to build a self-help process for end-user application access issues.
- The group's requirements for productivity, manageability, and security can be controlled by restrictive policies.
@@ -62,7 +62,7 @@ Organizations with well-defined, centrally-managed app management and deployment
| - | - |
| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](use-windows-defender-application-control-with-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. |
| Some apps are centrally managed and deployed, but teams can install additional apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can leverage managed installers to install their team-specific apps or admin-only file path rules can be used to allow apps installed by admin users. |
-| Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Windows Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. |
+| Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. |
| Users and teams are free to download and install apps without restriction. | WDAC policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.|
### Are internally-developed line-of-business (LOB) apps and apps developed by 3rd parties digitally signed?
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
index 76cec7912f..da33a878fe 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
@@ -31,7 +31,7 @@ This topic covers guidelines for using code signing control classic Windows apps
## Reviewing your applications: application signing and catalog files
-Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a “catalog file” from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
+Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a "catalog file" from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
Catalog files can be very useful for unsigned LOB applications that cannot easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your WDAC policies typically do not have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing).
@@ -45,7 +45,7 @@ To obtain signed applications or embed signatures in your in-house applications,
To use catalog signing, you can choose from the following options:
-- Use the Windows Defender Device Guard signing portal available in the Microsoft Store for Business and Education. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal).
+- Use the Windows Defender signing portal available in the Microsoft Store for Business and Education. The portal is a Microsoft web service that you can use to sign your Classic Windows applications.
- Create your own catalog files, which are described in the next section.
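Review bot: this bullet drops the link to the signing portal documentation and renames the feature from "Windows Defender Device Guard signing portal" to "Windows Defender signing portal". "Windows Defender" on its own is the antivirus brand, so the new name is less precise than the old one; if "Device Guard" is being retired, use the name the Microsoft Store for Business UI actually shows, and replace the link rather than removing it, otherwise the reader has no pointer to the portal at all.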
@@ -53,12 +53,12 @@ To use catalog signing, you can choose from the following options:
Catalog files (which you can create in Windows 10 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by WDAC in the same way as any other signed application.
-Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries’ hash values are updated each time an application is updated, which requires the catalog file to be updated also.
+Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries' hash values are updated each time an application is updated, which requires the catalog file to be updated also.
After you have created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files.
> [!NOTE]
-> Package Inspector only works on operating systems that support Windows Defender Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
+> Package Inspector only works on operating systems that support Windows Defender, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
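Review bot: the changed note "Package Inspector only works on operating systems that support Windows Defender" is vacuous: Windows Defender Antivirus ships on every Windows 10 edition, so the sentence no longer explains why only Enterprise, Education, Server and IoT Enterprise are listed. The original constraint was about Device Guard; rewrite it as "operating systems that support Windows Defender Application Control" and, since the line is touched anyway, fix "Windows 2016 Server" to "Windows Server 2016".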
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
index c5bb40be7e..8dfefbb2b5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
@@ -34,20 +34,19 @@ As of Windows 10, version 1703, you can use WDAC policies not only to control ap
| You can work from a list of plug-ins, add-ins, or modules that you want only a specific application to be able to run. Other applications would be blocked from running them. | Use `New-CIPolicyRule` with the `-AppID` option. |
| In addition, you can work from a list of plug-ins, add-ins, or modules that you want to block in a specific application. Other applications would be allowed to run them. | Use `New-CIPolicyRule` with the `-AppID` and `-Deny` options. |
-To work with these options, the typical method is to create a policy that only affects plug-ins, add-ins, and modules, then merge it into your ‘master’ policy (merging is described in the next section).
+To work with these options, the typical method is to create a policy that only affects plug-ins, add-ins, and modules, then merge it into your 'master' policy (merging is described in the next section).
-For example, to create a WDAC policy that allows **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization’s enterprise resource planning (ERP) application, but blocks those add-ins in other applications, run the following commands. Note that in the second command, **+=** is used to add a second rule to the **$rule** variable:
+For example, to create a WDAC policy that allows **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization's enterprise resource planning (ERP) application, run the following commands. Note that in the second command, **+=** is used to add a second rule to the **$rule** variable:
-```
-$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
-$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP1.exe'
+```powershell
+$rule = New-CIPolicyRule -DriverFilePath '.\ERP1.exe' -Level FileName -AppID '.\temp\addin1.dll'
+$rule += New-CIPolicyRule -DriverFilePath '.\ERP1.exe' -Level FileName -AppID '.\temp\addin2.dll'
New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs
```
As another example, to create a WDAC policy that blocks **addin3.dll** from running in Microsoft Word, run the following command. You must include the `-Deny` option to block the specified add-ins in the specified application:
-```
-$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin3.dll' -Level FileName -Deny -AppID '.\winword.exe'
+```powershell
+$rule = New-CIPolicyRule -DriverFilePath '.\winword.exe' -Level FileName -Deny -AppID '.\temp\addin3.dll'
New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs
```
-
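Review bot: the swapped arguments in both examples look inverted. As documented for New-CIPolicyRule, -DriverFilePath names the file the rule governs and -AppID names the application that is allowed (or, with -Deny, forbidden) to load it, which is exactly what the table rows at the top of this hunk describe ("plug-ins, add-ins, or modules that you want only a specific application to be able to run"). After the change the rules govern ERP1.exe and winword.exe and pass a DLL as the AppID, e.g. `$rule = New-CIPolicyRule -DriverFilePath '.\ERP1.exe' -Level FileName -AppID '.\temp\addin1.dll'`; the original ordering matched the prose, so confirm against the cmdlet before merging. Separately, the prose dropped "but blocks those add-ins in other applications" while the table row above still says "Other applications would be blocked from running them"; keep the two consistent. Tagging the fences as powershell is a good change.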
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 7c9d0b4790..09a7320fa3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -21,8 +21,8 @@ ms.date: 03/10/2020
**Applies to:**
-- Windows 10
-- Windows Server 2016 and above
+- Windows 10
+- Windows Server 2016 and above
Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system. In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task.
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
index c3a6983cd6..675381d926 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
@@ -21,14 +21,13 @@ ms.date: 06/13/2018
**Applies to:**
-- Windows 10
-- Windows Server 2016 and above
+- Windows 10
+- Windows Server 2016 and above
+Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC).
+This is especially true for enterprises with large, ever changing software catalogs.
-Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC).
-This is especially true for enterprises with large, ever changing software catalogs.
-
-Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager.
+Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager.
A managed installer helps an IT admin balance security and manageability requirements when employing application execution control policies by providing an option that does not require specifying explicit rules for software that is being managed through a software distribution solution.
## How does a managed installer work?
@@ -36,11 +35,11 @@ A managed installer helps an IT admin balance security and manageability require
A managed installer uses a new rule collection in AppLocker to specify one or more executables that are trusted by the organization as an authorized source for application deployment.
Specifying an executable as a managed installer will cause Windows to tag files that are written from the executable’s process (or processes it launches) as having originated from a trusted installation authority. The Managed Installer rule collection is currently supported for AppLocker rules in Group Policy and in Configuration Manager, but not in the AppLocker CSP for OMA-URI policies.
-Once the IT administrator adds the Allow: Managed Installer option to a WDAC policy, the WDAC component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy.
+Once the IT administrator adds the Allow: Managed Installer option to a WDAC policy, the WDAC component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy.
If there are no deny rules present for the file, it will be authorized based on the managed installer origin information.+
-Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer.
-Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps.
+Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer.
+Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps.
## Configuring a managed installer with AppLocker and Windows Defender Application Control
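Review bot: the added line "Admins needs to ensure that there is a WDAC policy in place" carries over a subject-verb error ("Admins need"); since the line is rewritten anyway, fix it here. The context line "If there are no deny rules present for the file, it will be authorized based on the managed installer origin information.+" also has a stray "+" at the end that is worth cleaning up in the same hunk.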
@@ -53,7 +52,7 @@ There are three primary steps to keep in mind:
### Specify managed installers using the Managed Installer rule collection in AppLocker policy
-The identity of the managed installer executable(s) is specified in an AppLocker policy in a Managed Installer rule collection.
+The identity of the managed installer executable(s) is specified in an AppLocker policy in a Managed Installer rule collection.
Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
An example of a valid Managed Installer rule collection is shown below.
@@ -83,7 +82,7 @@ As mentioned above, the AppLocker CSP for OMA-URI policies does not currently su
## Enable service enforcement in AppLocker policy
Since many installation processes rely on services, it is typically necessary to enable tracking of services.
-Correct tracking of services requires the presence of at least one rule in the rule collection – a simple audit only rule will suffice.
+Correct tracking of services requires the presence of at least one rule in the rule collection – a simple audit only rule will suffice.
For example:
```code
@@ -122,7 +121,7 @@ For example:
### Enable the managed installer option in WDAC policy
In order to enable trust for the binaries laid down by managed installers, the Enabled: Managed Installer option must be specified in your WDAC policy.
-This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption).
+This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption).
An example of the managed installer option being set in policy is shown below.
```code
@@ -144,10 +143,11 @@ An example of the managed installer option being set in policy is shown below.
```
+
## Set the AppLocker filter driver to autostart
To enable the managed installer, you need to set the AppLocker filter driver to autostart and start it.
-Run the following command as an Administrator:
+Run the following command as an Administrator:
```code
appidtel.exe start [-mionly]
@@ -155,37 +155,36 @@ appidtel.exe start [-mionly]
Specify `-mionly` if you will not use the Intelligent Security Graph (ISG).
-
## Security considerations with managed installer
-Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do.
-It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager.
+Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do.
+It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager.
-Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed.
-If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control.
+Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed.
+If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control.
Some application installers include an option to automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization may continue to apply to all files created during the first run of the application. This could result in over-authorization for executables that were not intended.
-To avoid this, ensure that the application deployment solution being used as a managed installer limits running applications as part of installation.
+To avoid this, ensure that the application deployment solution being used as a managed installer limits running applications as part of installation.
## Known limitations with managed installer
-- Application execution control based on managed installer does not support applications that self-update.
-If an application deployed by a managed installer subsequently updates itself, the updated application files will no longer include the managed installer origin information and will not be authorized to run.
-Enterprises should deploy and install all application updates using the managed installer.
-In some cases, it may be possible to also designate an application binary that performs the self-updates as a managed installer.
-Proper review for functionality and security should be performed for the application before using this method.
+- Application execution control based on managed installer does not support applications that self-update.
+If an application deployed by a managed installer subsequently updates itself, the updated application files will no longer include the managed installer origin information and will not be authorized to run.
+Enterprises should deploy and install all application updates using the managed installer.
+In some cases, it may be possible to also designate an application binary that performs the self-updates as a managed installer.
+Proper review for functionality and security should be performed for the application before using this method.
-- Although WDAC policies can be deployed in both audit and enforced mode, the managed installer option is currently only recommended for use with policies set to enforced except in lab environments.
-Using the managed installer option with WDAC policies set to audit only may result in unexpected behavior if the policy is subsequently changed to enforced mode.
+- Although WDAC policies can be deployed in both audit and enforced mode, the managed installer option is currently only recommended for use with policies set to enforced except in lab environments.
+Using the managed installer option with WDAC policies set to audit only may result in unexpected behavior if the policy is subsequently changed to enforced mode.
- Modern apps deployed through a managed installer will not be tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy.
-- Executables that extract files and then attempt to execute may not be allowed by the managed installer heuristic.
-In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer.
+- Executables that extract files and then attempt to execute may not be allowed by the managed installer heuristic.
+In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer.
Proper review for functionality and security should be performed for the application before using this method.
-- The managed installer heuristic does not authorize drivers.
+- The managed installer heuristic does not authorize drivers.
The WDAC policy must have rules that allow the necessary drivers to run.
-- In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies.
-Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted.
-Review for functionality and performance for the related applications using the native images maybe necessary in some cases.
+- In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies.
+Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted.
+Review for functionality and performance for the related applications using the native images maybe necessary in some cases.
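Review bot: two wording errors in the native-image bullet of this hunk. "maybe necessary in some cases" should be "may be necessary in some cases", and "the corresponding assembly being re-interpreted" misstates the fallback: when a blocked native image (NGEN output) cannot load, the CLR JIT-compiles the assembly's IL instead, so "being JIT-compiled instead" is the accurate phrasing and is also the reason the performance review the bullet asks for is warranted. Since the hunk is already re-adding these lines unchanged, fix them here rather than carrying the typo forward.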
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
new file mode 100644
index 0000000000..7a955f8700
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
@@ -0,0 +1,86 @@
+---
+title: WDAC and AppLocker Overview
+description: Compare Windows application control technologies.
+keywords: whitelisting, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: denisebmsft
+ms.reviewer: isbrahm
+ms.author: deniseb
+manager: dansimp
+ms.date: 04/15/2020
+ms.custom: asr
+---
+
+# Windows Defender Application Control and AppLocker Overview
+
+**Applies to:**
+
+- Windows 10
+- Windows Server 2016 and above
+
+Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker.
+
+## Windows Defender Application Control
+
+WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
+
+> [!NOTE]
+> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies.
+
+WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
+
+- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
+- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
+- The reputation of the app as determined by Microsoft's Intelligent Security Graph;
+- The identity of the process that initiated the installation of the app and its binaries (managed installer);
+- The path from which the app or file is launched (beginning with Windows 10 version 1903);
+- The process that launched the app or binary.
+
+### WDAC System Requirements
+
+WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
+WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
+
+## AppLocker
+
+AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and helps end users avoid running unapproved software on their computers.
+
+AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on:
+
+- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
+- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
+- The path from which the app or file is launched (beginning with Windows 10 version 1903).
+
+### AppLocker System Requirements
+
+AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
+AppLocker policies can be deployed using Group Policy or MDM.
+
+## Choose when to use WDAC or AppLocker
+
+Although either AppLocker or WDAC can be used to control application execution on Windows 10 clients, the following factors can help you decide when to use each of the technologies.
+
+### WDAC is best when:
+
+- You are adopting application control primarily for security reasons.
+- Your application control policy can be applied to all users on the managed computers.
+- All of the devices you wish to manage are running Windows 10.
+
+### AppLocker is best when:
+
+- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
+- You need to apply different policies for different users or groups on a shared computer.
+- You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature.
+- You do not wish to enforce application control on application files such as DLLs or drivers.
+
+## When to use both WDAC and AppLocker together
+
+AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps.
+As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
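Review bot: the AppLocker rule list in this new file carries a qualifier copied from the WDAC list that is wrong for AppLocker: "The path from which the app or file is launched (beginning with Windows 10 version 1903)". Path conditions have been part of AppLocker since it shipped, and the feature table removed later in this same patch says so itself ("Path-based rules ... Available on Windows 8+" in the AppLocker column), so drop the parenthetical from the AppLocker bullet. Smaller fixes in the same hunk: "WDAC policies apply to the managed computer as a whole and affects all users" should be "and affect all users"; "where its important to prevent some users" needs "it's"; and "All of the devices you wish to manage are running Windows 10" under "WDAC is best when" is narrower than this article's own "Applies to" list (Windows Server 2016 and above), so say "Windows 10 or Windows Server 2016 and above".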
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
index 232b40eec6..9e0b0651d1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
@@ -29,20 +29,20 @@ This topic provides a roadmap for planning and getting started on the Windows De
1. Review requirements, especially hardware requirements for VBS.
-2. Group devices by degree of control needed. Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices? Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
+2. Group devices by degree of control needed. Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices? Deployment is simpler if everything is locked down in the same way, but meeting individual departments' needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
3. Review how much variety in software and hardware is needed by roles or departments. The following questions can help you clarify how many WDAC policies to create:
- How standardized is the hardware? This can be relevant because of drivers. You could create a WDAC policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several WDAC policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment.
- - What software does each department or role need? Should they be able to install and run other departments’ software? If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management.
+ - What software does each department or role need? Should they be able to install and run other departments' software? If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management.
- Are there departments or roles where unique, restricted software is used? If one department needs to run an application that no other department is allowed, it might require a separate WDAC policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate WDAC policy.
- Is there already a list of accepted applications? A list of accepted applications can be used to help create a baseline WDAC policy. As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
- As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts?
- In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies.
+ In day-to-day operations, your organization's security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies.
Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC.
@@ -70,7 +70,7 @@ This topic provides a roadmap for planning and getting started on the Windows De
## Known issues
-This section covers known issues with WDAC and Device Guard. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error).
+This section covers known issues with WDAC. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error).
Test this configuration in your lab before enabling it in production.
### MSI Installations are blocked by WDAC
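Review bot: dropping "and Device Guard" makes the known-issues intro inconsistent with its own next sentence. The incompatibility it describes (unexpected failures, data loss, stop errors) belongs to virtualization-based protection of code integrity, which is a separate feature from WDAC policy enforcement and can be turned on without any WDAC policy. Suggest "This section covers known issues with WDAC and with virtualization-based protection of code integrity." so a reader does not attribute an HVCI stop error to a WDAC policy, or move the HVCI sentence to the hardware-requirements step referenced earlier in this file.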
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
index 36a49771c4..66a776eaf6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
@@ -44,5 +44,6 @@ Once these business factors are in place, you are ready to begin planning your W
| [Plan for WDAC policy management](plan-windows-defender-application-control-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
| [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
| [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. |
-
+| [Policy creation for common WDAC usage scenarios](types-of-devices.md) | This set of topics outlines common use case scenarios and helps you begin to develop a plan for deploying WDAC in your organization. |
+
After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.
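Review bot: the removed and re-added blank lines around the new table row differ only in trailing whitespace, so this hunk carries whitespace-only churn alongside the real change; trim it so the diff shows just the added row. The new row's description ("helps you begin to develop a plan for deploying WDAC in your organization") also overlaps the "Understand WDAC policy design decisions" row directly above it; tie it to the link's own subject (policy creation for common usage scenarios by device type) so the two rows are distinguishable in the table.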
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
index a34e52ab58..d3e82010c2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
@@ -17,11 +17,12 @@ manager: dansimp
ms.date: 03/16/2020
---
-# Windows Defender Application Control operational guide
+# Windows Defender Application Control operational guide
**Applies to**
-- Windows 10
-- Windows Server 2016
+
+- Windows 10
+- Windows Server 2016 and above
After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanted Threat Protection (MDATP) Advanced Hunting feature.
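Review bot: the context line immediately after the reworked "Applies to" list still reads "Microsoft Defender Advanted Threat Protection (MDATP)"; since this hunk already touches the surrounding lines, fix "Advanted" to "Advanced" here rather than leaving the typo in the guide's intro sentence. The heading change itself is trailing-whitespace only and is fine.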
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index 827bc6fab0..7f723913e2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -14,17 +14,16 @@ author: denisebmsft
ms.reviewer: isbrahm
ms.author: deniseb
manager: dansimp
-ms.date: 01/31/2020
+ms.date: 05/26/2020
ms.custom: asr
---
-# Application Control
+# Application Control for Windows
**Applies to:**
-- Windows 10
-- Windows Server 2016
-- Windows Server 2019
+- Windows 10
+- Windows Server 2016 and above
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks.
@@ -37,84 +36,19 @@ Application control is a crucial line of defense for protecting enterprises give
> [!NOTE]
> Although application control can significantly harden your computers against malicious code, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
-Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements:
-- **Windows Defender Application Control**; and
-- **AppLocker**
+Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements:
-## Windows Defender Application Control
+- **Windows Defender Application Control**; and
+- **AppLocker**
-Windows Defender Application Control (WDAC) was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
+## In this section
-> [!NOTE]
-> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies.
+| Article | Description |
+| --- | --- |
+| [WDAC and AppLocker Overview](wdac-and-applocker-overview.md) | This article describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
+| [WDAC and AppLocker Feature Availability](feature-availability.md) | This article lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
-WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
-- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
-- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
-- The reputation of the app as determined by Microsoft's Intelligent Security Graph;
-- The identity of the process that initiated the installation of the app and its binaries (managed installer);
-- The path from which the app or file is launched (beginning with Windows 10 version 1903);
-- The process that launched the app or binary.
-
-### WDAC System Requirements
-
-WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
-WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
-
-## AppLocker
-
-AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and helps end users avoid running unapproved software on their computers.
-
-AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on:
-- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
-- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
-- The path from which the app or file is launched (beginning with Windows 10 version 1903).
-
-### AppLocker System Requirements
-
-AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
-AppLocker policies can be deployed using Group Policy or MDM.
-
-## Choose when to use WDAC or AppLocker
-
-Although either AppLocker or WDAC can be used to control application execution on Windows 10 clients, the following factors can help you decide when to use each of the technologies.
-
-### WDAC is best when:
-
-- You are adopting application control primarily for security reasons.
-- Your application control policy can be applied to all users on the managed computers.
-- All of the devices you wish to manage are running Windows 10.
-
-### AppLocker is best when:
-
-- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
-- You need to apply different policies for different users or groups on a shared computer.
-- You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature.
-- You do not wish to enforce application control on application files such as DLLs or drivers.
-
-## When to use both WDAC and AppLocker together
-
-AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps.
-As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
-
-## WDAC and AppLocker Feature Availability
-| Capability | WDAC | AppLocker |
-|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Platform support | Available on Windows 10 | Available on Windows 8+ |
-| SKU availability | Cmdlets are available on all SKUs on 1909+ builds. For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices. Policies deployed through MDM are effective on all SKUs. |
-| Management solutions |
[Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) (limited built-in policies or custom policy deployment via OMA-URI)
[Microsoft Endpoint Manager Configuration Manager (MEMCM)](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
|
-| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
-| Kernel mode policies | Available on all Windows 10 versions | Not available |
-| Per-app rules | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) | Not available |
-| Managed Installer (MI) | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) | Not available |
-| Reputation-Based intelligence | [Available on 1709+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) | Not available |
-| Multiple policy support | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) | Not available |
-| Path-based rules | [Available on 1903+.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
-| COM object configurability | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) | Not available |
-| Packaged app rules | [Available on RS5+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) | Available on Windows 8+ |
-| Enforceable file types |
Driver files: .sys
Executable files: .exe and .com
DLLs: .dll and .ocx
Windows Installer files: .msi, .mst, and .msp
Scripts: .ps1, .vbs, and .js
Packaged apps and packaged app installers: .appx
|
Executable files: .exe and .com
[Optional] DLLs: .dll and .ocx
Windows Installer files: .msi, .mst, and .msp
Scripts: .ps1, .bat, .cmd, .vbs, and .js
Packaged apps and packaged app installers: .appx
|
-
-## See also
+## Related articles
- [WDAC design guide](windows-defender-application-control-design-guide.md)
- [WDAC deployment guide](windows-defender-application-control-deployment-guide.md)
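Review bot: both descriptions in the new "In this section" table are wrong. They are copied from the design-guide table earlier in this patch ("describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies" and "lists the design questions, possible answers, and ramifications of the decisions"), which describe the policy-management and design-decisions articles, not these two links. The Overview row should say the article compares WDAC and AppLocker and when to use each or both (the content this hunk removes from the file), and the Feature Availability row should say it holds the capability comparison (platform and SKU support, per-user rules, kernel-mode policies, managed installer, enforceable file types). Also confirm that feature-availability.md is added in this same change: the "WDAC and AppLocker Feature Availability" table removed here has no corresponding addition visible in this diff, and without it the new link dangles.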
diff --git a/windows/security/threat-protection/windows-defender-application-guard/TOC.md b/windows/security/threat-protection/windows-defender-application-guard/TOC.md
deleted file mode 100644
index 9e42b2b691..0000000000
--- a/windows/security/threat-protection/windows-defender-application-guard/TOC.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# [Windows Defender Application Guard](wd-app-guard-overview.md)
-
-## [System requirements](reqs-wd-app-guard.md)
-## [Install WDAG](install-wd-app-guard.md)
-## [Configure WDAG policies](configure-wd-app-guard.md)
-## [Test scenarios](test-scenarios-wd-app-guard.md)
-## [FAQ](faq-wd-app-guard.md)
\ No newline at end of file
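Review bot: deleting the Application Guard TOC.md removes the navigation entries for reqs-wd-app-guard.md, install-wd-app-guard.md, test-scenarios-wd-app-guard.md and faq-wd-app-guard.md without a replacement visible in this diff, and the configure-wd-app-guard.md deletion that follows removes substantive content (the network-isolation wildcard table, the per-policy option descriptions, the wdagtool.exe cleanup and RESET_PERSISTENCE_LAYER steps). Confirm these entries were moved into the parent TOC, that the deleted article's content lands in a surviving page, and that redirects exist for both deleted paths so existing links do not 404.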
diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
deleted file mode 100644
index 7826641e1f..0000000000
--- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Configure the Group Policy settings for Windows Defender Application Guard (Windows 10)
-description: Learn about the available Group Policy settings for Windows Defender Application Guard.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.date: 10/17/2017
-ms.reviewer:
-manager: dansimp
-ms.custom: asr
----
-
-# Configure Windows Defender Application Guard policy settings
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
-
-Application Guard uses both network isolation and application-specific settings.
-
-## Network isolation settings
-
-These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
-
->[!NOTE]
->You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the "Domains categorized as both work and personal" policy.
-
-
-
-|Policy name|Supported versions|Description|
-|-----------|------------------|-----------|
-|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
-|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
-|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
-
-## Network isolation settings wildcards
-
-|Value|Number of dots to the left|Meaning|
-|-----|--------------------------|-------|
-|`contoso.com`|0|Trust only the literal value of `contoso.com`.|
-|`www.contoso.com`|0|Trust only the literal value of `www.contoso.com`.|
-|`.contoso.com`|1|Trust any domain that ends with the text `contoso.com`. Matching sites include `spearphishingcontoso.com`, `contoso.com`, and `www.contoso.com`.|
-|`..contoso.com`|2|Trust all levels of the domain hierarchy that are to the left of the dot. Matching sites include `shop.contoso.com`, `us.shop.contoso.com`, `www.us.shop.contoso.com`, but NOT `contoso.com` itself.|
-
-## Application-specific settings
-These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard.
-
-|Name|Supported versions|Description|Options|
-|-----------|------------------|-----------|-------|
-|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally: -Disable the clipboard functionality completely when Virtualization Security is enabled. - Enable copying of certain content from Application Guard into Microsoft Edge. - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
-|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally: - Enable Application Guard to print into the XPS format. - Enable Application Guard to print into the PDF format. - Enable Application Guard to print to locally attached printers. - Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
-|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. **Note:** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.
**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
-|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**Note** If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. **To reset the container:** 1. Open a command-line program and navigate to `Windows/System32`. 2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data. 3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
-|Turn on Windows Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device. Available options: - Enable Windows Defender Application Guard only for Microsoft Edge - Enable Windows Defender Application Guard only for Microsoft Office - Enable Windows Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.|
-|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.
**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
-|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
-|Allow camera and microphone access in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Windows Defender Application Guard.|**Enabled.** Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.|
-|Allow Windows Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Windows Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates are not shared with Windows Defender Application Guard.|
-|Allow users to trust files that open in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.
**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Windows Defender Application Guard.|
-
-
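Review bot: this hunk deletes the Application Guard settings table outright, and with it the security guidance it carried (the warning that allowing copy from Microsoft Edge into Application Guard "can cause potential security risks", the GPU-driver and camera/microphone caveats, and the `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER` container reset procedure), yet no renamed or replacement file for this content is visible anywhere in the diff. Before merge, confirm the table lands in a successor page in the same change and that a redirect is registered for the old path; otherwise the Group Policy reference that MDM and GPO admins link to goes dark. When carrying it forward, also fix the pre-existing contradiction in the "Block enterprise websites to load non-enterprise content" row: the "Disabled or not configured" option reads "Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard", which describes the same behaviour as "Enabled"; the two options should state opposite outcomes.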
diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
deleted file mode 100644
index 11045f435f..0000000000
--- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: Enable hardware-based isolation for Microsoft Edge (Windows 10)
-description: Learn about the Windows Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.date: 02/19/2019
-ms.reviewer:
-manager: dansimp
-ms.custom: asr
----
-
-# Prepare to install Windows Defender Application Guard
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-## Review system requirements
-
-See [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard) to review the hardware and software installation requirements for Windows Defender Application Guard.
->[!NOTE]
->Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
-
-## Prepare for Windows Defender Application Guard
-Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
-
-**Standalone mode**
-
-Applies to:
-- Windows 10 Enterprise edition, version 1709 or higher
-- Windows 10 Pro edition, version 1803
-
-Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-wd-app-guard.md) testing scenario.
-
-**Enterprise-managed mode**
-
-Applies to:
-- Windows 10 Enterprise edition, version 1709 or higher
-
-You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container.
-
-The following diagram shows the flow between the host PC and the isolated container.
-
-
-## Install Application Guard
-Application Guard functionality is turned off by default. However, you can quickly install it on your employee’s devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
-
-**To install by using the Control Panel**
-1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**.
-
- 
-
-2. Select the check box next to **Windows Defender Application Guard** and then click **OK**.
-
- Application Guard and its underlying dependencies are all installed.
-
-**To install by using PowerShell**
-
->[!NOTE]
->Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only.
-
-
-1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**.
-
-2. Right-click **Windows PowerShell**, and then click **Run as administrator**.
-
- Windows PowerShell opens with administrator credentials.
-
-3. Type the following command:
-
- ```
- Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
- ```
-4. Restart the device.
-
- Application Guard and its underlying dependencies are all installed.
-
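Review bot: removing install-wd-app-guard.md drops the only place in this patch that documents the enable command and its caveat, i.e. `Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard` together with the note that PowerShell installs the feature without checking system requirements and that Application Guard is not supported on VMs or VDI. The other files in this diff are renamed in place, but no successor for this page appears, so confirm a renamed copy and a redirect exist before merging. While moving it, reconcile the edition line under "Standalone mode", which says "Windows 10 Pro edition, version 1803" without the "or higher" that the rest of the documentation uses for Pro.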
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
index d84d263388..cb2c999276 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -34,7 +34,7 @@ You can add information about your organization in a contact card to the Windows

-This information will also be shown in some enterprise-specific notifications (including those for the [Block at first sight feature](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus).
+This information will also be shown in some enterprise-specific notifications (including those for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).

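Review bot: the two rewritten links point at `/windows/threat-protection/microsoft-defender-antivirus/...`, but this diff only renames link targets; no files moving into a `microsoft-defender-antivirus` directory are visible, so these root-relative paths will 404 unless redirects from the old `windows-defender-antivirus` paths are in place. The path also omits the `security/` segment that the absolute links elsewhere in this patch use (`https://docs.microsoft.com/windows/security/threat-protection/...`); settle on one canonical form so the links do not depend on a redirect chain.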
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
index 27bf7e7c31..c215717a36 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
@@ -36,7 +36,7 @@ In some cases, it may not be appropriate to show these notifications, for exampl
There are two levels to hiding notifications:
-1. Hide non-critical notifications, such as regular updates about the number of scans Windows Defender Antivirus ran in the past week
+1. Hide non-critical notifications, such as regular updates about the number of scans Microsoft Defender Antivirus ran in the past week
2. Hide all notifications
If you set **Hide all notifications** to **Enabled**, changing the **Hide non-critical notifications** setting will have no effect.
@@ -111,35 +111,35 @@ This can only be done in Group Policy.
| Restricted access customized | _Company_ has caused Windows Defender to limit actions on this device. Some apps may not function as expected. Contact IT help desk. | SENSE_PROCESS_RESTRICTION_CUSTOM (body) | Yes |
| HVCI, driver compat check fails (upon trying to enable) | There may be an incompatibility on your device. | HVCI_ENABLE_FAILURE | Yes |
| HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes |
-| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Windows Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |
-| Remediation failure | Windows Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes |
-| Follow-up action (restart & scan) | Windows Defender Antivirus found _threat_ in _file name_. Please restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |
-| Follow-up action (restart) | Windows Defender Antivirus found _threat_ in _file_. Please restart your device. | WDAV_REBOOT | Yes |
-| Follow-up action (Full scan) | Windows Defender Antivirus found _threat_ in _file_. Please run a full scan of your device. | FULLSCAN_REQUIRED | Yes |
-| Sample submission prompt | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Windows Defender Antivirus helps protect your device. | SAMPLE_SUBMISSION_REQUIRED | Yes |
-| OS support ending warning | Support for your version of Windows is ending. When this support ends, Windows Defender Antivirus won’t be supported, and your device might be at risk. | SUPPORT_ENDING | Yes |
-| OS support ended, device at risk | Support for your version of Windows has ended. Windows Defender Antivirus is no longer supported, and your device might be at risk. | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes |
-| Summary notification, items found | Windows Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times. | RECAP_FOUND_THREATS_SCANNED | No |
-| Summary notification, items found, no scan count | Windows Defender Antivirus successfully took action on _n_ threats since your last summary. | RECAP_FOUND_THREATS | No |
-| Summary notification, **no** items found, scans performed | Windows Defender Antivirus did not find any threats since your last summary. Your device was scanned _n_ times. | RECAP_NO THREATS_SCANNED | No |
-| Summary notification, **no** items found, no scans | Windows Defender Antivirus did not find any threats since your last summary. | RECAP_NO_THREATS | No |
-| Scan finished, manual, threats found | Windows Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |
-| Scan finished, manual, **no** threats found | Windows Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No |
-| Threat found | Windows Defender Antivirus found threats. Get details. | CRITICAL | No |
-| LPS on notification | Windows Defender Antivirus is periodically scanning your device. You’re also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |
+| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |
+| Remediation failure | Microsoft Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes |
+| Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Please restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |
+| Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Please restart your device. | WDAV_REBOOT | Yes |
+| Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Please run a full scan of your device. | FULLSCAN_REQUIRED | Yes |
+| Sample submission prompt | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Microsoft Defender Antivirus helps protect your device. | SAMPLE_SUBMISSION_REQUIRED | Yes |
+| OS support ending warning | Support for your version of Windows is ending. When this support ends, Microsoft Defender Antivirus won’t be supported, and your device might be at risk. | SUPPORT_ENDING | Yes |
+| OS support ended, device at risk | Support for your version of Windows has ended. Microsoft Defender Antivirus is no longer supported, and your device might be at risk. | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes |
+| Summary notification, items found | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times. | RECAP_FOUND_THREATS_SCANNED | No |
+| Summary notification, items found, no scan count | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. | RECAP_FOUND_THREATS | No |
+| Summary notification, **no** items found, scans performed | Microsoft Defender Antivirus did not find any threats since your last summary. Your device was scanned _n_ times. | RECAP_NO THREATS_SCANNED | No |
+| Summary notification, **no** items found, no scans | Microsoft Defender Antivirus did not find any threats since your last summary. | RECAP_NO_THREATS | No |
+| Scan finished, manual, threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |
+| Scan finished, manual, **no** threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No |
+| Threat found | Microsoft Defender Antivirus found threats. Get details. | CRITICAL | No |
+| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You’re also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |
| Long running BaFS | Your IT administrator requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS | No |
| Long running BaFS customized | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No |
| Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No |
| Sense detection customized | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED_CUSTOM (body) | No |
-| Ransomware specific detection | Windows Defender Antivirus has detected threats which may include ransomware. | WDAV_RANSOMWARE_DETECTED | No |
+| Ransomware specific detection | Microsoft Defender Antivirus has detected threats which may include ransomware. | WDAV_RANSOMWARE_DETECTED | No |
| ASR (HIPS) block | Your IT administrator caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED | No |
| ASR (HIPS) block customized | _Company_ caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED_CUSTOM (body) | No |
| CFA (FolderGuard) block | Controlled folder access blocked _process_ from making changes to the folder _path_ | FOLDERGUARD_BLOCKED | No |
| Network protect (HIPS) network block customized | _Company_ caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED_CUSTOM (body) | No |
| Network protection (HIPS) network block | Your IT administrator caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED | No |
| PUA detection, not blocked | Your settings cause the detection of any app that might perform unwanted actions on your computer. | PUA_DETECTED | No |
-| PUA notification | Your IT settings caused Windows Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED | No |
-| PUA notification, customized | _Company_ caused Windows Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED_CUSTOM (body) | No |
+| PUA notification | Your IT settings caused Microsoft Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED | No |
+| PUA notification, customized | _Company_ caused Microsoft Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED_CUSTOM (body) | No |
| Network isolation ended | | | No |
| Network isolation ended, customized | | | No |
| Restricted access ended | | | No |
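Review bot: the "Notification" column in this table documents the literal strings the product displays, so changing "Windows Defender Antivirus" to "Microsoft Defender Antivirus" inside those strings is only correct if the shipped UI text changed in the same release; admins who match notification text against this table will otherwise miss. If the product strings did change, the rename is incomplete within the hunk: `SAMPLE_SUBMISSION_REQUIRED` still opens with "Review files that Windows Defender will send to Microsoft", the `SENSE_PROCESS_RESTRICTION_CUSTOM` context line still says "caused Windows Defender to limit actions", and the HIPS rows still read "Windows Defender Security Center". Separately, the identifier `RECAP_NO THREATS_SCANNED` (with a space) on the touched line looks like a typo for `RECAP_NO_THREATS_SCANNED`; worth fixing in the same pass if the real constant has the underscore.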
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
index 4c160a092a..df2646c94e 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
@@ -1,6 +1,6 @@
---
title: Virus and threat protection in the Windows Security app
-description: Use the Virus & threat protection section to see and configure Windows Defender Antivirus, Controlled folder access, and 3rd-party AV products.
+description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -24,14 +24,14 @@ manager: dansimp
- Windows 10, version 1703 and later
-The **Virus & threat protection** section contains information and settings for antivirus protection from Windows Defender Antivirus and third-party AV products.
+The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products.
In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions in the event of a ransomware attack.
IT administrators and IT pros can get more information and documentation about configuration from the following:
-- [Windows Defender Antivirus in the Windows Security app](../windows-defender-antivirus/windows-defender-security-center-antivirus.md)
-- [Windows Defender Antivirus documentation library](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in the Windows Security app](../microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md)
+- [Microsoft Defender Antivirus documentation library](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
- [Protect important folders with Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)
- [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/en-us/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/)
- [Office 365 advanced protection](https://support.office.com/en-us/article/office-365-advanced-protection-82e72640-39be-4dc7-8efd-740fb289123a)
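Review bot: the relative links on the `+` lines assume both the directory and the file names were renamed (`../microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md` and `../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md`); relative `.md` links fail build validation when the target does not exist, so this hunk depends on those file renames being in the same PR, which the diff shown here does not include. The Controlled folder access link immediately below still targets `windows-defender-exploit-guard`; confirm that name is intentionally left as is rather than missed by the rename.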
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index 56b6759416..0f263a291a 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -40,9 +40,9 @@ In Windows 10, version 1803, the app has two new areas, **Account protection** a
You can't uninstall the Windows Security app, but you can do one of the following:
-- Disable the interface on Windows Server 2016. See [Windows Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016).
+- Disable the interface on Windows Server 2016. See [Microsoft Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
- Hide all of the sections on client computers (see below).
-- Disable Windows Defender Antivirus, if needed. See [Enable and configure Windows Defender AV always-on protection and monitoring](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+- Disable Microsoft Defender Antivirus, if needed. See [Enable and configure Microsoft Defender AV always-on protection and monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus).
You can find more information about each section, including options for configuring the sections - such as hiding each of the sections - at the following topics:
@@ -77,20 +77,20 @@ You can find more information about each section, including options for configur
## How the Windows Security app works with Windows security features
> [!IMPORTANT]
-> Windows Defender AV and the Windows Security app use similarly named services for specific purposes.
+> Microsoft Defender AV and the Windows Security app use similarly named services for specific purposes.
>
> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection.
>
->These services do not affect the state of Windows Defender AV. Disabling or modifying these services will not disable Windows Defender AV, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product.
+>These services do not affect the state of Microsoft Defender AV. Disabling or modifying these services will not disable Microsoft Defender AV, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product.
>
->Windows Defender AV will be [disabled automatically when a third-party antivirus product is installed and kept up to date](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+>Microsoft Defender AV will be [disabled automatically when a third-party antivirus product is installed and kept up to date](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
>
-> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security).
+> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security).
> [!WARNING]
> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
>
-> It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
+> It may also prevent Microsoft Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
>
> This will significantly lower the protection of your device and could lead to malware infection.
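Review bot: the rewritten line "Disabling or modifying these services will not disable Microsoft Defender AV, and will lead to a lowered protection state on the endpoint" is contradictory as phrased; the intent, given the WARNING block that follows, is "but will lead to a lowered protection state", so fix the conjunction while the line is being touched. The unchanged line just above it also has "Windows Security Health Servce" (typo for "Service"), which could be corrected in this same hunk.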
@@ -103,4 +103,4 @@ Disabling any of the individual features (through Group Policy or other manageme
> [!IMPORTANT]
> Individually disabling any of the services will not disable the other services or the Windows Security app.
-For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall.
+For example, [using a third-party antivirus will disable Microsoft Defender Antivirus](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall.
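Review bot: the rewritten URL is `https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility`, without the `security/` segment used by the same file's other links earlier in this diff (`https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/...`). Align on the canonical path so the link does not rely on a redirect, and note that the example's claim that a third-party antivirus "will disable" Microsoft Defender Antivirus is only accurate when that product is kept up to date, as the IMPORTANT block above states; consider mirroring that qualifier here.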
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
deleted file mode 100644
index b9d400165d..0000000000
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Windows Defender SmartScreen overview (Windows 10)
-description: Conceptual info about Windows Defender SmartScreen.
-keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-ms.author: macapara
-audience: ITPro
-ms.localizationpriority: medium
-ms.date: 11/27/2019
-ms.reviewer:
-manager: dansimp
----
-
-# Windows Defender SmartScreen
-
-**Applies to:**
-
-- Windows 10
-- Windows 10 Mobile
-
-Windows Defender SmartScreen protects against phishing or malware websites, and the downloading of potentially malicious files.
-
-**Windows Defender SmartScreen determines whether a site is potentially malicious by:**
-
-- Analyzing visited webpages looking for indications of suspicious behavior. If Windows Defender Smartscreen determines that a page is suspicious, it will show a warning page to advise caution.
-
-- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be malicious.
-
-**Windows Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:**
-
-- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be malicious.
-
-- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Windows Defender SmartScreen shows a warning, advising caution.
-
- >[!NOTE]
- >Before Windows 10, version 1703, this feature was called _the SmartScreen filter_ when used within the browser and _Windows SmartScreen_ when used outside of the browser.
-
-## Benefits of Windows Defender SmartScreen
-
-Windows Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
-
-- **Anti-phishing and anti-malware support.** Windows Defender SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Windows Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
-
-- **Reputation-based URL and app protection.** Windows Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, your employees won't see any warnings. If however there's no reputation, the item is marked as a higher risk and presents a warning to the employee.
-
-- **Operating system integration.** Windows Defender SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
-
-- **Improved heuristics and diagnostic data.** Windows Defender SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
-
-- **Management through Group Policy and Microsoft Intune.** Windows Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md).
-
-- **Blocking URLs associated with potentially unwanted applications.** In the next major version of Microsoft Edge (based on Chromium), SmartScreen will blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md).
-
-> [!IMPORTANT]
-> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
-
-## Viewing Windows Defender SmartScreen anti-phishing events
-
-When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).
-
-## Viewing Windows event logs for Windows Defender SmartScreen
-Windows Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.
-
-Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it:
-
-```
-wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true
-```
-
-> [!NOTE]
-> For information on how to use the Event Viewer, see [Windows Event Viewer](https://docs.microsoft.com/host-integration-server/core/windows-event-viewer1).
-
-
-EventID | Description
--|-
-1000 | Application Windows Defender SmartScreen Event
-1001 | Uri Windows Defender SmartScreen Event
-1002 | User Decision Windows Defender SmartScreen Event
-
-## Related topics
-- [Windows Defender SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)
-
-- [SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)
-- [Threat protection](../index.md)
-- [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings)
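Review bot: Deleting this file removes the only place in the diff that documents how to enable the SmartScreen debug log (`wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true`) and the event IDs a defender would monitor (1000, 1001, 1002 in the table, plus Event 1035 for anti-phishing); the page is also linked from the "Related topics" list of the other deleted SmartScreen page. Confirm that this content has been moved elsewhere and that the old URL has a redirect, otherwise the change leaves a dead link and a gap in the detection guidance.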
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
deleted file mode 100644
index bdbd3df95e..0000000000
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10)
-description: Learn how employees can use Windows Security to set up Windows Defender SmartScreen. Windows Defender SmartScreen protects users from running malicious apps.
-keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-ms.localizationpriority: medium
-ms.date: 10/13/2017
-ms.reviewer:
-manager: dansimp
-ms.author: macapara
----
-
-# Set up and use Windows Defender SmartScreen on individual devices
-
-**Applies to:**
-- Windows 10, version 1703
-- Windows 10 Mobile
-
-Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files.
-
-## How employees can use Windows Security to set up Windows Defender SmartScreen
-Starting with Windows 10, version 1703 your employees can use Windows Security to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it.
-
->[!NOTE]
->If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee.
-
-**To use Windows Security to set up Windows Defender SmartScreen on a device**
-1. Open the Windows Security app, and then click **App & browser control**.
-
-2. In the **App & browser control** screen, choose from the following options:
-
- - In the **Check apps and files** area:
-
- - **Block.** Stops employees from downloading and running unrecognized apps and files from the web.
-
- - **Warn.** Warns employees that the apps and files being downloaded from the web are potentially dangerous, but allows the action to continue.
-
- - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
-
- - In the **Windows Defender SmartScreen for Microsoft Edge** area:
-
- - **Block.** Stops employees from downloading and running unrecognized apps and files from the web, while using Microsoft Edge.
-
- - **Warn.** Warns employees that sites and downloads are potentially dangerous, but allows the action to continue while running in Microsoft Edge.
-
- - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
-
- - In the **Windows Defender SmartScreen from Microsoft Store apps** area:
-
- - **Warn.** Warns employees that the sites and downloads used by Microsoft Store apps are potentially dangerous, but allows the action to continue.
-
- - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
-
- 
-
-## How Windows Defender SmartScreen works when an employee tries to run an app
-Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Windows Defender SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization.
-
-By default, your employees can bypass Windows Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended).
-
-## How employees can report websites as safe or unsafe
-You can configure Windows Defender SmartScreen to warn employees from going to a potentially dangerous site. Employees can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
-
-**To report a website as safe from the warning message**
-- On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions.
-
-**To report a website as unsafe from Microsoft Edge**
-- If a site seems potentially dangerous, employees can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**.
-
-**To report a website as unsafe from Internet Explorer 11**
-- If a site seems potentially dangerous, employees can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**.
-
-## Related topics
-- [Threat protection](../index.md)
-
-- [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
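Review bot: The deleted page referenced an image (`images/windows-security-app-and-browser.png`) and carried the Block/Warn/Off guidance for "Check apps and files", which is the setting that decides whether unrecognized downloads are blocked or only warned about; nothing in this diff removes the image or relocates that guidance. Check whether the asset is now orphaned and whether the setting descriptions and the "Report unsafe site" procedures for Edge and IE11 are documented elsewhere.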
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index f46696402c..c141b00025 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -59,9 +59,6 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** >

-> [!IMPORTANT]
-> If System Guard is enabled with a registry key, standard hardware security is not available for the Intel i5 7200U processor.
-
## How to verify System Guard Secure Launch is configured and running
To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.
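Review bot: Removing the IMPORTANT note about standard hardware security being unavailable on the Intel i5 7200U when System Guard is enabled via registry key drops a hardware-specific limitation with no replacement text and no explanation in the commit message. If the limitation no longer applies, say so; if it still applies, keep the note, because a reader enabling Secure Launch by registry on that CPU would otherwise not understand why the verification step in the following section reports differently.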
diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
index 2ddbd8ddd4..f8bce090ea 100644
--- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
@@ -1,6 +1,6 @@
---
title: Basic Firewall Policy Design (Windows 10)
-description: Basic Firewall Policy Design
+description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design.
ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
index 1be717ce49..71775ab476 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
@@ -1,6 +1,6 @@
---
title: Certificate-based Isolation Policy Design (Windows 10)
-description: Certificate-based Isolation Policy Design
+description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design.
ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862
ms.reviewer:
ms.author: dansimp
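Review bot: Typo in the new description: "how it defers from" should read "how it differs from".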
diff --git a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
index 11af4131b4..d953de0a48 100644
--- a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
+++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
@@ -1,6 +1,6 @@
---
title: Change Rules from Request to Require Mode (Windows 10)
-description: Change Rules from Request to Require Mode
+description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices.
ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
index fa8377de0d..8d1a5f6710 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
@@ -1,6 +1,6 @@
---
title: Checklist Configuring Basic Firewall Settings (Windows 10)
-description: Checklist Configuring Basic Firewall Settings
+description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall.
ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9
ms.reviewer:
ms.author: dansimp
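Review bot: The final clause of the new description, "record log files and more of the necessary function for Firewall", is ungrammatical; suggest "record log files, and perform other basic firewall functions".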
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
index 6d74ea9356..2fec691406 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
@@ -1,6 +1,6 @@
---
title: Checklist Implementing a Basic Firewall Policy Design (Windows 10)
-description: Checklist Implementing a Basic Firewall Policy Design
+description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation.
ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
index 2c12d1140a..38155aa557 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
@@ -1,6 +1,6 @@
---
title: Create an Authentication Request Rule (Windows 10)
-description: Create an Authentication Request Rule
+description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate.
ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359
ms.reviewer:
ms.author: dansimp
@@ -19,7 +19,7 @@ ms.date: 08/17/2017
# Create an Authentication Request Rule
-**Applies to**
+**Applies to:**
- Windows 10
- Windows Server 2016
@@ -27,9 +27,9 @@ After you have configured IPsec algorithms and authentication methods, you can c
**Administrative credentials**
-To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
+To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the (Group Policy Objects) GPOs.
-To create the authentication request rule
+To create the authentication request rule:
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
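Review bot: The acronym expansion is misplaced in "modify the (Group Policy Objects) GPOs"; write it as "modify the Group Policy Objects (GPOs)".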
@@ -39,9 +39,10 @@ To create the authentication request rule
4. On the **Requirements** page, select **Request authentication for inbound and outbound connections**.
- >**Caution:** Do not configure the rule to require inbound authentication until you have confirmed that all of your devices are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the devices to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network.
+ > [!CAUTION]
+ > Do not configure the rule to require inbound authentication until you have confirmed that all of your devices are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the devices to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network.
-5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are tried in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP).
+5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are attempted in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP).
1. **Default**. Selecting this option tells the device to request authentication by using the method currently defined as the default on the device. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods](configure-authentication-methods.md) procedure.
@@ -49,7 +50,9 @@ To create the authentication request rule
3. **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows.
- 4. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
+ 4. **Advanced**. Selecting this option enables you to specify a custom combination of authentication methods required for your scenario.
+
+6. Optional: If you selected **Advanced** in the previous step, then Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
The **First authentication method** can be one of the following:
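Review bot: New step 6 has a stray capital in "then Click **Customize**", and labelling it "Optional:" is confusing because the **First authentication method** and **Second authentication method** text that follows only applies after **Advanced** is chosen; "If you selected **Advanced** in the previous step, click **Customize** ..." would be clearer. While this list is being edited, the unchanged context line for option 3 carries a pre-existing typo, "other devices than can use IKE v1" (should be "that").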
@@ -75,18 +78,19 @@ To create the authentication request rule
If you check **Second authentication is optional**, the connection can succeed even if the authentication attempt specified in this column fails.
- >**Important:** Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
+ > [!IMPORTANT]
+ > Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
-6. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**.
+7. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**.
-7. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies.
+8. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies.
- On portable devices, consider clearing the **Private** and **Public** boxes to enable the device to communicate without authentication when it is away from the domain network.
- - On devices that do not move from network to network, consider selecting all of the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule.
+ - On devices that do not move from network to network, consider selecting all the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule.
Click **Next**.
-8. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**.
+9. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**.
The new rule appears in the list of connection security rules.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
index 354ed24f32..d1211abf11 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
@@ -1,6 +1,6 @@
---
title: Create an Outbound Program or Service Rule (Windows 10)
-description: Create an Outbound Program or Service Rule
+description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules.
ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index 15c54f8ada..e7201d21c3 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -74,8 +74,8 @@ Comma separated list of local addresses covered by the rule. Valid tokens includ
- \* indicates any local address. If present, this must be the only token included.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask default is 255.255.255.255.
- A valid IPv6 address.
-- An IPv4 address range in the format of "start address - end address" with no spaces included.
-- An IPv6 address range in the format of "start address - end address" with no spaces included. Default is Any address.
+- An IPv4 address range in the format of "start address-end address" with no spaces included.
+- An IPv6 address range in the format of "start address-end address" with no spaces included. Default is Any address.
[Learn more](https://aka.ms/intunefirewalllocaladdressrule)
@@ -93,8 +93,8 @@ List of comma separated tokens specifying the remote addresses covered by the ru
- LocalSubnet indicates any local address on the local subnet.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
- A valid IPv6 address.
-- An IPv4 address range in the format of "start address - end address" with no spaces included.
-- An IPv6 address range in the format of "start address - end address" with no spaces included.
+- An IPv4 address range in the format of "start address-end address" with no spaces included.
+- An IPv6 address range in the format of "start address-end address" with no spaces included.
Default is Any address.
diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
index d67461d012..95428bb9b0 100644
--- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
+++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
@@ -1,6 +1,6 @@
---
title: Designing a Windows Defender Firewall Strategy (Windows 10)
-description: Designing a Windows Defender Firewall with Advanced Security Strategy
+description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy.
ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71
ms.reviewer:
ms.author: dansimp
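Review bot: "Answer the question in this article" should be plural ("questions"), and "Strategy" is capitalized mid-sentence; suggest "Answer the questions in this article to design an effective Windows Defender Firewall with Advanced Security strategy."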
diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md
index 5911a0bedc..f66bc68daa 100644
--- a/windows/security/threat-protection/windows-firewall/exemption-list.md
+++ b/windows/security/threat-protection/windows-firewall/exemption-list.md
@@ -1,6 +1,6 @@
---
title: Exemption List (Windows 10)
-description: Exemption List
+description: Learn the ins and outs of exemption lists on a secured network using Windows 10.
ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8
ms.reviewer:
ms.author: dansimp
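Review bot: The new description scopes the page to "a secured network using Windows 10", but the Applies-to list shown in the next hunk also names Windows Server 2016, and "ins and outs" is informal for a design-reference page; suggest "Learn which servers to add to the exemption list when you implement server and domain isolation with IPsec."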
@@ -23,7 +23,7 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
-When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devicess on the internal network, yet secured from network attacks. However, if they must remain available to all devicess on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic.
+When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic.
In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted devices cannot use IPsec to access, which would be added to the exemption list.
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
index 0c27975e1b..dc11219314 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
@@ -1,6 +1,6 @@
---
title: Gathering Info about Your Network Infrastructure (Windows 10)
-description: Gathering Information about Your Current Network Infrastructure
+description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment.
ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
index eda2c2ccc5..bc1c471475 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
@@ -1,6 +1,6 @@
---
title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows 10)
-description: GPO\_DOMISO\_IsolatedDomain\_Clients
+description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools.
ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
index bfe618f15f..de34b9c3ad 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
@@ -1,6 +1,6 @@
---
title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows 10)
-description: GPO\_DOMISO\_IsolatedDomain\_Servers
+description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools.
ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3
ms.reviewer:
ms.author: dansimp
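Review bot: The new descriptions for GPO_DOMISO_IsolatedDomain_Clients (previous file) and GPO_DOMISO_IsolatedDomain_Servers are word-for-word identical, so they give the reader no way to tell which GPO targets client devices and which targets servers; differentiate them (for example by naming the isolated domain role each GPO applies to).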
diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
index 0798ba72d5..2183c3f911 100644
--- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
@@ -1,6 +1,6 @@
---
title: Planning Isolation Groups for the Zones (Windows 10)
-description: Planning Isolation Groups for the Zones
+description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs
ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695
ms.reviewer:
ms.author: dansimp
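Review bot: The new description uses "Microsoft Firewall", a name that does not match the product name used by the rest of this set ("Windows Defender Firewall with Advanced Security"), and it lacks a terminating period. Suggest: "Learn about planning isolation groups for the zones in Windows Defender Firewall with Advanced Security, including information on universal groups and GPOs."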
@@ -25,7 +25,8 @@ ms.date: 04/19/2017
Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone.
->**Caution:** Do not add devices to your groups yet. If a device is in a group when the GPO is activated then that GPO is applied to the device. If the GPO is one that requires authentication, and the other devices have not yet received their GPOs, the device that uses the new GPO might not be able to communicate with the others.
+> [!CAUTION]
+> Do not add devices to your groups yet. If a device is in a group when the GPO is activated then that GPO is applied to the device. If the GPO is one that requires authentication, and the other devices have not yet received their GPOs, the device that uses the new GPO might not be able to communicate with the others.
Universal groups are the best option to use for GPO assignment because they apply to the whole forest and reduce the number of groups that must be managed. However, if universal groups are unavailable, you can use domain global groups instead.
diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
index e8ec3acdbe..74dacfe608 100644
--- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
@@ -1,6 +1,6 @@
---
title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows 10)
-description: Planning to Deploy Windows Defender Firewall with Advanced Security
+description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization.
ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e
ms.reviewer:
ms.author: dansimp
@@ -27,30 +27,42 @@ After you collect information about your environment and decide on a design by f
## Reviewing your Windows Defender Firewall with Advanced Security Design
-If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points:
+If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure the deployment team reviews the final design with the design team. Review the following information before starting your deployment.
-- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide:
+### Decide which devices apply to which GPO
- - [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
+The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide:
- - [Planning the GPOs](planning-the-gpos.md)
+- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
- - [Planning GPO Deployment](planning-gpo-deployment.md)
+- [Planning the GPOs](planning-the-gpos.md)
-- The communication to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list.
+- [Planning GPO Deployment](planning-gpo-deployment.md)
-- The recommendation that domain controllers are exempted from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers.
+### Configure communication between members and devices
-- The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior, so communications can continue while the authentication failures are investigated.
+Decide what communication is to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list.
-- The requirement that all devices that must communicate with each other share a common set of:
+### Exempt domain controllers from IPsec authentication requirements
- - Authentication methods
+It is recommended that domain controllers are exempt from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers.
- - Main mode key exchange algorithms
+### Configure IPsec authentication rules
- - Quick mode data integrity algorithms
+The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior. Communications can continue while the authentication failures are investigated.
- If at least one set of each does not match between two devices, then the devices cannot successfully communicate.
+### Make sure all devices can communicate with each other
+
+For all devices to communicate with each other, they must share a common set of:
+
+- Authentication methods
+
+- Main mode key exchange algorithms
+
+- Quick mode data integrity algorithms
+
+If at least one set of each does not match between two devices, then the devices cannot successfully communicate.
+
+## Deploy your Windows Firewall Design Plan
After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Defender Firewall design. For more information, see [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md).
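Review bot: Two of the new subsection bodies are sentence fragments left over from the old list-item form: under "### Decide which devices apply to which GPO", "The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO." has no main verb, and under "### Configure IPsec authentication rules", "The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed." likewise. Suggest imperative sentences to match the sibling sections, e.g. "Review the design team's strategy for how WMI and security group filters attached to the GPOs determine which devices apply to which GPO." and "Configure all IPsec authentication rules to request, not require, authentication until successful IPsec negotiation has been confirmed." Also, the new "## Deploy your Windows Firewall Design Plan" heading drops "Defender" from the product name used everywhere else on the page; "## Deploy your Windows Defender Firewall Design Plan" keeps it consistent.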
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
index b34c8d48ea..117070ef88 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
@@ -1,6 +1,6 @@
---
title: Restrict Access to Only Specified Users or Devices (Windows 10)
-description: Restrict Access to Only Specified Users or Devices
+description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security.
ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df
ms.reviewer:
ms.author: dansimp
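Review bot: In the new description, "that device" has no antecedent ("Restrict access to devices and users that are members of domain groups authorized to access that device ..."). Suggest: "Use Windows Defender Firewall with Advanced Security to restrict access to a device to users and devices that are members of authorized domain groups."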
diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
index 223595ed41..92f54d794a 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
@@ -1,6 +1,6 @@
---
title: Restrict Server Access to Members of a Group Only (Windows 10)
-description: Restrict Server Access to Members of a Group Only
+description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group.
ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index 86aa913f16..d1d4e94a38 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -23,6 +23,7 @@ Microsoft is committed to optimizing the security of its products and services.
The Security Target describes security functionality and assurance measures used to evaluate Windows.
+- [Microsoft Windows 10 (November 2019 Update)](https://download.microsoft.com/download/b/3/7/b37981cf-040a-4b02-a93c-a3d3a93986bf/Windows%2010%201909%20GP%20OS%20Security%20Target.pdf)
- [Microsoft Windows 10 (May 2019 Update)](https://download.microsoft.com/download/c/6/9/c6903621-901e-4603-b9cb-fbfe5d6aa691/Windows%2010%201903%20GP%20OS%20Security%20Target.pdf)
- [Microsoft Windows 10 (October 2018 Update)](https://download.microsoft.com/download/3/f/e/3fe6938d-2c2d-4ef1-85d5-1d42dc68ea89/Windows%2010%20version%201809%20GP%20OS%20Security%20Target.pdf)
- [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
@@ -61,6 +62,7 @@ These documents describe how to configure Windows to replicate the configuration
**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2**
+- [Microsoft Windows 10 (November 2019 Update)](https://download.microsoft.com/download/7/7/3/77303254-05fb-4009-8a39-bf5fe7484a41/Windows%2010%201909%20GP%20OS%20Administrative%20Guide.pdf)
- [Microsoft Windows 10 (May 2019 Update)](https://download.microsoft.com/download/0/b/b/0bb1c6b7-499a-458e-a5f8-e9cf972dfa8d/Windows%2010%201903%20GP%20OS%20Administrative%20Guide.pdf)
- [Microsoft Windows 10 (October 2018 Update)](https://download.microsoft.com/download/f/f/1/ff186e32-35cf-47db-98b0-91ff11763d74/Windows%2010%20version%201809%20GP%20OS%20Administrative%20Guide.pdf)
- [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
@@ -140,6 +142,7 @@ These documents describe how to configure Windows to replicate the configuration
An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team.
+- [Microsoft Windows 10 (November 2019 Update)](https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf)
- [Microsoft Windows 10 (May 2019 Update)](https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf)
- [Microsoft Windows 10 (October 2018 Update)](https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf)
- [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md
index 48bfb00d06..a0f657a331 100644
--- a/windows/security/threat-protection/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-baselines.md
@@ -1,6 +1,6 @@
---
title: Windows security baselines
-description: Learn how to use Windows security baselines in your organization. Specific to Windows 10, Windows Server, and Office 365 ProPlus.
+description: Learn how to use Windows security baselines in your organization. Specific to Windows 10, Windows Server, and Microsoft 365 Apps for enterprise.
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
@@ -21,7 +21,8 @@ ms.reviewer:
- Windows 10
- Windows Server
-- Office 365 ProPlus
+- Microsoft 365 Apps for enterprise
+- Microsoft Edge
## Using security baselines in your organization
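Review bot: The applies-to list now adds "Microsoft Edge", but the description updated in the first hunk still names only "Windows 10, Windows Server, and Microsoft 365 Apps for enterprise". Either add Microsoft Edge to the description or drop it from the list so the two agree.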
@@ -64,7 +65,7 @@ The security baselines are included in the [Security Compliance Toolkit (SCT)](s
## Community
-[](https://blogs.technet.microsoft.com/secguide/)
+[](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines)
## Related Videos
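Review bot: The updated community link has empty link text (`[](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines)`), so nothing visible renders for it. Give it a label, e.g. `[Microsoft Security Baselines community](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines)`.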
@@ -73,9 +74,9 @@ You may also be interested in this msdn channel 9 video:
## See Also
-- [Microsoft Endpoint Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager)
-- [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite)
-- [Configuration Management for Nano Server](https://blogs.technet.microsoft.com/grouppolicy/2016/05/09/configuration-management-on-servers/)
-- [Microsoft Security Guidance Blog](https://blogs.technet.microsoft.com/secguide/)
-- [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319)
-- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319)
+- [Microsoft Endpoint Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager)
+- [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite)
+- [Configuration Management for Nano Server](https://docs.microsoft.com/archive/blogs/grouppolicy/configuration-management-on-servers/)
+- [Microsoft Security Guidance Blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines)
+- [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319)
+- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319)
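Review bot: Two "See Also" entries point at the same URL: "Microsoft Security Compliance Toolkit Download" and "Microsoft Download Center" both link to https://www.microsoft.com/download/details.aspx?id=55319. Since this hunk only touches whitespace on these lines, it is a good moment to drop the duplicate "Microsoft Download Center" entry or point it at the download center home page.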
diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md
index a043492918..edb6146667 100644
--- a/windows/whats-new/TOC.md
+++ b/windows/whats-new/TOC.md
@@ -1,4 +1,5 @@
# [What's new in Windows 10](index.md)
+## [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md)
## [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md)
## [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md)
## [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md)
diff --git a/windows/whats-new/get-started-with-1709.md b/windows/whats-new/get-started-with-1709.md
index b7879030be..2b22a606de 100644
--- a/windows/whats-new/get-started-with-1709.md
+++ b/windows/whats-new/get-started-with-1709.md
@@ -1,6 +1,6 @@
---
title: Get started with Windows 10, version 1709
-description: All the information to get you started with Windows 10, version 1709.
+description: Learn the dos and don'ts for getting started with Windows 10, version 1709.
keywords: ["get started", "windows 10", "fall creators update", "1709"]
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/whats-new/images/system-guard2.png b/windows/whats-new/images/system-guard2.png
new file mode 100644
index 0000000000..5505ffa78c
Binary files /dev/null and b/windows/whats-new/images/system-guard2.png differ
diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md
index b7051cfee0..f8674a3abf 100644
--- a/windows/whats-new/index.md
+++ b/windows/whats-new/index.md
@@ -18,6 +18,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec
## In this section
+- [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md)
- [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md)
- [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md)
- [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md)
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index 727cc608be..37619d2d6f 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -117,12 +117,12 @@ Windows Information Protection (WIP) helps to protect against this potential dat
Several new features and management options have been added to Windows Defender in this version of Windows 10.
-- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
-- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans.
-- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
-- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal.
-- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus).
-- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times.
+- [Windows Defender Offline in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
+- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans.
+- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
+- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal.
+- [Run a Windows Defender scan from the command line](/windows/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus).
+- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times.
### Windows Defender Advanced Threat Protection (ATP)
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index d409feafd2..8c41f40e80 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -72,25 +72,25 @@ But these protections can also be configured separately. And, unlike HVCI, code
### Endpoint detection and response
-Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal.
+Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal.
- Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus).
+ Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
- We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). The new library includes information on:
-- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus)
-- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus)
-- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus)
-- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features)
-- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus)
+ We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). The new library includes information on:
+- [Deploying and enabling AV protection](/windows/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus)
+- [Managing updates](/windows/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus)
+- [Reporting](/windows/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus)
+- [Configuring features](/windows/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features)
+- [Troubleshooting](/windows/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus)
- Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus).
+ Some of the highlights of the new library include [Evaluation guide for Microsoft Defender AV](/windows/threat-protection/microsoft-defender-antivirus//evaluate-microsoft-defender-antivirus) and [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus).
- New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include:
-- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
-- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus)
-- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus)
+ New features for Microsoft Defender AV in Windows 10 Enterprise 2019 LTSC include:
+- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus)
+- [The ability to specify the level of cloud-protection](/windows/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus)
+- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-security-center-antivirus)
- We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+ We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus).
**Endpoint detection and response** is also enhanced. New **detection** capabilities include:
- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
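Review bot: The "Evaluation guide for Microsoft Defender AV" link still carries a doubled slash in its path (`/windows/threat-protection/microsoft-defender-antivirus//evaluate-microsoft-defender-antivirus`), inherited from the removed line; while rewriting the path, change it to `/windows/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus`. Same paragraph: "cloud based protection" should be hyphenated as "cloud-based protection".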
@@ -226,9 +226,9 @@ An issue, known as “SMBLoris�?, which could result in denial of service, has
Windows Defender Security Center is now called **Windows Security Center**.
-You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**.
+You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**.
-The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products.
+The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products.
WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
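Review bot: The rewritten line keeps "Windows Security Center(WSC)" without a space before the parenthesis; while touching this line, change it to "Windows Security Center (WSC)".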
@@ -387,7 +387,7 @@ Update Compliance is a solution built using OMS Log Analytics that provides info
For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor).
-New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor).
+New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Microsoft Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor).
### Device Health
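Review bot: The link text is updated to "Microsoft Defender Antivirus" but the same sentence still says "monitor Windows Defender protection status"; for consistency with the rename carried through this PR, consider "monitor Microsoft Defender Antivirus protection status".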
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
index e49c027a4d..6898dce476 100644
--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10, versions 1507 and 1511 (Windows 10)
-description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 (versions 1507 and 1511) and Windows 10 Mobile.
+description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511) and Windows 10 Mobile.
ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6
ms.reviewer:
ms.prod: w10
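Review bot: The new description reads "What's new in Windows 10 for Windows 10 (versions 1507 and 1511) and Windows 10 Mobile.", which repeats "Windows 10" redundantly and loses the "for IT Pros" audience that the title hunk below adds. Suggest: "What's new in Windows 10, versions 1507 and 1511, and Windows 10 Mobile for IT pros."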
@@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.topic: article
---
-# What's new in Windows 10, versions 1507 and 1511
+# What's new in Windows 10, versions 1507 and 1511 for IT Pros
Below is a list of some of the new and updated features included in the initial release of Windows 10 (version 1507) and the Windows 10 update to version 1511.
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index f27cc65739..f3e4867a56 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10, version 1607 (Windows 10)
-description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 (version 1607) and Windows 10 Mobile.
+description: What's new in Windows 10 for Windows 10 (version 1607) and Windows 10 Mobile.
keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"]
ms.prod: w10
ms.mktglfcycl: deploy
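Review bot: Same redundancy as in the 1507/1511 file: the new `description:` reads "What's new in Windows 10 for Windows 10 (version 1607)". Suggest `description: What's new in Windows 10, version 1607, and Windows 10 Mobile.`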
@@ -13,7 +13,7 @@ ms.author: greglin
ms.topic: article
---
-# What's new in Windows 10, version 1607
+# What's new in Windows 10, version 1607 for IT Pros
Below is a list of some of the new and updated features in Windows 10, version 1607 (also known as the Anniversary Update).
@@ -103,12 +103,12 @@ Windows Information Protection (WIP) helps to protect against this potential dat
### Windows Defender
Several new features and management options have been added to Windows Defender in Windows 10, version 1607.
-- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
-- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans.
-- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
-- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal.
-- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus).
-- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times.
+- [Windows Defender Offline in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
+- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans.
+- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
+- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal.
+- [Run a Windows Defender scan from the command line](/windows/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus).
+- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times.
### Windows Defender Advanced Threat Protection (ATP)
With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
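Review bot: The six `+` lines move the URL paths to `microsoft-defender-antivirus` but leave every link text as "Windows Defender", so the list now sends readers to Microsoft Defender Antivirus pages under the old name; either rename the link text to match or say in the section intro that the product was later renamed. The first item keeps the `windows-defender-offline` slug under the new folder while the other five slugs were renamed, so please confirm that page exists at that exact path. Since the section is being touched, the unchanged context line "enables enterprise customers detect, investigate, and respond" is also missing "to" before "detect".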
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 1a4c0d57c0..2f32d6a64d 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10, version 1703
-description: New and updated IT pro content about new features in Windows 10, version 1703 (also known as the Creators Updated).
+description: New and updated features in Windows 10, version 1703 (also known as the Creators Updated).
keywords: ["What's new in Windows 10", "Windows 10", "creators update"]
ms.prod: w10
ms.mktglfcycl: deploy
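Review bot: The rewritten `description:` line carries over the typo "Creators Updated"; since the line is being replaced anyway, suggest `description: New and updated features in Windows 10, version 1703 (also known as the Creators Update).`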
@@ -14,7 +14,7 @@ ms.author: greglin
ms.topic: article
---
-# What's new in Windows 10, version 1703 IT pro content
+# What's new in Windows 10, version 1703 for IT Pros
Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update).
@@ -107,7 +107,7 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
- Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed
- **Investigation**
- Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations.
+ Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations.
Other investigation enhancements include:
- [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
@@ -127,30 +127,30 @@ You can read more about ransomware mitigations and detection capability in Windo
Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/windows/mt782787).
-### Windows Defender Antivirus
-Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+### Microsoft Defender Antivirus
+Windows Defender is now called Microsoft Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
The new library includes information on:
-- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus)
-- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus)
-- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus)
-- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features)
-- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus)
+- [Deploying and enabling AV protection](/windows/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus)
+- [Managing updates](/windows/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus)
+- [Reporting](/windows/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus)
+- [Configuring features](/windows/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features)
+- [Troubleshooting](/windows/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus)
Some of the highlights of the new library include:
-- [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus)
-- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus)
+- [Evaluation guide for Microsoft Defender AV](/windows/threat-protection/microsoft-defender-antivirus//evaluate-microsoft-defender-antivirus)
+- [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus)
-New features for Windows Defender AV in Windows 10, version 1703 include:
+New features for Microsoft Defender AV in Windows 10, version 1703 include:
-- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
-- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus)
-- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus)
+- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus)
+- [The ability to specify the level of cloud-protection](/windows/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus)
+- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-security-center-antivirus)
-In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus).
-You can read more about ransomware mitigations and detection capability in Windows Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/).
+You can read more about ransomware mitigations and detection capability in Microsoft Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/).
### Device Guard and Credential Guard
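Review bot: The `+` evaluation-guide link keeps a double slash in its path (`/microsoft-defender-antivirus//evaluate-microsoft-defender-antivirus`); every link in this hunk is being rewritten, so drop the extra slash here. The rewritten sentence "Windows Defender is now called Microsoft Defender Antivirus" also changes what the 1703 page states historically: the `-` line described the rename to Windows Defender Antivirus, which is what happened in that release, so consider keeping the original wording (or adding "and later Microsoft Defender Antivirus") and updating only the link targets. The unchanged whitepaper link still uses `http://`; worth switching to `https://` while here.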
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index ef9b4541f0..468c6ddce9 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10, version 1709
-description: New and updated IT Pro content about new features in Windows 10, version 1709 (also known as the Fall Creators Update).
+description: New and updated features in Windows 10, version 1709 (also known as the Fall Creators Update).
keywords: ["What's new in Windows 10", "Windows 10", "Fall Creators Update"]
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.topic: article
---
-# What's new in Windows 10, version 1709 IT Pro content
+# What's new in Windows 10, version 1709 for IT Pros
**Applies to**
- Windows 10, version 1709
@@ -95,7 +95,8 @@ Windows Defender Application Guard hardens a favorite attacker entry-point by is
### Window Defender Exploit Guard
-Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection), [Attack surface reduction protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction), [Controlled folder access](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/controlled-folder-access), and [Network protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/network-protection).
+Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection), [Attack surface reduction protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction), [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access), and [Network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).
+
### Windows Defender Device Guard
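Review bot: In the `+` line, two of the four rewritten links point at `evaluate-...` pages (attack surface reduction, controlled folder access) while the other two point at `enable-...` pages; the `-` line linked all four to feature overviews, so the attack surface reduction and controlled folder access links should target the matching overview or enable pages for consistency. The heading and the `+` line both keep "Window Defender Exploit Guard" (missing "s"); fix it while the line is touched. The added empty `+` line at the end of the hunk is a stray whitespace-only change.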
@@ -129,7 +130,7 @@ Upgrade Readiness provides insights into application and driver compatibility is
### Update Compliance
-New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor).
+New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Microsoft Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor).
### Device Health
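Review bot: The `+` line renames only the link text; the sentence still says "monitor Windows Defender protection status". Suggest "monitor Microsoft Defender Antivirus protection status" so the paragraph uses one product name.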
@@ -149,3 +150,7 @@ Several network stack enhancements are available in this release. Some of these
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
[What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709.
+[Threat protection on Windows 10](https://docs.microsoft.com/windows/security/threat-protection/):Detects advanced attacks and data breaches, automates security incidents and improves security posture.
+
+
+
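Review bot: The added "Threat protection on Windows 10" entry is missing the space after the colon (`):Detects`), unlike the three entries above it, which use `): `. The three trailing empty `+` lines add only whitespace at the end of the file and should be dropped.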
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index 051d5d4b6e..93bcfb411b 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10, version 1803
-description: New and updated IT Pro content about new features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update).
+description: New and updated features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update).
keywords: ["What's new in Windows 10", "Windows 10", "April 2018 Update"]
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.topic: article
---
-# What's new in Windows 10, version 1803 IT Pro content
+# What's new in Windows 10, version 1803 for IT Pros
**Applies to**
- Windows 10, version 1803
@@ -171,9 +171,9 @@ In the Feedback and Settings page under Privacy Settings you can now delete the
The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published.
-### Windows Defender Antivirus
+### Microsoft Defender Antivirus
-Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus).
+Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
### Windows Defender Exploit Guard
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index e5ab713e82..ba0090d559 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -107,9 +107,9 @@ See the following example:
Windows Defender Security Center is now called **Windows Security Center**.
-You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**.
+You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**.
-The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products.
+The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products.
WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
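Review bot: The rewritten `+` line keeps "Windows Security Center(WSC)" with no space before the parenthesis; since the line is already being changed, make it "Windows Security Center (WSC)".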
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index f13c8d694c..aed8001e95 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10, version 1903
-description: New and updated IT Pro content about new features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update).
+description: New and updated features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update).
keywords: ["What's new in Windows 10", "Windows 10", "May 2019 Update"]
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.topic: article
---
-# What's new in Windows 10, version 1903 IT Pro content
+# What's new in Windows 10, version 1903 for IT Pros
**Applies to**
- Windows 10, version 1903
@@ -53,7 +53,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update
## Servicing
-- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
+- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
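Review bot: The `+` Delivery Optimization line keeps the phrase "is enabled with of [new policies]"; drop "of" while rewriting it. The product rename to "Microsoft 365 Apps for enterprise" matches the same rename in the 1909 hunk further down, which is good.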
@@ -83,7 +83,7 @@ The draft release of the [security configuration baseline settings](https://blog
### Microsoft Defender Advanced Threat Protection (ATP):
- [Attack surface area reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses.
-- [Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
+- [Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
- Tamper-proofing capabilities – Uses virtualization-based security to isolate critical ATP security capabilities away from the OS and attackers.
- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Windows Defender ATP’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
@@ -138,7 +138,7 @@ This new feature is displayed under the Device Security page with the string “
- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes.
- [Windows Security app](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations.
-- [Tamper Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features.
+- [Tamper Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features.
## Microsoft Edge
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 89e6ad37a5..27fc2277eb 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10, version 1909
-description: New and updated IT Pro content about new features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update).
+description: New and updated features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update).
keywords: ["What's new in Windows 10", "Windows 10", "November 2019 Update"]
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.topic: article
---
-# What's new in Windows 10, version 1909 IT Pro content
+# What's new in Windows 10, version 1909 for IT Pros
**Applies to**
- Windows 10, version 1909
@@ -60,10 +60,6 @@ An experimental implementation of TLS 1.3 is included in Windows 10, version 190
## Virtualization
-### Containers on Windows
-
-This update includes 5 fixes to allow the host to run down-level containers on up-level for process (Argon) isolation. Previously [Containers on Windows](https://docs.microsoft.com/virtualization/windowscontainers/) required matched host and container version. This limited Windows containers from supporting mixed-version container pod scenarios.
-
### Windows Sandbox
[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature is available in Windows 10, version 1903. In Windows 10, version 1909 you have even more control over the level of isolation.
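Review bot: The hunk deletes the whole "Containers on Windows" subsection (the down-level container fixes for process isolation) with no replacement and no reason visible in this change; if the statement was inaccurate or the content moved elsewhere, state that in the PR description, otherwise keep the section and only update its link. The rest of the PR is a link and product-name rename, so an unexplained content removal stands out.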
@@ -72,13 +68,13 @@ This update includes 5 fixes to allow the host to run down-level containers on u
[Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) (WVD) is now generally available globally!
-Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Office 365 ProPlus, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, as well as an Azure tenant.
+Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, as well as an Azure tenant.
## Deployment
#### Microsoft Endpoint Manager
-Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now are [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797).
+Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797).
### Windows 10 Pro and Enterprise in S mode
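Review bot: The heading hierarchy in this hunk's context lines is inconsistent: `#### Microsoft Endpoint Manager` sits directly under `## Deployment`, while the next heading in the same section is `### Windows 10 Pro and Enterprise in S mode`; since the hunk already touches the Endpoint Manager paragraph, change the `####` to `###` so the subsection nests at the same level as its siblings. In the same line, "Nov. 4 2019" reads better as "Nov. 4, 2019". The "are now are" fix and the Office 365 ProPlus to Microsoft 365 Apps for enterprise rename look correct.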
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
new file mode 100644
index 0000000000..0740a2c4fd
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -0,0 +1,243 @@
+---
+title: What's new in Windows 10, version 2004
+description: New and updated features in Windows 10, version 2004 (also known as the Windows 10 May 2020 Update).
+keywords: ["What's new in Windows 10", "Windows 10", "May 2020 Update"]
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+manager: laurawi
+ms.localizationpriority: high
+ms.topic: article
+---
+
+# What's new in Windows 10, version 2004 for IT Pros
+
+**Applies to**
+- Windows 10, version 2004
+
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909. To download and install Windows 10, version 2004, use Windows Update (**Settings > Update & Security > Windows Update**). For more information, see this [video](https://aka.ms/Windows-10-May-2020-Update).
+
+> [!NOTE]
+> The month indicator for this release is 04 instead of 03 to avoid confusion with Windows releases in the year 2003.
+
+## Security
+
+### Windows Hello
+
+- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
+- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
+- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#windows-hello-pin-in-safe-mode-build-18995).
+- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
+
+### Windows Defender System Guard
+
+In this release, [Windows Defender System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO.
+
+With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon.
+
+ 
+
+### Windows Defender Application Guard
+
+[Windows Defender Application Guard](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020.
+
+Note: [Application Guard for Office](https://support.office.com/article/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46) is coming soon.
+
+## Deployment
+
+### Windows Setup
+
+Improvements in Windows Setup with this release include:
+- Reduced offline time during feature updates
+- Improved controls for reserved storage
+- Improved controls and diagnostics
+- New recovery options
+
+For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464).
+
+### SetupDiag
+
+In Windows 10, version 2004, SetupDiag is now automatically installed.
+
+[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues.
+
+During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there is an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup.
+
+### Windows Autopilot
+
+With this release, you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
+
+If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles.
+
+### Microsoft Endpoint Manager
+
+An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
+
+Also see [What's new in Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/whats-new).
+
+### Windows Assessment and Deployment Toolkit (ADK)
+
+Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
+
+For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
+
+### Microsoft Deployment Toolkit (MDT)
+
+MDT version 8456 supports Windows 10, version 2004, but there is currently an issue that causes MDT to incorrectly detect that UEFI is present. This issue is currently under investigation.
+
+For the latest information about MDT, see the [MDT release notes](https://docs.microsoft.com/mem/configmgr/mdt/release-notes).
+
+## Servicing
+
+### Delivery Optimization
+
+Windows PowerShell cmdlets have been improved:
+
+- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peak behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
+- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
+- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting.
+
+Additional improvements:
+- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
+- Automatic cloud-based congestion detection is available for PCs with cloud service support.
+
+The following [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) policies are removed in this release:
+
+- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
+ - Reason: Replaced with separate policies for foreground and background
+- Max Upload Bandwidth (DOMaxUploadBandwidth)
+ - Reason: impacts uploads to internet peers only, which isn't used in Enterprises.
+- Absolute max throttle (DOMaxDownloadBandwidth)
+ - Reason: separated to foreground and background
+
+### Windows Update for Business
+
+[Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include:
+- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
+- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.
+
+## Virtualization
+
+### Windows Sandbox
+
+[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature was released with Windows 10, version 1903. Windows 10, version 2004 includes bug fixes and enables even more control over configuration.
+
+[Windows Sandbox configuration](https://docs.microsoft.com/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file) includes:
+- MappedFolders now supports a destination folder. Previously no destination could be specified, it was always mapped to the Sandbox desktop.
+- AudioInput/VideoInput settings now enable you to share their host microphone or webcam with the Sandbox.
+- ProtectedClient is a new security setting that runs the connection to the Sandbox with extra security settings enabled. This is disabled by default due to issues with copy & paste.
+- PrinterRedirection: You can now enable and disable host printer sharing with the Sandbox.
+- ClipboardRedirection: You can now enable and disable host clipboard sharing with the Sandbox.
+- MemoryInMB adds the ability to specify the maximum memory usage of the Sandbox.
+
+Windows Media Player is also added back to the Sandbox image in this release.
+
+Windows Sandbox also has improved accessibility in this release, including:
+- Microphone support is available.
+- Added functionality to configure the audio input device via the Windows Sandbox config file.
+- A Shift + Alt + PrintScreen key sequence that activates the ease of access dialog for enabling high contrast mode.
+- A ctrl + alt + break key sequence that allows entering/exiting fullscreen mode.
+
+### Windows Subsystem for Linux (WSL)
+
+With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but would not shrink when no longer needed.
+
+[WSL2](https://docs.microsoft.com/windows/wsl/wsl2-index) support is has been added for ARM64 devices if your device supports virtualization.
+
+For a full list of updates to WSL, see the [WSL release notes](https://docs.microsoft.com/windows/wsl/release-notes).
+
+### Windows Virtual Desktop (WVD)
+
+Windows 10 is an integral part of WVD, and several enhancements are available in the Spring 2020 update. Check out [Windows Virtual Desktop documentation](https://aka.ms/wvdgetstarted) for the latest and greatest information, as well as the [WVD Virtual Event from March](https://aka.ms/wvdvirtualevent).
+
+## Microsoft Edge
+
+Read about plans for the new Microsoft Edge and other innovations announced at [Build 2020](https://blogs.windows.com/msedgedev/2020/05/19/microsoft-edge-news-developers-build-2020/) and [What's new at Microsoft Edge Insider](https://www.microsoftedgeinsider.com/whats-new).
+
+Also see information about the exciting new Edge browser [here](https://blogs.windows.com/windowsexperience/2020/01/15/new-year-new-browser-the-new-microsoft-edge-is-out-of-preview-and-now-available-for-download/).
+
+## Application settings
+
+This release enables explicit [control over when Windows automatically restarts apps](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC.
+
+## Windows Shell
+
+Several enhancements to the Windows 10 user interface are implemented in this release:
+
+### Cortana
+
+[Cortana](https://www.microsoft.com/cortana) has been updated and enhanced in Windows 10, version 2004:
+- Productivity: chat-based UI gives you the ability to [interact with Cortana using typed or spoken natural language queries](https://support.microsoft.com/help/4557165) to easily get information across Microsoft 365 and stay on track. Productivity focused capabilities such as finding people profiles, checking schedules, joining meetings, and adding to lists in Microsoft To Do are currently available to English speakers in the US.
+ - In the coming months, with regular app updates through the Microsoft Store, we’ll enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users.
+- Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users [get cloud-based assistance services that meet Office 365’s enterprise-level privacy, security, and compliance promises](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide) as set out in the Online Services Terms.
+- Move the Cortana window: drag the Cortana window to a more convenient location on your desktop.
+
+For updated information, see the [Microsoft 365 blog](https://aka.ms/CortanaUpdatesMay2020).
+
+### Windows Search
+
+Windows Search is improved in several ways. For more information, see [Supercharging Windows Search](https://aka.ms/AA8kllm).
+
+### Virtual Desktops
+
+You can now [rename your virtual desktops](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#renaming-your-virtual-desktops-build-18975), instead of getting stuck with the system-issued names like Desktop 1.
+
+### Bluetooth pairing
+
+Pairing Bluetooth devices with your computer will occur through notifications, so you won't need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see [Improving your Bluetooth pairing experience](https://docs.microsoft.com/windows-insider/at-home/Whats-new-wip-at-home-20h1#improving-your-bluetooth-pairing-experience-build-18985).
+
+### Reset this PC
+
+The 'reset this PC' recovery function now includes a [cloud download](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-reset-this-pc-option-cloud-download-build-18970) option.
+
+### Task Manager
+
+The following items are added to Task Manager in this release:
+- GPU Temperature is available on the Performance tab for devices with a dedicated GPU card.
+- Disk type is now [listed for each disk on the Performance tab](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#disk-type-visible-in-task-manager-performance-tab-build-18898).
+
+## Graphics & display
+
+### DirectX
+
+[New DirectX 12 features](https://devblogs.microsoft.com/directx/dev-preview-of-new-directx-12-features/) are available in this release.
+
+### 2-in-1 PCs
+
+A [new tablet experience](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for two-in-one convertible PCs is available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption.
+
+### Specialized displays
+
+With this update, devices running Windows 10 Enterprise or Windows 10 Pro for Workstations with multiple displays can be configured to prevent Windows from using a display, making it available for a specialized purpose.
+
+Examples include:
+- Fixed-function arcade & gaming such as cockpit, driving, flight, and military simulators
+- Medical imaging devices with custom panels, such as grayscale X-ray displays
+- Video walls like those displayed in Microsoft Store
+- Dedicated video monitoring
+- Monitor panel testing and validation
+- Independent Hardware Vendor (IHV) driver testing and validation
+
+To prevent Windows from using a display, choose Settings > Display and click Advanced display settings. Select a display to view or change, and then set the Remove display from desktop setting to On. The display will now be available for a specialized use.
+
+## Desktop Analytics
+
+[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
+
+For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/whats-new).
+
+## See Also
+
+[What’s new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.
+[What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.
+[What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
+[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
+[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
+[Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
+[What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses.
+[What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.
+[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
+[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
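Review bot: The "See Also" entries at the end of the hunk (from `+[What’s new for IT pros in Windows 10, version 2004]...` through `+[Windows 10 features we’re no longer developing]...`) are consecutive lines with no list markers or blank lines between them, so Markdown will render them as one run-on paragraph; make each a `- ` item, matching the list style used elsewhere in the file, or separate them with blank lines. Other things to fix before merge: in the Delivery Optimization bullets, "a real-time peak behind the scenes" should be "peek" and "Use the **-ListConnections** option to for in-depth look" drops a word; in the WSL section, "support is has been added for ARM64 devices" has a duplicated verb; in the Windows Sandbox AudioInput/VideoInput bullet, "share their host microphone" should be "your host microphone". The whitespace-only line after the System Guard paragraph (`+ `) looks like a stray non-breaking space and should be removed. The SetupDiag paragraph bolds `%SystemDrive%\$Windows.~bt\Sources` but leaves `%SystemDrive%\Windows.Old` unformatted; treat both paths the same way. The ProtectedClient bullet says the setting is off by default because of copy & paste issues but not what the "extra security settings" protect; a short sentence or a link to that setting in the Windows Sandbox configuration article already linked above would let admins weigh the tradeoff. Finally, the Specialized displays steps (`+To prevent Windows from using a display, choose Settings > Display and click Advanced display settings...`) should bold the UI path and the "Remove display from desktop" setting name, as the earlier `**Settings > Update & Security > Windows Update**` line does.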