deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-20 09:17:25 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into App-v-revision

Browse Source
This commit is contained in:
Heidi Lohr 2018-07-11 15:19:29 -07:00
commit a8559ba1f3
20 changed files with 469 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
windows/client-management/mdm/TOC.md
View File

@ -320,4 +320,5 @@
#### [WindowsLicensing DDF file](windowslicensing-ddf-file.md) #### [WindowsLicensing DDF file](windowslicensing-ddf-file.md)
### [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md) ### [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)
#### [WindowsSecurityAuditing DDF file](windowssecurityauditing-ddf-file.md) #### [WindowsSecurityAuditing DDF file](windowssecurityauditing-ddf-file.md)
### [WiredNetwork CSP](wirednetwork-csp.md)
#### [WiredNetwork DDF file](wirednetwork-ddf-file.md)

31
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -30,6 +30,7 @@ Footnotes:
- 2 - Added in Windows 10, version 1703 - 2 - Added in Windows 10, version 1703
- 3 - Added in Windows 10, version 1709 - 3 - Added in Windows 10, version 1709
- 4 - Added in Windows 10, version 1803 - 4 - Added in Windows 10, version 1803
- 5 - Added in Windows 10, next major version
<!--StartCSPs--> <!--StartCSPs-->
<hr/> <hr/>
@ -2531,6 +2532,34 @@ Footnotes:
<!--EndSKU--> <!--EndSKU-->
<!--EndCSP--> <!--EndCSP-->
<!--StartCSP-->
[WiredNetwork CSP](wirednetwork-csp.md)
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP--> <!--StartCSP-->
[w7 APPLICATION CSP](w7-application-csp.md) [w7 APPLICATION CSP](w7-application-csp.md)
@ -2568,6 +2597,7 @@ Footnotes:
- 2 - Added in Windows 10, version 1703 - 2 - Added in Windows 10, version 1703
- 3 - Added in Windows 10, version 1709 - 3 - Added in Windows 10, version 1709
- 4 - Added in Windows 10, version 1803 - 4 - Added in Windows 10, version 1803
- 5 - Added in Windows 10, next major version
## CSP DDF files download ## CSP DDF files download
@ -2614,6 +2644,7 @@ The following list shows the configuration service providers supported in Window
- 2 - Added in Windows 10, version 1703 - 2 - Added in Windows 10, version 1703
- 3 - Added in Windows 10, version 1709 - 3 - Added in Windows 10, version 1709
- 4 - Added in Windows 10, version 1803 - 4 - Added in Windows 10, version 1803
- 5 - Added in Windows 10, next major version
## <a href="" id="surfacehubcspsupport"></a>CSPs supported in Microsoft Surface Hub ## <a href="" id="surfacehubcspsupport"></a>CSPs supported in Microsoft Surface Hub

BIN
windows/client-management/mdm/images/provisioning-csp-wifi.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 11 KiB

After

Width:  |  Height:  |  Size: 12 KiB

BIN
windows/client-management/mdm/images/provisioning-csp-wirednetwork.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.8 KiB

8
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -1638,6 +1638,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td style="vertical-align:top">[Wifi CSP](wifi-csp.md)</td>
<td style="vertical-align:top"><p>Added a new node WifiCost.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)</td> <td style="vertical-align:top">[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)</td>
<td style="vertical-align:top"><p>Recent changes:</p> <td style="vertical-align:top"><p>Recent changes:</p>
<ul> <ul>
@ -1659,6 +1663,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>Start/ImportEdgeAssets - added a table of SKU support information.</li> <li>Start/ImportEdgeAssets - added a table of SKU support information.</li>
</ul> </ul>
</td></tr> </td></tr>
<tr>
<td style="vertical-align:top">[WiredNetwork CSP](wirednetwork-csp.md)</td>
<td style="vertical-align:top">New CSP added in Windows 10, next major version.
</td></tr>
</tbody> </tbody>
</table> </table>

15
windows/client-management/mdm/wifi-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: MariciaAlforque author: MariciaAlforque
ms.date: 04/16/2018 ms.date: 06/28/2018
--- ---
# WiFi CSP # WiFi CSP
@ -59,8 +59,6 @@ If it exists in the blob, the **keyType** and **protected** elements must come b
> **Note**  If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](http://go.microsoft.com/fwlink/p/?LinkId=618963). > **Note**  If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](http://go.microsoft.com/fwlink/p/?LinkId=618963).
 
