Merge branch 'master' into onboard-offline

Joey Caparas 2019-04-19 15:33:10 -07:00
commit a6e37143aa
136 changed files with 1367 additions and 912 deletions


@ -2,46 +2,13 @@
"build_entry_point": "",
"docsets_to_publish": [
{
"docset_name": "bcs-VSTS",
"build_source_folder": "bcs",
"build_output_subfolder": "bcs-VSTS",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "education-VSTS",
"docset_name": "education",
"build_source_folder": "education",
"build_output_subfolder": "education-VSTS",
"locale": "en-us",
"monikers": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
},
{
"docset_name": "eula-vsts",
"build_source_folder": "windows/eulas",
"build_output_subfolder": "eula-vsts",
"build_output_subfolder": "education",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
@ -51,44 +18,12 @@
"template_folder": "_themes"
},
{
"docset_name": "gdpr",
"build_source_folder": "gdpr",
"build_output_subfolder": "gdpr",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "internet-explorer-VSTS",
"build_source_folder": "browsers/internet-explorer",
"build_output_subfolder": "internet-explorer-VSTS",
"locale": "en-us",
"monikers": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
},
{
"docset_name": "itpro-hololens-VSTS",
"docset_name": "hololens",
"build_source_folder": "devices/hololens",
"build_output_subfolder": "itpro-hololens-VSTS",
"build_output_subfolder": "hololens",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -96,35 +31,32 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "keep-secure-VSTS",
"docset_name": "internet-explorer",
"build_source_folder": "browsers/internet-explorer",
"build_output_subfolder": "internet-explorer",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "keep-secure",
"build_source_folder": "windows/keep-secure",
"build_output_subfolder": "keep-secure-VSTS",
"locale": "en-us",
"monikers": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
},
{
"docset_name": "known-issues",
"build_source_folder": "windows/known-issues",
"build_output_subfolder": "known-issues",
"build_output_subfolder": "keep-secure",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
@ -134,11 +66,12 @@
"template_folder": "_themes"
},
{
"docset_name": "mdop-VSTS",
"docset_name": "mdop",
"build_source_folder": "mdop",
"build_output_subfolder": "mdop-VSTS",
"build_output_subfolder": "mdop",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -146,31 +79,12 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "microsoft-edge-VSTS",
"docset_name": "microsoft-edge",
"build_source_folder": "browsers/edge",
"build_output_subfolder": "microsoft-edge-VSTS",
"locale": "en-us",
"monikers": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
},
{
"docset_name": "privacy",
"build_source_folder": "windows/privacy",
"build_output_subfolder": "privacy",
"build_output_subfolder": "microsoft-edge",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
@ -184,9 +98,9 @@
"template_folder": "_themes"
},
{
"docset_name": "security",
"build_source_folder": "windows/security",
"build_output_subfolder": "security",
"docset_name": "release-information",
"build_source_folder": "windows/release-information",
"build_output_subfolder": "release-information",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
@ -194,18 +108,18 @@
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content",
"LandingData": "Content"
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "smb-VSTS",
"docset_name": "smb",
"build_source_folder": "smb",
"build_output_subfolder": "smb-VSTS",
"build_output_subfolder": "smb",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -213,16 +127,15 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "store-for-business-VSTS",
"docset_name": "store-for-business",
"build_source_folder": "store-for-business",
"build_output_subfolder": "store-for-business-VSTS",
"build_output_subfolder": "store-for-business",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -230,33 +143,15 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "surface-hub-VSTS",
"build_source_folder": "devices/surface-hub",
"build_output_subfolder": "surface-hub-VSTS",
"locale": "en-us",
"monikers": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
},
{
"docset_name": "surface-VSTS",
"docset_name": "surface",
"build_source_folder": "devices/surface",
"build_output_subfolder": "surface-VSTS",
"build_output_subfolder": "surface",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -264,16 +159,31 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "win-access-protection-VSTS",
"docset_name": "surface-hub",
"build_source_folder": "devices/surface-hub",
"build_output_subfolder": "surface-hub",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-access-protection",
"build_source_folder": "windows/access-protection",
"build_output_subfolder": "win-access-protection-VSTS",
"build_output_subfolder": "win-access-protection",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -281,16 +191,15 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "win-app-management-VSTS",
"docset_name": "win-app-management",
"build_source_folder": "windows/application-management",
"build_output_subfolder": "win-app-management-VSTS",
"build_output_subfolder": "win-app-management",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -298,16 +207,15 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "win-client-management-VSTS",
"docset_name": "win-client-management",
"build_source_folder": "windows/client-management",
"build_output_subfolder": "win-client-management-VSTS",
"build_output_subfolder": "win-client-management",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -315,16 +223,15 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "win-configuration-VSTS",
"docset_name": "win-configuration",
"build_source_folder": "windows/configuration",
"build_output_subfolder": "win-configuration-VSTS",
"build_output_subfolder": "win-configuration",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -332,16 +239,15 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "win-development-VSTS",
"docset_name": "win-deployment",
"build_source_folder": "windows/deployment",
"build_output_subfolder": "win-development-VSTS",
"build_output_subfolder": "win-deployment",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -349,16 +255,15 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "win-device-security-VSTS",
"docset_name": "win-device-security",
"build_source_folder": "windows/device-security",
"build_output_subfolder": "win-device-security-VSTS",
"build_output_subfolder": "win-device-security",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -366,16 +271,15 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "windows-configure-VSTS",
"docset_name": "windows-configure",
"build_source_folder": "windows/configure",
"build_output_subfolder": "windows-configure-VSTS",
"build_output_subfolder": "windows-configure",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -383,16 +287,15 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "windows-deploy-VSTS",
"docset_name": "windows-deploy",
"build_source_folder": "windows/deploy",
"build_output_subfolder": "windows-deploy-VSTS",
"build_output_subfolder": "windows-deploy",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -400,16 +303,15 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "windows-hub-VSTS",
"docset_name": "windows-hub",
"build_source_folder": "windows/hub",
"build_output_subfolder": "windows-hub-VSTS",
"build_output_subfolder": "windows-hub",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -417,16 +319,31 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "windows-manage-VSTS",
"docset_name": "windows-known-issues",
"build_source_folder": "windows/known-issues",
"build_output_subfolder": "windows-known-issues",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-manage",
"build_source_folder": "windows/manage",
"build_output_subfolder": "windows-manage-VSTS",
"build_output_subfolder": "windows-manage",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -434,16 +351,15 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "windows-plan-VSTS",
"docset_name": "windows-plan",
"build_source_folder": "windows/plan",
"build_output_subfolder": "windows-plan-VSTS",
"build_output_subfolder": "windows-plan",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -451,16 +367,47 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "windows-update-VSTS",
"docset_name": "windows-privacy",
"build_source_folder": "windows/privacy",
"build_output_subfolder": "windows-privacy",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-security",
"build_source_folder": "windows/security",
"build_output_subfolder": "windows-security",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-update",
"build_source_folder": "windows/update",
"build_output_subfolder": "windows-update-VSTS",
"build_output_subfolder": "windows-update",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -468,16 +415,15 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "win-threat-protection-VSTS",
"docset_name": "win-threat-protection",
"build_source_folder": "windows/threat-protection",
"build_output_subfolder": "win-threat-protection-VSTS",
"build_output_subfolder": "win-threat-protection",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -485,16 +431,15 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
},
{
"docset_name": "win-whats-new-VSTS",
"docset_name": "win-whats-new",
"build_source_folder": "windows/whats-new",
"build_output_subfolder": "win-whats-new-VSTS",
"build_output_subfolder": "win-whats-new",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
@ -502,9 +447,7 @@
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"moniker_groups": [],
"version": 0
"template_folder": "_themes"
}
],
"notification_subscribers": [
@ -544,10 +487,6 @@
"master": [
"Publish",
"Pdf"
],
"atp-api-danm": [
"Publish",
"Pdf"
]
},
"need_generate_pdf_url_template": true,


@ -6,21 +6,6 @@
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-security-baselines.md",
"redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/security-compliance-toolkit-10.md",
"redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/get-support-for-security-baselines.md",
"redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np",
"redirect_document_id": true
@ -13959,5 +13944,10 @@
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/threat-analytics",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/manage-indicators",
"redirect_document_id": true
},
]
}
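Review bot: The last redirect entry in the final hunk closes with `},` immediately before the array's `]`, which leaves a trailing comma that a strict JSON parser rejects. The entry for `manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md` should end with `}` instead. The hunk's line counts suggest the comma may already have been there before this change, so the publishing build presumably tolerates it. Any other consumer of the file, such as a linter or a redirect or link checker, may still fail to parse it and skip every redirect in the list.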


@ -24,7 +24,8 @@
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.microsoft-edge"
"depot_name": "Win.microsoft-edge",
"folder_relative_path_in_docset": "./"
}
}
},
@ -34,4 +35,4 @@
"dest": "browsers/edge",
"markdownEngineName": "dfm"
}
}
}


@ -27,7 +27,8 @@
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.internet-explorer"
"depot_name": "Win.internet-explorer",
"folder_relative_path_in_docset": "./"
}
}
},
@ -37,4 +38,4 @@
"dest": "edges/internet-explorer",
"markdownEngineName": "dfm"
}
}
}


@ -12,6 +12,6 @@
## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
## [Install apps on HoloLens](hololens-install-apps.md)
## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
## [Restart, reset, or recover HoloLens 2](hololens-recovery.md)
## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md)
## [How HoloLens stores data for spaces](hololens-spaces.md)
## [Change history for Microsoft HoloLens documentation](change-history-hololens.md)


@ -19,7 +19,7 @@ This topic lists new and updated topics in the [Microsoft HoloLens documentation
New or changed topic | Description
--- | ---
[Restart, reset, or recover HoloLens 2](hololens-recovery.md) | New
[Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md) | New
## November 2018


@ -40,7 +40,8 @@
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.itpro-hololens"
"depot_name": "Win.itpro-hololens",
"folder_relative_path_in_docset": "./"
}
}
},


@ -1,5 +1,5 @@
---
title: Restart, reset, or recover HoloLens 2
title: Restore HoloLens 2 using Advanced Recovery Companion
description: How to use Advanced Recovery Companion to flash an image to HoloLens 2.
ms.prod: hololens
ms.sitesec: library
@ -9,7 +9,7 @@ ms.topic: article
ms.localizationpriority: medium
---
# Restart, reset, or recover HoloLens 2
# Restore HoloLens 2 using Advanced Recovery Companion
>[!TIP]
>If you're having issues with HoloLens (the first device released), see [Restart, reset, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens). Advanced Recovery Companion is only supported for HoloLens 2.
@ -49,7 +49,7 @@ To reset your HoloLens 2, go to **Settings > Update > Reset** and select **Reset
If the device is still having a problem after reset, you can use Advanced Recovery Companion to flash the device with a new image.
1. On your computer, get [Advanced Recovery Companion](need store link) from Microsoft Store.
1. On your computer, get [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from Microsoft Store.
2. Connect HoloLens 2 to your computer.
3. Start Advanced Recovery Companion.
4. On the **Welcome** page, select your device.
@ -57,4 +57,4 @@ If the device is still having a problem after reset, you can use Advanced Recove
6. Software installation will begin. Do not use the device or disconnect the cable during installation. When you see the **Installation finished** page, you can disconnect and use your device.
>[!NOTE]
>[Learn about FFU image file formats.](https://docs.microsoft.com/windows-hardware/manufacture/desktop/wim-vs-ffu-image-file-formats)
>[Learn about FFU image file formats.](https://docs.microsoft.com/windows-hardware/manufacture/desktop/wim-vs-ffu-image-file-formats)


@ -41,6 +41,7 @@
### [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md)
### [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md)
### [Using a room control system](use-room-control-system-with-surface-hub.md)
### [Implement Quality of Service on Surface Hub](surface-hub-qos.md)
### [Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md)
### [Surface Hub SSD replacement](surface-hub-ssd-replacement.md)
## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md)


@ -64,8 +64,11 @@ Surface Hubs use Azure AD join to:
- Grant admin rights to the appropriate users in your Azure AD tenant.
- Backup the device's BitLocker recovery key by storing it under the account that was used to Azure AD join the device. See [Save your BitLocker key](save-bitlocker-key-surface-hub.md) for details.
> [!IMPORTANT]
> Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
### Automatic enrollment via Azure Active Directory join
Surface Hub now supports the ability to automatically enroll in Intune by joining the device to Azure Active Directory.
For more information, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment).
### Which should I choose?


@ -22,6 +22,7 @@ New or changed topic | Description
[Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md) | New; previously available for download and on [Surface Hub Tech Spec](https://support.microsoft.com/help/4483539/surface-hub-tech-spec)
[Technical information for 84” Microsoft Surface Hub ](surface-hub-technical-84.md) | New; previously available for download and on [Surface Hub Tech Spec](https://support.microsoft.com/help/4483539/surface-hub-tech-spec)
[Surface Hub SSD replacement](surface-hub-ssd-replacement.md) | New; previously available for download only
[Implement Quality of Service on Surface Hub](surface-hub-qos.md) | New
## July 2018


@ -29,7 +29,8 @@
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.surface-hub"
"depot_name": "Win.surface-hub",
"folder_relative_path_in_docset": "./"
}
}
},
@ -39,4 +40,4 @@
"dest": "devices/surface-hub",
"markdownEngineName": "dfm"
}
}
}

Binary file not shown.

After

Width:  |  Height:  |  Size: 14 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 34 KiB


@ -0,0 +1,51 @@
---
title: Implement Quality of Service on Surface Hub
description: Learn how to configure QoS on Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
---
# Implement Quality of Service (QoS) on Surface Hub
Quality of Service (QoS) is a combination of network technologies that allows the administrators to optimize the experience of real time audio/video and application sharing communications.
Configuring [QoS for Skype for Business](https://docs.microsoft.com/windows/client-management/mdm/networkqospolicy-csp) on the Surface Hub can be done using your [mobile device management (MDM) provider](manage-settings-with-mdm-for-surface-hub.md) or through a [provisioning package](provisioning-packages-for-surface-hub.md).
This procedure explains how to configure QoS for Surface Hub using Microsoft Intune.
1. In Intune, [create a custom policy](https://docs.microsoft.com/intune/custom-settings-configure).
![Screenshot of custom policy creation dialog in Intune](images/qos-create.png)
2. In **Custom OMA-URI Settings**, select **Add**. For each setting that you add, you will enter a name, description (optional), data type, OMA-URI, and value.
![Screenshot of a blank OMA-URI setting dialog box](images/qos-setting.png)
3. Add the following custom OMA-URI settings:
Name | Data type | OMA-URI<br>./Device/Vendor/MSFT/NetworkQoSPolicy | Value
--- | --- | --- | ---
Audio Source Port | String | /HubAudio/SourcePortMatchCondition | Get the values from your Skype administrator
Audio DSCP | Integer | /HubAudio/DSCPAction | 46
Video Source Port | String | /HubVideo/SourcePortMatchCondition | Get the values from your Skype administrator
Video DSCP | Integer | /HubVideo/DSCPAction | 34
Audio Process Name | String | /HubAudio/AppPathNameMatchCondition | Microsoft.PPISkype.Windows.exe
Video Process Name | String | /HubVideo/AppPathNameMatchCondition | Microsoft.PPISkype.Windows.exe
>[!IMPORTANT]
>Each **OMA-URI** path begins with `./Device/Vendor/MSFT/NetworkQoSPolicy`. The full path for the audio source port setting, for example, will be `./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/SourcePortMatchCondition`.
4. When the policy has been created, [deploy it to the Surface Hub.](manage-settings-with-mdm-for-surface-hub.md#manage-surface-hub-settings-with-mdm)
>[!WARNING]
>Currently, you cannot configure the setting **IPProtocolMatchCondition** in the [NetworkQoSPolicy CSP](https://docs.microsoft.com/windows/client-management/mdm/networkqospolicy-csp). If this setting is configured, the policy will fail to apply.


@ -26,7 +26,8 @@
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.surface"
"depot_name": "Win.surface",
"folder_relative_path_in_docset": "./"
}
}
},
@ -36,4 +37,4 @@
"dest": "devices/surface",
"markdownEngineName": "dfm"
}
}
}


@ -26,7 +26,8 @@
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.education"
"depot_name": "Win.education",
"folder_relative_path_in_docset": "./"
}
}
},


@ -27,7 +27,8 @@
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.mdop"
"depot_name": "Win.mdop",
"folder_relative_path_in_docset": "./"
}
}
},
@ -37,4 +38,4 @@
"dest": "mdop",
"markdownEngineName": "dfm"
}
}
}


@ -36,7 +36,8 @@
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "TechNet.smb"
"depot_name": "TechNet.smb",
"folder_relative_path_in_docset": "./"
}
}
},
@ -45,4 +46,4 @@
"dest": "smb",
"markdownEngineName": "dfm"
}
}
}


@ -63,9 +63,12 @@ There are several items to download or create for offline-licensed apps. The app
**To download an offline-licensed app**
1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then choose **Apps & software**.
3. Refine results by **License type** to show apps with offline licenses.
4. Find the app you want to download, click the ellipses under **Actions**, and then choose **Download for offline use**.
2. Click **Manage**.
3. Under **Shopping Experience**, set **Show offline apps** to **On**.
4. Click **Shop for my group**. Search for the required inbox-app, select it, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory.
5. Click **Manage**. You now have access to download the appx bundle package metadata and license file.
6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.)
- **To download app metadata**: Choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. This is optional.
- **To download app package**: Click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. This is required.
- **To download an app license**: Choose either **Encoded**, or **Unencoded**, and then click **Generate license**. Save the downloaded license. This is required.


@ -43,7 +43,8 @@
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.store-for-business"
"depot_name": "MSDN.store-for-business",
"folder_relative_path_in_docset": "./"
}
}
},
@ -52,4 +53,4 @@
"dest": "store-for-business",
"markdownEngineName": "dfm"
}
}
}


@ -38,7 +38,8 @@
"ms.author": "justinha",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-access-protection"
"depot_name": "MSDN.win-access-protection",
"folder_relative_path_in_docset": "./"
}
}
},
@ -46,4 +47,4 @@
"template": [],
"dest": "win-access-protection"
}
}
}


@ -41,7 +41,8 @@
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-app-management"
"depot_name": "MSDN.win-app-management",
"folder_relative_path_in_docset": "./"
}
}
},
@ -50,4 +51,4 @@
"dest": "win-app-management",
"markdownEngineName": "dfm"
}
}
}


@ -40,7 +40,8 @@
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-client-management"
"depot_name": "MSDN.win-client-management",
"folder_relative_path_in_docset": "./"
}
}
},
@ -49,4 +50,4 @@
"dest": "win-client-management",
"markdownEngineName": "dfm"
}
}
}


@ -338,7 +338,7 @@ Delete a provider
</SyncML>
```
<a href="" id="etwlog-collectors-collectorname-providers-provderguid-tracelevel"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProvderGUID*/TraceLevel**
<a href="" id="etwlog-collectors-collectorname-providers-providerguid-tracelevel"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/TraceLevel**
Specifies the level of detail included in the trace log.
The data type is an integer.
@ -407,7 +407,7 @@ Set provider **TraceLevel**
</SyncML>
```
<a href="" id="etwlog-collectors-collectorname-providers-provderguid-keywords"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProvderGUID*/Keywords**
<a href="" id="etwlog-collectors-collectorname-providers-providerguid-keywords"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/Keywords**
Specifies the provider keywords to be used as MatchAnyKeyword for this provider.
the data type is a string.
@ -461,7 +461,7 @@ Set provider **Keywords**
</SyncML>
```
<a href="" id="etwlog-collectors-collectorname-providers-provderguid-state"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProvderGUID*/State**
<a href="" id="etwlog-collectors-collectorname-providers-providerguid-state"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/State**
Specifies if this provider is enabled in the trace session.
The data type is a boolean.


@ -76,8 +76,8 @@ The data type is string. Supported operations are Get and Replace. Starting in W
Specifies whether the proxy server should be used for local (intranet) addresses. 
Valid values:
<ul>
<li>0 (default) - Do not use proxy server for local addresses</li>
<li>1 - Use proxy server for local addresses</li>
<li>0 (default) - Use proxy server for local addresses</li>
<li>1 - Do not use proxy server for local addresses</li>
</ul>
The data type is int. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported.
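Review bot: With the swapped list, 1 now means "Do not use proxy server for local addresses", while the unchanged description above it still reads "Specifies whether the proxy server should be used for local (intranet) addresses", so a reader skimming the description will likely assume 1 turns the proxy on. A wrong guess either routes intranet traffic through the proxy or lets it bypass the proxy, so I would add a line after the list such as `With the default (0), local (intranet) traffic also goes through the proxy; set 1 to bypass it.` The context line below the list also says "Window 10", which should read "Windows 10". The node's heading is outside this hunk, so the new mapping should be checked against the CSP's actual behaviour before merging.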


@ -66,6 +66,15 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s
```
<Data></Data>
```
If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (`<![CDATA[...]]>`) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator.
> [!Note]
> `&#xF000;` is the entity encoding of 0xF000.
For example, the following syntax grants user rights to Authenticated Users and Replicator user groups:
```
<![CDATA[Authenticated Users&#xF000;Replicator]]>
```
<hr/>
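Review bot: The added example puts `&#xF000;` inside a CDATA section, where an XML parser does not expand character references, so the note calling it "the entity encoding of 0xF000" only holds if the consumer decodes the text a second time after parsing. That decoding step is not visible in this hunk; if it exists, the note should say so, for example `Inside CDATA the parser leaves &#xF000; as literal text; the policy processing then decodes it to the 0xF000 separator.` If it does not exist, the two group names would presumably be read as one string and the user right would not be granted to the intended groups. The sample should be tested on a device, and the text should name the client behaviour it relies on.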


@ -20,6 +20,7 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
New or changed topic | Description
--- | ---
[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Added information for Shell Launcher v2, coming in the next feature update to Windows 10.
[Prepare a device for kiosk configuration](kiosk-prepare.md) | Added new recommendations for policies to manage updates.
## February 2019


@ -41,7 +41,8 @@
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-configuration"
"depot_name": "MSDN.win-configuration",
"folder_relative_path_in_docset": "./"
}
}
},
@ -50,4 +51,4 @@
"dest": "win-configuration",
"markdownEngineName": "dfm"
}
}
}

Binary file not shown.

After

Width:  |  Height:  |  Size: 19 KiB


@ -8,7 +8,6 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: medium
ms.date: 09/13/2018
ms.topic: reference
---
@ -30,7 +29,7 @@ Topic | Description
[Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk.
[Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration.
[Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps.
[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface.
[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface.
[Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
[Troubleshoot kiosk mode issues](kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration.


@ -12,6 +12,9 @@ ms.topic: article
# Configure kiosks and digital signs on Windows desktop editions
>[!WARNING]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. Windows 10 offers two different locked-down experiences for public or specialized use:
| | |
@ -43,6 +46,7 @@ You can use this method | For this edition | For this kiosk account type
[Assigned access cmdlets](kiosk-single-app.md#powershell) | Pro, Ent, Edu | Local standard user
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Azure AD
[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
[Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Azure AD
<span id="classic" />
## Methods for a single-app kiosk running a Windows desktop application
@ -50,8 +54,8 @@ You can use this method | For this edition | For this kiosk account type
You can use this method | For this edition | For this kiosk account type
--- | --- | ---
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD
[Shell Launcher](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD
[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
[Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Azure AD
<span id="desktop" />
## Methods for a multi-app kiosk


@ -1,6 +1,6 @@
---
title: Use Shell Launcher to create a Windows 10 kiosk (Windows 10)
description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
description: Shell Launcher lets you change the default shell that launches when a user signs in to a device.
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
ms.prod: w10
@ -8,7 +8,6 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: medium
ms.date: 10/01/2018
ms.topic: article
---
@ -16,26 +15,36 @@ ms.topic: article
**Applies to**
>App type: Windows desktop application
>
>OS edition: Windows 10 Ent, Edu
>
>Account type: Local standard user or administrator, Active Directory, Azure AD
- Windows 10 Ent, Edu
>[!WARNING]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows 10, version 1809 and earlier, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in the next feature update to Windows 10, you can also specify a UWP app as the replacement shell.
>[!NOTE]
>Using the Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components.
>Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components.
>
>Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher. These methods include, but are not limited to:
>- [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250) - example: Prevent access to registry editing tools
>- [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies
>- [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm) - Enterprise management of device security policies
>
>You can also configure a kiosk device that runs a Windows desktop application by using the [Provision kiosk devices wizard](kiosk-single-app.md#wizard).
You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). In Windows 10, version 1803 and later, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher.
## Differences between Shell Launcher v1 and Shell Launcher v2
Shell Launcher v1 replaces `explorer.exe`, the default shell, with `eshell.exe` which can launch a Windows desktop application.
Shell Launcher v2 replaces `explorer.exe` with `customshellhost.exe`. This new executable file can launch a Windows desktop application or a UWP app.
In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers additional enhancements:
- You can use a custom Windows desktop application that can then launch UWP apps, such as **Settings** and **Touch Keyboard**.
- From a custom UWP shell, you can launch secondary views and run on multiple monitors.
- The custom shell app runs in full screen, and and can run other apps in full screen on users demand.
For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2).
## Requirements
@ -44,16 +53,15 @@ Using Shell Launcher, you can configure a kiosk device that runs a Windows deskt
>
>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell.
- A domain or local user account.
- A domain, Azure Active Directory, or local user account.
- A Windows desktop application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
- A Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603)
[See the technical reference for the shell launcher component.](https://docs.microsoft.com/windows-hardware/customize/enterprise/shell-launcher)
## Enable Shell Launcher feature
## Configure Shell Launcher
To set a Windows desktop application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell.
To set a custom shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell or MDM.
**To turn on Shell Launcher in Windows features**
@ -63,7 +71,7 @@ To set a Windows desktop application as the shell, you first turn on the Shell L
2. Select **Shell Launcher** and **OK**.
Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool.
Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or you can use the Deployment Image Servicing and Management (DISM.exe) tool.
**To turn on Shell Launcher using DISM**
@ -74,9 +82,70 @@ Alternatively, you can turn on Shell Launcher using Windows Configuration Design
Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher
```
**To set your custom shell**
Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
## Configure a custom shell in MDM
You can use XML and a [custom OMA-URI setting](#custom-oma-uri-setting) to configure Shell Launcher in MDM.
### XML for Shell Launcher configuration
The following XML sample works for **Shell Launcher v1**:
```
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration">
<Profiles>
<Profile ID="{24A7309204F3F-44CC-8375-53F13FE213F7}">
<Shell Shell="%ProgramFiles%\Internet Explorer\iexplore.exe -k www.bing.com" />
</Profile>
</Profiles>
<Configs>
<!--local account-->
<Account Name="ShellLauncherUser"/>
<Profile ID="{24A7309204F3F-44CC-8375-53F13FE213F7}"/>
</Configs>
</ShellLauncherConfiguration>
```
For **Shell Launcher v2**, you will use a different schema reference and a different app type for `Shell`, as shown in the following example.
```
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:v2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<DefaultProfile>
<Shell Shell="ShellLauncherV2DemoUwp_5d7tap497jwe8!App" v2:AppType="UWP" v2:AllAppsFullScreen="true">
<DefaultAction Action="RestartShell"/>
</Shell>
</DefaultProfile>
</Profiles>
<Configs/>
</ShellLauncherConfiguration>
```
>[!TIP]
>In the XML for Shell Launcher v2, note the **AllAppsFullScreen** attribute. When set to **True**, Shell Launcher will run every app in full screen, or maximized for desktop apps. When this attribute is set to **False** or not set, only the custom shell app runs in full screen; other apps launched by the user will run in windowed mode.
[Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2)
### Custom OMA-URI setting
In your MDM service, you can create a [custom OMA-URI setting](https://docs.microsoft.com/intune/custom-settings-windows-10) to configure Shell Launcher v1 or v2. (The [XML](#xml-for-shell-launcher-configuration) that you use for your setting will determine whether you apply Shell Launcher v1 or v2.)
The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`.
For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)` instead.
![Screenshot of custom OMA-URI settings](images/slv2-oma-uri.png)
After you configure the profile containing the custom Shell Launcher setting, select **All Devices** or selected groups of devices to apply the profile to. Don't assign the profile to users or user groups.
## Configure a custom shell using PowerShell
For scripts for Shell Launcher v2, see [Shell Launcher v2 Bridge WMI sample scripts](https://github.com/Microsoft/Windows-iotcore-samples/blob/develop/Samples/ShellLauncherV2/SampleBridgeWmiScripts/README.md).
For Shell Launcher v1, modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
```
# Check if shell launcher license is enabled
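Review bot: In the Shell Launcher v1 XML sample, the `Profile ID` value `{24A7309204F3F-44CC-8375-53F13FE213F7}` is not a well-formed GUID (the first group has 13 hex digits instead of the 8-4-4-4-12 layout), and it appears in both `<Profiles>` and `<Configs>`, so anyone pasting the sample gets an ID that may fail validation. The same sample passes `www.bing.com` to `iexplore.exe -k` without a scheme; `https://www.bing.com` would be the safer value to show for a kiosk. The new TIP describes **AllAppsFullScreen** as **True**/**False**, while the v2 sample writes `v2:AllAppsFullScreen="true"`; the text should use the lowercase form the sample uses. In the v2 enhancements list, "and and can run other apps in full screen on users demand" should read "and can run other apps in full screen on the user's demand".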


@ -171,8 +171,6 @@ Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>
[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**).
[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517).
To remove assigned access, using PowerShell, run the following cmdlet.
```


@ -39,10 +39,10 @@ New features and improvements | In update
You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
>[!TIP]
>Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
<span id="intune"/>
## Configure a kiosk in Microsoft Intune


@ -25,8 +25,6 @@ For digital signage, simply select a digital sign player as your kiosk app. You
>[!TIP]
>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
>
>Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803.


@ -32,7 +32,8 @@
"globalMetadata": {
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-deploy"
"depot_name": "MSDN.windows-deploy",
"folder_relative_path_in_docset": "./"
}
}
},
@ -40,4 +41,4 @@
"template": [],
"dest": "windows-deploy"
}
}
}


@ -42,7 +42,8 @@
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-development"
"depot_name": "MSDN.win-development",
"folder_relative_path_in_docset": "./"
}
}
},
@ -51,4 +52,4 @@
"dest": "win-development",
"markdownEngineName": "dfm"
}
}
}

Binary file not shown.

Before

Width:  |  Height:  |  Size: 223 KiB


@ -53,7 +53,7 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win
In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and verify that you are subscribed to the Windows Analytics solutions you intend to use.
Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices with a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/05/12/wheres-my-data/) on the Windows Analytics blog.
Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices within a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/You-can-now-check-on-the-status-of-your-computers-within-hours/ba-p/187213) on the Tech Community Blog.
>[!NOTE]
> If you generate the status report and get an error message saying "Sorry! Were not recognizing your Commercial Id," go to **Settings > Connected sources > Windows telemetry** remove the Upgrade Readiness solution, and then re-add it.


@ -29,7 +29,7 @@ Go to the [Azure portal](https://portal.azure.com), select **All services**, and
It's important to understand the difference between Azure Active Directory and an Azure subscription:
**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (AD) is a separate service which sits by itself and is used by all of Azure and also Office 365.
**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (Azure AD) is a separate service which sits by itself and is used by all of Azure and also Office 365.
An **Azure subscription** is a container for billing, but also acts as a security boundary. Every Azure subscription has a trust relationship with at least one Azure AD instance. This means that a subscription trusts that directory to authenticate users, services, and devices.


@ -18,14 +18,15 @@ Find the tools and resources you need to help deploy and support Windows as a se
Find the latest and greatest news on Windows 10 deployment and servicing.
**Working to make Windows updates clear and transparent**
> [!VIDEO https://www.youtube-nocookie.com/embed/u5P20y39DrA]
**Discovering the Windows 10 Update history pages**
> [!VIDEO https://www.youtube-nocookie.com/embed/GADIXBf9R58]
Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. The Windows update history page is for anyone looking to gain an immediate, precise understanding of particular Windows update issues.
The latest news:
<ul compact style="list-style: none">
<li><a href="https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency">Improving the Windows 10 update experience with control, quality and transparency</a> - April 4, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Call-to-action-review-your-Windows-Update-for-Business-deferral/ba-p/394244">Call to action: review your Windows Update for Business deferral values</a> - April 3, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540">Windows 10, version 1809 designated for broad deployment</a> - March 28, 2019</li>
<li><a href="https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience">Data, insights and listening to improve the customer experience</a> - March 6, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Getting-to-know-the-Windows-update-history-pages/ba-p/355079">Getting to know the Windows update history pages</a> - February 21, 2019</li>


@ -25,7 +25,7 @@ By default, all users are migrated. The only way to specify which users to inclu
- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone)
## <a href="" id="bkmk-migrateall"></a>To migrate all user accounts and user settings
Links to detailed explanations of commands are available in the Related Topics section.
1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window:
@ -49,7 +49,7 @@ By default, all users are migrated. The only way to specify which users to inclu
 
## <a href="" id="bkmk-migratetwo"></a>To migrate two domain accounts (User1 and User2)
Links to detailed explanations of commands are available in the Related Topics section.
1. Log on to the source computer as an administrator, and specify:
@ -62,7 +62,7 @@ By default, all users are migrated. The only way to specify which users to inclu
`loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml`
## <a href="" id="bkmk-migratemoveuserone"></a>To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain
Links to detailed explanations of commands are available in the Related Topics section.
1. Log on to the source computer as an administrator, and type the following at the command-line prompt:


@ -39,7 +39,8 @@
"ms.date": "04/05/2017",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-device-security"
"depot_name": "MSDN.win-device-security",
"folder_relative_path_in_docset": "./"
}
}
},
@ -47,4 +48,4 @@
"template": [],
"dest": "win-device-security"
}
}
}


@ -44,7 +44,8 @@
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-hub"
"depot_name": "MSDN.windows-hub",
"folder_relative_path_in_docset": "./"
}
}
},
@ -53,4 +54,4 @@
"dest": "windows-hub",
"markdownEngineName": "dfm"
}
}
}


@ -32,7 +32,8 @@
"globalMetadata": {
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.keep-secure"
"depot_name": "MSDN.keep-secure",
"folder_relative_path_in_docset": "./"
}
}
},
@ -40,4 +41,4 @@
"template": [],
"dest": "keep-secure"
}
}
}


@ -32,7 +32,8 @@
"globalMetadata": {
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-manage"
"depot_name": "MSDN.windows-manage",
"folder_relative_path_in_docset": "./"
}
}
},
@ -40,4 +41,4 @@
"template": [],
"dest": "windows-manage"
}
}
}


@ -32,7 +32,8 @@
"globalMetadata": {
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-plan"
"depot_name": "MSDN.windows-plan",
"folder_relative_path_in_docset": "./"
}
}
},
@ -40,4 +41,4 @@
"template": [],
"dest": "windows-plan"
}
}
}


@ -155,14 +155,18 @@ The following table defines the endpoints for Connected User Experiences and Tel
Windows release | Endpoint
--- | ---
Windows 10, versions 1703 and 1709 | Diagnostics data: v10.vortex-win.data.microsoft.com/collect/v1</br></br>Functional: v20.vortex-win.data.microsoft.com/collect/v1</br>Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com/collect/v1</br>settings-win.data.microsoft.com
Windows 10, version 1607 | v10.vortex-win.data.microsoft.com</br></br>settings-win.data.microsoft.com
Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed| Diagnostics data: v10c.vortex-win.data.microsoft.com</br></br>Functional: v20.vortex-win.data.microsoft.com</br>Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com</br>settings-win.data.microsoft.com
Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | Diagnostics data: v10.events.data.microsoft.com</br></br>Functional: v20.vortex-win.data.microsoft.com</br>Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com</br>settings-win.data.microsoft.com
Windows 10, version 1709 or earlier | Diagnostics data: v10.vortex-win.data.microsoft.com</br></br>Functional: v20.vortex-win.data.microsoft.com</br>Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com</br>settings-win.data.microsoft.com
Windows 7 and Windows 8.1 | vortex-win.data.microsoft.com
The following table defines the endpoints for other diagnostic data services:
| Service | Endpoint |
| - | - |
| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
| | umwatsonc.events.data.microsoft.com |
| | kmwatsonc.events.data.microsoft.com |
| | ceuswatcab01.blob.core.windows.net |
| | ceuswatcab02.blob.core.windows.net |
| | eaus2watcab01.blob.core.windows.net |
@ -170,7 +174,7 @@ The following table defines the endpoints for other diagnostic data services:
| | weus2watcab01.blob.core.windows.net |
| | weus2watcab02.blob.core.windows.net |
| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
| OneDrive app for Windows 10 | vortex.data.microsoft.com |
### Data use and access


@ -36,13 +36,19 @@
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
"feedback_system": "GitHub",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app"
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.privacy",
"folder_relative_path_in_docset": "./"
}
}
},
"fileMetadata": {},
"template": [],
"dest": "privacy",
"markdownEngineName": "markdig"
}
}
}


@ -22,13 +22,13 @@ Applies to:
- Windows 10, version 1803
- Windows 10, version 1709
Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1803 Basic level diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1809 Basic level diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
The data covered in this article is grouped into the following types:
- Common data (diagnostic header information)
- Common data extensions (diagnostic header information)
- Device, Connectivity, and Configuration data
- Product and Service Usage data
- Product and Service Performance data
@ -36,15 +36,15 @@ The data covered in this article is grouped into the following types:
- Browsing History data
- Inking, Typing, and Speech Utterance data
## Common data
## Common data extensions
Most diagnostic events contain a header of common data. In each example, the info in parentheses provides the equivalent definition for ISO/IEC 19944:2017.
**Data Use for Common data**
**Data Use for Common data extensions**
Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category.
### Data Description for Common data type
### Data Description for Common data extensions type
#### Common data type
#### Common data extensions type
Information that is added to most diagnostic events, if relevant and available:
@ -506,6 +506,6 @@ Use of the specified data categories to promote a product or service in or on a
Here are the list of data identification qualifiers and the ISO/IEC 19944:2017 reference:
- **<a name="#pseudo">Pseudonymized Data</a>** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined.
- **<a name="#anon">Anonymized Data</a>** 8.3.5 Anonymized data. Microsoft usage notes are as defined.
- **<a name="#aggregate">Aggregated Data</a>** 8.3.6 Aggregated data. Microsoft usage notes are as defined.
- **<a name="pseudo">Pseudonymized Data</a>** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined.
- **<a name="anon">Anonymized Data</a>** 8.3.5 Anonymized data. Microsoft usage notes are as defined.
- **<a name="aggregate">Aggregated Data</a>** 8.3.6 Aggregated data. Microsoft usage notes are as defined.


@ -0,0 +1,2 @@
- name: Index
href: index.md


@ -0,0 +1,3 @@
- name: Docs
tocHref: /
topicHref: /


@ -0,0 +1,47 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"breadcrumb_path": "/release-information/breadcrumb/toc.json",
"extendBreadcrumb": true,
"feedback_system": "None"
},
"fileMetadata": {},
"template": [],
"dest": "release-information",
"markdownEngineName": "markdig"
}
}


@ -0,0 +1,3 @@
# Welcome to release-information!
test


@ -38,12 +38,18 @@
"ms.topic": "article",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"ms.author": "justinha"
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"ms.author": "justinha",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.security",
"folder_relative_path_in_docset": "./"
}
}
},
"fileMetadata": {},
"template": [],
"dest": "security",
"markdownEngineName": "dfm"
}
}
}


@ -43,6 +43,14 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
To enforce processing of the group policy, you can run ```gpupdate /force```.
### Enable Windows Defender Credential Guard by using Intune
1. From **Home** click **Microsoft Intune**
2. Click **Device configuration**
3. Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**.
> [!NOTE]
> It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
### Enable Windows Defender Credential Guard by using the registry


@ -35,9 +35,9 @@ On-premises certificate-based deployments of Windows Hello for Business needs th
## Enable Windows Hello for Business Group Policy
The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business.
## Use certificate for on-premises authentication
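Review bot: The reworded paragraphs under "Enable Windows Hello for Business Group Policy" no longer say which setting wins when both the computer and the user policy are deployed; the earlier wording stated that the user policy setting has precedence. Admins who scope enrollment per user on machines that also receive a computer policy need that rule to predict who is prompted, so I would keep it by appending `If both user and computer policy settings are deployed, the user policy setting has precedence.` to the second paragraph. The option of deploying the setting to a group of users was dropped as well and could be restored in the same place. This assumes the shorter wording is the new side of the hunk, as the page prints old text before new.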


@ -187,7 +187,7 @@ Joining a device is an extension to registering a device. This means, it provide
[Return to Top](hello-how-it-works-technology.md)
## Key Trust
The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.
The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.
### Related topics
[Certificate Trust](#certificate-trust), [Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type)


@ -82,7 +82,7 @@ Organizations using older directory synchronization technology, such as DirSync
<br>
## Federation ##
Federating your on-premises Active Directory with Azure Active Directory ensures all identities have access to all resources regardless if they reside in cloud or on-premises. Windows Hello for Business hybrid certificate trust needs Windows Server 2016 Active Directory Federation Services. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.
Windows Hello for Business hybrid certificate trust requires Active Directory being federated with Azure Active Directory and needs Windows Server 2016 Active Directory Federation Services or newer. Windows Hello for Business hybrid certificate trust doesnt support Managed Azure Active Directory using Pass-through authentication or password hash sync. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.
The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
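Review bot: In the rewritten Federation paragraph, `doesnt` has lost its apostrophe (it looks like a curly quote that did not survive encoding) and should read `doesn't`. The same paragraph now accepts "Windows Server 2016 Active Directory Federation Services or newer", while the unchanged paragraph right after it still says the AD FS farm "must be Windows Server 2016" with KB4088889. One of the two should be adjusted so the supported AD FS versions and the minimum update level are stated once and consistently.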


@ -50,7 +50,7 @@ The table shows the minimum requirements for each deployment. For key trust in a
| Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**<br> *Minimum:* Windows 10, version 1703<br> *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).</br>**Azure AD Joined:**<br> Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later |
| Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema |
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level |
| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),<br> and</br>Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service |
| Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter| Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter |
@ -67,7 +67,7 @@ The table shows the minimum requirements for each deployment.
| Windows 10, version 1703 or later | Windows 10, version 1703 or later |
| Windows Server 2016 Schema | Windows Server 2016 Schema|
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
| Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) |
| AD FS with Azure MFA Server, or</br>AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or</br>AD FS with 3rd Party MFA Adapter |


@ -89,7 +89,7 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r
The Remote Desktop client device:
- Must be running at least Windows 10, version 1703 to be able to supply credentials.
- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine.
- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the users signed-in credentials. This requires the users account be able to sign in to both the client device and the remote host.
- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
@ -176,4 +176,4 @@ mstsc.exe /remoteGuard
- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own.
- The server and client must authenticate using Kerberos.
- The server and client must authenticate using Kerberos.
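Review bot: The reworded first bullet under "The Remote Desktop client device" contradicts itself: it says the supplied credentials are "sent to the remote device" and, in the next sentence, that users can run as different users "without having to send credentials to the remote machine". The summary further down the same file states "No credentials are sent to the target device", so the first clause looks like the wrong one. If the intent is that credentials entered at the client stay on the client, the bullet could read `- Must be running at least Windows 10, version 1703 to be able to supply credentials. This allows users to run as different users without having to send credentials to the remote machine.`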


@ -13,7 +13,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/02/2019
ms.date: 04/17/2019
---
# BitLocker Group Policy settings
@ -238,11 +238,11 @@ This policy setting is used to control which unlock options are available for op
 
**Reference**
If you want to use BitLocker on a computer without a TPM, select the **Allow BitLocker without a compatible TPM** check box. In this mode, a USB drive is required for startup. Key information that is used to encrypt the drive is stored on the USB drive, which creates a USB key. When the USB key is inserted, access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, you need to use one of the BitLocker recovery options to access the drive.
If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive.
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use:
On a computer with a compatible TPM, additional authentication methods can be used at startup to improve protection for encrypted data. When the computer starts, it can use:
- only the TPM for authentication
- only the TPM
- insertion of a USB flash drive containing the startup key
- the entry of a 4-digit to 20-digit personal identification number (PIN)
- a combination of the PIN and the USB flash drive
@ -392,7 +392,7 @@ This policy setting allows you to block direct memory access (DMA) for all hot p
| **Policy description** | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. |
| **Introduced** | Windows 10, version 1703 |
| **Drive type** | Operating system drives |
| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
| **Conflicts** | None |
| **When enabled** | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. |
| **When disabled or not configured** | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.|


@ -13,7 +13,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.date: 04/17/2019
---
# Prepare your organization for BitLocker: Planning and policies
@ -163,9 +163,9 @@ Full drive encryption means that the entire drive will be encrypted, regardless
## <a href="" id="bkmk-addscons"></a>Active Directory Domain Services considerations
BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting to enable backup of BitLocker recovery information:
BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting for each drive type to enable backup of BitLocker recovery information:
Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Turn on BitLocker backup to Active Directory Domain Services
Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker protected drives can be recovered.
By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](https://blogs.technet.microsoft.com/craigf/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information/).
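Review bot: The corrected policy path names "Choose how BitLocker protected drives can be recovered" but not the options inside that policy that actually cause the backup, which matters because the paragraph itself says no recovery information is backed up by default. I would add a sentence after the path such as `In each policy, select the option to save BitLocker recovery information to AD DS, and consider the option that prevents BitLocker from being enabled until the recovery information has been stored.` Without the second option a drive can end up encrypted while the backup to AD DS has not succeeded, leaving no central copy of the recovery password. The exact option labels should be checked against the Group Policy editor before publishing.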


@ -11,10 +11,10 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/11/2019
ms.date: 04/17/2019
---
# Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
# Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
**Applies to:**
@ -25,17 +25,19 @@ Microsoft Intune has an easy way to create and deploy a Windows Information Prot
## Differences between MDM and MAM for WIP
You can create an app protection policy in Intune either with device enrollment for MDM or without device enrollment for MAM. The process to create either policy is similar, but there are important differences:
- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
- MAM supports only one user per device.
- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md)
- MAM has additional **Access** settings for Windows Hello for Business
- MAM can [selectively wipe company data](https://docs.microsoft.com/intune/apps-selective-wipe) from a user's personal device
- MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses)
- An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md).
- MAM has additional **Access** settings for Windows Hello for Business.
- MAM can [selectively wipe company data](https://docs.microsoft.com/intune/apps-selective-wipe) from a user's personal device.
- MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).
- An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
## Prerequisites
Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD).
Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
## Configure the MDM or MAM provider
@ -609,70 +611,6 @@ Optionally, if you dont want everyone in your organization to be able to shar
>[!NOTE]
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic.
### Configure Windows Hello for Business for MAM
If you created a WIP policy for MAM, you can turn on Windows Hello for Business, letting your employees use it as a sign-in method for their devices.
**To turn on and configure Windows Hello for Business**
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
The **Advanced settings** blade appears.
2. Choose to turn on and configure the Windows Hello for Business settings:
![Microsoft Intune, Choose to use Windows Hello for Business](images/wip-azure-access-options.png)
- **Use Windows Hello for Business as a method for signing into Windows.** Turns on Windows Hello for Business. The options are:
- **On.** Turns on Windows Hello For Business for anyone assigned to this policy.
- **Off.** Turns off Windows Hello for Business.
- **Set the minimum number of characters required for the PIN.** Enter a numerical value (4-127 characters) for how many characters must be used to create a valid PIN. Default is 4 characters.
- **Configure the use of uppercase letters in the Windows Hello for Business PIN.** Lets you decide whether uppercase letters can be used in a valid PIN. The options are:
- **Allow the use of uppercase letters in PIN.** Lets an employee use uppercase letters in a valid PIN.
- **Require the use of at least one uppercase letter in PIN.** Requires an employee to use at least 1 uppercase letter in a valid PIN.
- **Do not allow the use of uppercase letters in PIN.** Prevents an employee from using uppercase letters in a valid PIN.
- **Configure the use of lowercase letters in the Windows Hello for Business PIN.** Lets you decide whether lowercase letters can be used in a valid PIN. The options are:
- **Allow the use of lowercase letters in PIN.** Lets an employee use lowercase letters in a valid PIN.
- **Require the use of at least one lowercase letter in PIN.** Requires an employee to use at least 1 lowercase letter in a valid PIN.
- **Do not allow the use of lowercase letters in PIN.** Prevents an employee from using lowercase letters in a valid PIN.
- **Configure the use of special characters in the Windows Hello for Business PIN.** Lets you decide whether special characters can be used in a valid PIN. The options are:
- **Allow the use of special characters in PIN.** Lets an employee use special characters in a valid PIN.
- **Require the use of at least one special character in PIN.** Requires an employee to use at least 1 special character in a valid PIN.
- **Do not allow the use of special characters in PIN.** Prevents an employee from using special characters in a valid PIN.
- **Specify the period of time (in days) that a PIN can be used before the system requires the user to change it.** Enter a numerical value (0-730 days) for how many days can pass before a PIN must be changed. If you enter a value of 0, the PIN never expires.
- **Specify the number of past PINs that can be associated to a user account that can't be reused.** Enter a numerical value (0-50 days) for how many days can pass before an employee can reuse a previous PIN. If you enter a value of 0, a PINs can be reused immediately and past PINs aren't stored.
>[!NOTE]
>PIN history is not preserved through a PIN reset.
- **Number of authentication failures allowed before the device will be wiped.** Enter a numerical value for how many times the PIN can be incorrectly entered before wiping the device of corporate data. If you enter a value of 0, the device is never wiped, regardless of the number of incorrect PIN entries.<p>This setting has different behavior for mobile devices and desktops.
- **On mobile devices.** When an employee reaches the value set here, the device is wiped of corporate data.
- **On desktop devices.** When an employee reaches the value set here, the desktop is put into BitLocker recovery mode, instead of being wiped. You must have BitLocker installed on the device or this setting is ignored.
- **Maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked.** Enter a numerical value for how many days can pass before a PIN must be changed. If you enter a value of 0, the device never becomes PIN or password locked while idle.
>[!NOTE]
>You can set this value to be anything; however, it can't be longer than the time specified by the **Settings** app. If you exceed the maximum timeout value, this setting is ignored.
## Related topics
- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)


@ -13,7 +13,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/11/2019
ms.date: 04/15/2019
---
# How Windows Information Protection (WIP) protects a file that has a sensitivity label


@ -12,7 +12,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/10/2019
ms.date: 04/05/2019
ms.localizationpriority: medium
---
@ -125,7 +125,7 @@ This table provides info about the most common problems you might encounter whil
</td>
</tr>
<tr>
<td>By design, files in the Windows directory tree (%windir% or C:\Windows) cannot be encrypted because they need to be accessed by the system even when no user is signed in. If a file in the Windows directory gets encrypted by one user, the system and other users can't access it.
<td>By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encypted by one user, other users can't access it.
</td>
<td>Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
</td>


@ -345,6 +345,10 @@
###### [Threat protection reports](windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md)
###### [Machine health and compliance reports](windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md)
##### Interoperability
###### [Partner applications](windows-defender-atp/partner-applications.md)
##### Role-based access control
###### [Manage portal access using RBAC](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md)
####### [Create and manage roles](windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md)
@ -389,7 +393,7 @@
#####Rules
###### [Manage suppression rules](windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md)
###### [Manage automation allowed/blocked lists](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
###### [Manage allowed/blocked lists](windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
###### [Manage indicators](windows-defender-atp/manage-indicators.md)
###### [Manage automation file uploads](windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
###### [Manage automation folder exclusions](windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)


@ -132,7 +132,7 @@ This event is generated only on domain controllers.
| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.<br>Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/library/cc223991.aspx).<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/library/cc223782.aspx).<br>Only evaluated on TRUST\_TYPE\_MIT |
| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section 3.3.5.7.5.<br>Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.<br>Evaluated only on Windows Server 2016<br>Evaluated only if SID Filtering is used.<br>Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |


@ -0,0 +1,101 @@
---
title: Get support
description: This article, and the articles it links to, answers frequently asked question on how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: sagaudre
author: justinha
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 06/25/2018
---
# Get Support
**What is the Microsoft Security Compliance Manager (SCM)?**
The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.
More information about this change can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/).
**Where can I get an older version of a Windows baseline?**
Any version of Windows baseline before Windows 10 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
- [SCM 4.0 Download](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
**What file formats are supported by the new SCT?**
The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. See the LGPO documentation for more information. Keep in mind that SCMs .cab files are no longer supported.
**Does SCT support Desired State Configuration (DSC) file format?**
Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features.
**Does SCT support the creation of System Center Configuration Manager (SCCM) DCM packs?**
No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement).
**Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?**
No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new toolkit likewise does not include SCAP support.
<br />
## Version Matrix
**Client Versions**
| Name | Build | Baseline Release Date | Security Tools |
|---|---|---|---|
|Windows 10 | [1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/) <p> [1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/) <p>[1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) <p>[1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/) <p>[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2017 <p>August 2017 <p>October 2016 <p>January 2016<p> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
Windows 8.1 |[9600 (April Update)](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)| October 2013| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
Windows 8 |[9200](https://technet.microsoft.com/library/jj916413.aspx) |October 2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| October 2009| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
| Vista |[6002 (SP2)](https://technet.microsoft.com/library/dd450978.aspx)| January 2007| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
| Windows XP |[2600 (SP3)](https://technet.microsoft.com/library/cc163061.aspx)| October 2001| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
<br />
**Server Versions**
| Name | Build | Baseline Release Date | Security Tools |
|---|---|---|---|
|Windows Server 2016 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
|Windows Server 2012 R2|[SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
|Windows Server 2012|[Technet](https://technet.microsoft.com/library/jj898542.aspx) |2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
Windows Server 2008 R2 |[SP1](https://technet.microsoft.com/library/gg236605.aspx)|2009 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
| Windows Server 2008 |[SP2](https://technet.microsoft.com/library/cc514539.aspx)| 2008 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
|Windows Server 2003 R2|[Technet](https://technet.microsoft.com/library/cc163140.aspx)| 2003 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
|Windows Server 2003|[Technet](https://technet.microsoft.com/library/cc163140.aspx)|2003|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
<br />
**Microsoft Products**
| Name | Details | Security Tools |
|---|---|---|
Internet Explorer 11 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
|Internet Explorer 10|[Technet](https://technet.microsoft.com/library/jj898540.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
|Internet Explorer 9|[Technet](https://technet.microsoft.com/library/hh539027.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
|Internet Explorer 8|[Technet](https://technet.microsoft.com/library/ee712766.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
|Exchange Server 2010|[Technet](https://technet.microsoft.com/library/hh913521.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
|Exchange Server 2007|[Technet](https://technet.microsoft.com/library/hh913520.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
|Microsoft Office 2010|[Technet](https://technet.microsoft.com/library/gg288965.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
|Microsoft Office 2007 SP2|[Technet](https://technet.microsoft.com/library/cc500475.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
<br />
> [!NOTE]
> Browser baselines are built-in to new OS versions starting with Windows 10
## See also
[Windows security baselines](windows-security-baselines.md)


@ -14,9 +14,13 @@ ms.localizationpriority: medium
# Threat Protection
[Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
>[!Note]
> The Windows Defender Security Center is currently going through rebranding. All references to Windows Defender will be replaced with Microsoft Defender. You will see the updates in the user interface and in the documentation library in next few months.
<center><h2>Windows Defender ATP</center></h2>
<table>
<tr>
<td><a href="#tvm"><center><img src="images/TVM_icon.png"> <br><b>Threat & Vulnerability Management</b></center></a></td>
<td><a href="#asr"><center><img src="images/ASR_icon.png"> <br><b>Attack surface reduction</b></center></a></td>
<td><center><a href="#ngp"><img src="images/NGP_icon.png"><br> <b>Next generation protection</b></a></center></td>
<td><center><a href="#edr"><img src="images/EDR_icon.png"><br> <b>Endpoint detection and response</b></a></center></td>
@ -25,15 +29,23 @@ ms.localizationpriority: medium
<td><center><a href="#mte"><img src="images/MTE_icon.png"><br> <b>Microsoft Threat Experts</b></a></center></td>
</tr>
<tr>
<td colspan="6">
<td colspan="7">
<a href="#apis"><center><b>Management and APIs</a></b></center></td>
</tr>
<tr>
<td colspan="6"><a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b></td>
<td colspan="7"><a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b></td>
</tr>
</table>
<br>
<a name="tvm"></a>
**[Threat & Vulnerability Management](windows-defender-atp/next-gen-threat-and-vuln-mgt.md)**<br>
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
- [Risk-based Threat & Vulnerability Management](windows-defender-atp/next-gen-threat-and-vuln-mgt.md)
- [What's in the dashboard and what it means for my organization](windows-defender-atp/tvm-dashboard-insights.md)
- [Configuration score](windows-defender-atp/configuration-score.md)
- [Scenarios](windows-defender-atp/threat-and-vuln-mgt-scenarios.md)
<a name="asr"></a>


@ -0,0 +1,72 @@
---
title: Microsoft Security Compliance Toolkit 1.0
description: This article describes how to use the Security Compliance Toolkit in your organization
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: sagaudre
author: justinha
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 11/26/2018
---
# Microsoft Security Compliance Toolkit 1.0
## What is the Security Compliance Toolkit (SCT)?
The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
The SCT enables administrators to effectively manage their enterprises Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
<p></p>
The Security Compliance Toolkit consists of:
- Windows 10 security baselines
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- Windows 10 Version 1709 (Fall Creators Update)
- Windows 10 Version 1703 (Creators Update)
- Windows 10 Version 1607 (Anniversary Update)
- Windows 10 Version 1511 (November Update)
- Windows 10 Version 1507
- Windows Server security baselines
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Microsoft Office security baseline
- Office 2016
- Tools
- Policy Analyzer tool
- Local Group Policy Object (LGPO) tool
You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/).
## What is the Policy Analyzer tool?
The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include:
- Highlight when a set of Group Policies has redundant settings or internal inconsistencies
- Highlight the differences between versions or sets of Group Policies
- Compare GPOs against current local policy and local registry settings
- Export results to a Microsoft Excel spreadsheet
Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/22/new-tool-policy-analyzer/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## What is the Local Group Policy Object (LGPO) tool?
LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy.
Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems.
LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files.
It can export local policy to a GPO backup.
It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).


@ -24,7 +24,7 @@ Describes the best practices, location, values, management, and security conside
## Reference
Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the users session locks by invoking the screen saver. This policy setting allows you to control the locking time by using Group Policy.
Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the users session locks by invoking the screen saver (screen saver should be active on the destination machine). This policy setting allows you to control the locking time by using Group Policy.
### Possible values
@ -40,6 +40,8 @@ Set the time for elapsed user-input inactivity based on the devices usage and
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options (While creating and linking group policy on server)
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.


@ -14,7 +14,8 @@ ms.localizationpriority: medium
# Use Windows Event Forwarding to help with intrusion detection
**Applies to**
- Windows 10
- Windows 10
- Windows Server
Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected.


@ -24,6 +24,9 @@ You can exclude certain files from Windows Defender Antivirus scans by modifying
Generally, you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
> [!NOTE]
> Automatic exclusions apply only to Windows Server 2016 and above.
>[!TIP]
>The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.


@ -56,14 +56,11 @@ SIP is a built-in macOS security feature that prevents low-level tampering with
## Installation and configuration overview
There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
In general you'll need to take the following steps:
- [Register macOS devices](#register-macos-devices) with Windows Defender ATP
- Deploy Microsoft Defender ATP for Mac using any of the following deployment methods and tools:
- [Microsoft Intune based deployment](#microsoft-intune-based-deployment)
- [JAMF based deployment](#jamf-based-deployment)
- [Manual deployment](#manual-deployment)
## Deploy Microsoft Defender ATP for Mac
Use any of the supported methods to deploy Microsoft Defender ATP for Mac
- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal
- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods:
* [Microsoft Intune based deployment](#microsoft-intune-based-deployment)
* [JAMF based deployment](#jamf-based-deployment)
* [Manual deployment](#manual-deployment)
## Microsoft Intune based deployment
@ -293,7 +290,6 @@ After some time, the machine's User Approved MDM status will change to Yes.
You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned.
### Deployment
Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected.
@ -329,7 +325,7 @@ Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found.
You can also check the onboarding status:
```
mavel-mojave:~ testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
@ -351,13 +347,13 @@ For example, this script removes Microsoft Defender ATP from the /Applications d
```
echo "Is WDAV installed?"
ls -ld '/Applications/Microsoft Defender.app' 2>/dev/null
ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
echo "Uninstalling WDAV..."
rm -rf '/Applications/Microsoft Defender.app'
rm -rf '/Applications/Microsoft Defender ATP.app'
echo "Is WDAV still installed?"
ls -ld '/Applications/Microsoft Defender.app' 2>/dev/null
ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
echo "Done!"
```
@ -374,7 +370,7 @@ Configure the appropriate scope in the **Scope** tab to specify the machines tha
You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded:
```
/Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+'
sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+'
```
This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered.
@ -435,7 +431,7 @@ The installation will proceed.
The client machine is not associated with orgId. Note that the orgid is blank.
```
mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid :
```
@ -449,7 +445,7 @@ The installation will proceed.
3. Verify that the machine is now associated with orgId:
```
mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8
```


@ -12,7 +12,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/10/2019
ms.date: 10/16/2017
---
# AppLocker
@ -92,7 +92,7 @@ AppLocker is included with enterprise-level editions of Windows. You can author
 
### Using AppLocker on Server Core
AppLocker on Server Core installations is not supported. This applies to all versions of Windows Server.
AppLocker on Server Core installations is not supported.
### Virtualization considerations


@ -12,7 +12,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/11/2019
ms.date: 09/21/2017
---
# Requirements to use AppLocker
@ -31,15 +31,14 @@ To use AppLocker, you need:
- For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
- Devices running a supported operating system to enforce the AppLocker rules that you create.
>[!NOTE]
>You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md).
>**Note:**  You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md).
 
## Operating system requirements
The following table shows AppLocker features supported by different versions of Windows.
The following table show the on which operating systems AppLocker features are supported.
| Version | Can be configured | Can be enforced | Available rules | Notes |
|---|---|---|---|---|
| - | - | - | - | - |
| Windows 10| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| You can use the [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. |
| Windows Server 2016<br/>Windows Server 2012 R2<br/>Windows Server 2012| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| |
| Windows 8.1 Pro| Yes| No| N/A||
@ -56,7 +55,8 @@ The following table shows AppLocker features supported by different versions of
| Windows 7 Enterprise| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
| Windows 7 Professional| Yes| No| Executable<br/>Windows Installer<br/>Script<br/>DLL| No AppLocker rules are enforced.|
 
Previous versions of Windows can use Software Restriction Policies.
AppLocker is not supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature is not supported on the above operating systems.
## See also
- [Administer AppLocker](administer-applocker.md)


@ -61,7 +61,7 @@ AppLocker uses path variables for well-known directories in Windows. Path variab
| Windows directory or drive | AppLocker path variable | Windows environment variable |
| - | - | - |
| Windows | %WINDIR% | %SystemRoot% |
| System32 | %SYSTEM32%| %SystemDirectory%|
| System32 and sysWOW64 | %SYSTEM32%| %SystemDirectory%|
| Windows installation directory | %OSDRIVE%|%SystemDrive%|
| Program Files | %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)%|
| Removable media (for example, CD or DVD) | %REMOVABLE%| |


@ -60,6 +60,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|Lee Christensen|@tifkin_|
|Vladas Bulavas | Kaspersky Lab |
|Lasse Trolle Borup | Langkjaer Cyber Defence |
|Jimmy Bayne | @bohops |
|Philip Tsukerman | @PhilipTsukerman |
<br />


@ -1,6 +1,12 @@
# [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
## [Overview](overview.md)
### [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
#### [What's in the dashboard and what it means for my organization](tvm-dashboard-insights.md)
#### [Configuration score](configuration-score.md)
#### [Scenarios](threat-and-vuln-mgt-scenarios.md)
### [Attack surface reduction](overview-attack-surface-reduction.md)
#### [Hardware-based isolation](overview-hardware-based-isolation.md)
##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md)
@ -32,6 +38,7 @@
##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
##### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
#### Machines list
##### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
@ -70,10 +77,11 @@
### [Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md)
### [Microsoft Threat Experts](microsoft-threat-experts.md)
### [Threat analytics](threat-analytics.md)
### [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md)
#### [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)
##### [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
@ -81,23 +89,16 @@
#### [Custom detections](overview-custom-detections.md)
#####[Create custom detections rules](custom-detection-rules.md)
### [Management and APIs](management-apis.md)
#### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
#### [Windows Defender ATP APIs](apis-intro.md)
#### [Managed security service provider support](mssp-support-windows-defender-advanced-threat-protection.md)
### [Microsoft Threat Protection](threat-protection-integration.md)
#### [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
#### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md)
#### [Information protection in Windows overview](information-protection-in-windows-overview.md)
### [Microsoft Threat Experts](microsoft-threat-experts.md)
### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
@ -212,6 +213,8 @@
### [Configure Secure score dashboard security controls](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
### [Configure and manage Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)
### Management and API support
#### [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
##### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
@ -335,6 +338,10 @@
##### [Threat protection reports](threat-protection-reports-windows-defender-advanced-threat-protection.md)
##### [Machine health and compliance reports](machine-reports-windows-defender-advanced-threat-protection.md)
#### Interoperability
##### [Partner applications](partner-applications.md)
#### Role-based access control
##### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
###### [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md)
@ -343,11 +350,6 @@
#### [Configure managed security service provider (MSSP) support](configure-mssp-support-windows-defender-advanced-threat-protection.md)
### [Configure and manage Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)
### Configure Microsoft Threat Protection integration
#### [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md)
#### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md)
@ -376,7 +378,7 @@
####Rules
##### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
##### [Manage allowed/blocked lists](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
##### [Manage indicators](manage-indicators.md)
##### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
##### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
@ -385,8 +387,6 @@
##### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md)
#### [Configure Windows Security app time zone settings](time-settings-windows-defender-advanced-threat-protection.md)
## [Troubleshoot Windows Defender ATP](troubleshoot-wdatp.md)


@ -94,8 +94,7 @@ To receive contextual machine integration in Office 365 Threat Intelligence, you
This feature is currently on public preview. When you enable this feature, you'll receive targeted attack notifications from Microsoft Threat Experts through your Windows Defender ATP portal's alerts dashboard and via email if you configure it.
>[!NOTE]
>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later.
>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions.
## Microsoft Cloud App Security


@ -0,0 +1,56 @@
---
title: Overview of Configuration score in Microsoft Defender Security Center
description: Expand your visibility into the overall security configuration posture of your organization
keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/11/2019
---
# Configuration score
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease<73>information](prerelease.md)]
>[!NOTE]
> Secure score is now part of Threat & Vulnerability Management as Configuration score. Well keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection) page.
The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over your organization's security posture based on security best practices.
Your configuration score widget shows the collective security configuration state of your machines across the following categories:
- Application
- Operating system
- Network
- Accounts
- Security controls
## How it works
What you'll see in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
- Compare collected configurations to the collected benchmarks to discover misconfigured assets
- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration
- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams)
- Collect and monitor changes of security control configuration state from all assets
From the widget, you'd be able to see which security aspect require attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can take action based on security benchmarks.
## Improve your configuration score
The goal is to improve your configuration score by remediating the issues in the security recommendations list. You can filter the view based on:
- **Related component** - **Accounts**, **Application**, **Network**, **OS**, or **Security controls**
- **Remediation type** - **Configuration change** or **Software update**
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)


@ -0,0 +1,44 @@
---
title: Configure Threat & Vulnerability Management in Windows Defender ATP
description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft System Center Configuration Manager (SCCM) integrations.
keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM
search.product: Windows 10
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Configure Threat & Vulnerability Management
**Applies to:**
- [Windows Defender Advanced Threat Protection Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease<73>information](prerelease.md)]
This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM) for a seamless collaboration of issue remediation.
### Before you begin
>[!IMPORTANT]
Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices threat and vulnerability exposure data.</br>
Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM).
>[!WARNING]
>Only Intune and SCCM enrolled devices are supported in this scenario.</br>
>Use any of the following options to enroll devices in Intune:
>- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
>- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school)
>- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup).
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Configuration score](configuration-score.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)


@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMV
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro


@ -36,12 +36,12 @@ Information collected includes file data (such as file names, sizes, and hashes)
Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578).
Microsoft uses this data to:
This data enables Windows Defender ATP to:
- Proactively identify indicators of attack (IOAs) in your organization
- Generate alerts if a possible attack was detected
- Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network.
Microsoft does not use your data for advertising or for any other purpose other than providing you the service.
Microsoft does not use your data for advertising.
## Data protection and encryption
The Windows Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure.


@ -49,7 +49,7 @@ If the machine was offboarded it will still appear in machines list. After 7 day
If the machine is not sending any signals for more than 7 days to any of the Windows Defender ATP channels for any reason including conditions that fall under misconfigured machines classification, a machine can be considered inactive.
Do you expect a machine to be in Active status? [Open a support ticket ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
Do you expect a machine to be in Active status? [Open a support ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
## Misconfigured machines
Misconfigured machines can further be classified to:


@ -31,6 +31,9 @@ Learn about the minimum requirements and initial steps you need to take to get s
The following capabilities are available across multiple products that make up the Windows Defender ATP platform.
**Threat & Vulnerability Management**<br>
Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. This infrastructure correlates endpoint detection and response (EDR) insights with endpoint vulnerabilities real-time, thus reducing organizational vulnerability exposure and increasing threat resilience.
**Attack surface reduction**<br>
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.

Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.