The supported operations are Add, Get, Delete, and Replace. The supported operations are Add, Get, Delete, and Replace.
<a href="" id="proxy"></a>**Proxy** <a href="" id="proxy"></a>**Proxy**
@ -96,6 +94,17 @@ Added in Windows 10, version 1607. Optional. When set to true it enables Web Pr
Value type is bool. Value type is bool.
<a href="" id="wificost"></a>**WiFiCost**
Added in Windows 10, next major version. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behaviour: Unrestricted.
Supported values:
- 1 - Unrestricted - unlimited connection
- 2 - Fixed - capacity constraints up to a certain data limit
- 3 - Variable - paid on per byte basic
Supported operations are Add, Get, Replace and Delete. Value type is integer.
## Examples ## Examples

187
windows/client-management/mdm/wifi-ddf-file.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: MariciaAlforque author: MariciaAlforque
ms.date: 06/26/2017 ms.date: 06/28/2018
--- ---
# WiFi DDF file # WiFi DDF file
@ -15,7 +15,190 @@ ms.date: 06/26/2017
This topic shows the OMA DM device description framework (DDF) for the **WiFi** configuration service provider. DDF files are used only with OMA DM provisioning XML. This topic shows the OMA DM device description framework (DDF) for the **WiFi** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Content under development and will be published soon. The XML below is for Windows 10, next major version.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[
<?oma-dm-ddf-ver supported-versions="1.2"?>
]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>WiFi</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.1/MDM/WiFi</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>Profile</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>The Profile name of the Wi-Fi network. This is added when WlanXML node is added and deleted when Wlanxml is deleted.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>SSID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>WlanXml</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>
XML describing the network configuration and follows Windows WLAN_profile schema.
Link to schema: http://msdn.microsoft.com/en-us/library/windows/desktop/ms707341(v=vs.85).aspx
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Proxy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Optional node. The format is url:port. Configuration of the network proxy (if any).</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ProxyPacUrl</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>Optional node. URL to the PAC file location.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ProxyWPAD</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>Optional node: The presence of the field enables WPAD for proxy lookup.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics ## Related topics

34
windows/client-management/mdm/wirednetwork-csp.md Normal file
View File

@ -0,0 +1,34 @@
---
title: WiredNetwork CSP
description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet.
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 06/27/2018
---
# WiredNetwork CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet. This CSP was added in Windows 10, next major version.
The following diagram shows the WiredNetwork configuration service provider in tree format.
![WiredNetwork CSP diagram](images/provisioning-csp-wirednetwork.png)
<a href="" id="wirednetwork"></a>**./Device/Vendor/MSFT/WiredNetwork**
Root node.
<a href="" id="lanxml"></a>**LanXML**
Optional. XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx.
Supported operations are Add, Get, Replace, and Delete. Value type is string.
<a href="" id="enableblockperiod"></a>**EnableBlockPeriod**
Optional. Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.

167
windows/client-management/mdm/wirednetwork-ddf-file.md Normal file
View File

@ -0,0 +1,167 @@
---
title: WiredNetwork DDF file
description: This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider.
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 06/28/2018
---
# WiredNetwork DDF file
This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. This CSP was added in Windows 10, version 1511.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>WiredNetwork</NodeName>
<Path>./User/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>LanXML</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnableBlockPeriod</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description> Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>WiredNetwork</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>LanXML</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnableBlockPeriod</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description> Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```

11
windows/deployment/update/waas-deployment-rings-windows-10-updates.md
View File

@ -4,10 +4,10 @@ description: Deployment rings in Windows 10 are similar to the deployment groups
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: manage ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: DaniHalfin author: jaimeo
ms.localizationpriority: medium ms.localizationpriority: medium
ms.author: daniha ms.author: jaimeo
ms.date: 07/27/2017 ms.date: 07/11/2018
--- ---
# Build deployment rings for Windows 10 updates # Build deployment rings for Windows 10 updates
@ -38,9 +38,7 @@ Table 1 provides an example of the deployment rings you might use.
| Critical | Semi-annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for a period of time by the majority of the organization | | Critical | Semi-annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for a period of time by the majority of the organization |
>[!NOTE] >[!NOTE]
>In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC servicing channel does not receive feature updates. >In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC does not receive feature updates.
>
>Windows Insider PCs must be enrolled manually on each device and serviced based on the Windows Insider level chosen in the **Settings** app on that particular PC. Feature update servicing for Windows Insider devices is done completely through Windows Update; no servicing tools can manage Windows Insider feature updates.
As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense. As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense.
@ -66,6 +64,7 @@ As Table 1 shows, each combination of servicing channel and deployment group is
- [Configure Windows Update for Business](waas-configure-wufb.md) - [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage device restarts after updates](waas-restart.md) - [Manage device restarts after updates](waas-restart.md)

5
windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy ms.pagetype: deploy
author: jaimeo author: jaimeo
ms.author: jaimeo ms.author: jaimeo
ms.date: 07/02/2018 ms.date: 07/11/2018
ms.localizationpriority: high ms.localizationpriority: high
--- ---
@ -229,3 +229,6 @@ System Center Configuration Manager (SCCM) considers a device ready to upgrade i
Currently, you can choose the criteria you wish to use: Currently, you can choose the criteria you wish to use:
- To use the SCCM criteria, create the collection of devices ready to upgrade within the SCCM console (using the analytics connector). - To use the SCCM criteria, create the collection of devices ready to upgrade within the SCCM console (using the analytics connector).
- To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the SCCM collection from that spreadsheet. - To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the SCCM collection from that spreadsheet.
### How does Upgrade Readiness collect the inventory of devices and applications?
For details about this process and some tips, see [How does Upgrade Readiness in WA collects application inventory for your OMS workspace?](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/How-does-Upgrade-Readiness-in-WA-collects-application-inventory/ba-p/213586) on the Windows Analytics blog.

4
windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: brianlic-msft author: brianlic-msft
ms.date: 05/03/2018 ms.date: 07/10/2018
--- ---
# BitLocker To Go FAQ # BitLocker To Go FAQ
@ -20,3 +20,5 @@ ms.date: 05/03/2018
BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.
As with BitLocker, drives that are encrypted using BitLocker To Go can be opened with a password or smart card on another computer by using **BitLocker Drive Encryption** in Control Panel.

8
windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: brianlic-msft author: brianlic-msft
ms.date: 05/03/2018 ms.date: 07/10/2018
--- ---
# Using BitLocker with other programs FAQ # Using BitLocker with other programs FAQ
@ -89,11 +89,11 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical
BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run. BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
- With TPM - Yes it is supported - With TPM - Yes it is supported
- Without TPM - Yes it is supported (with password ) protector - Without TPM - Yes it is supported (with password protector)
BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2. BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
## Can I use BitLocker with virtual machines (VMs)? ## Can I use BitLocker with virtual machines (VMs)?
Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.

5
windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
View File

@ -41,10 +41,7 @@ The recovery process included in this topic only works for desktop devices. WIP
>[!Important] >[!Important]
>Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. 4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune.md) or [System Center Configuration Manager](create-wip-policy-using-sccm.md).
>[!Note]
>To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic.
## Verify your data recovery certificate is correctly set up on a WIP client computer ## Verify your data recovery certificate is correctly set up on a WIP client computer

14
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
author: justinha author: justinha
ms.author: justinha ms.author: justinha
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 05/30/2018 ms.date: 07/10/2018
--- ---
# Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune # Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
@ -379,7 +379,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
1. From the **App policy** blade, click the name of your policy, and then click **Required settings**. 1. From the **App policy** blade, click the name of your policy, and then click **Required settings**.
2. If the auto-defined identity isnt correct, you can change the info in the **Corporate identity** field. If you need to add additional domains, for example your email domains, you can do it in the **Advanced settings** area. 2. If the auto-defined identity isnt correct, you can change the info in the **Corporate identity** field. If you need to add domains, for example your email domains, you can do it in the **Advanced settings** area.
![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png) ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
@ -487,7 +487,7 @@ After you've decided where your protected apps can access enterprise data on you
- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
- **On (recommended).** Turns on the feature and provides the additional protection. - **On.** Turns on the feature and provides the additional protection.
- **Off, or not configured.** Doesn't enable this feature. - **Off, or not configured.** Doesn't enable this feature.
@ -497,7 +497,7 @@ After you've decided where your protected apps can access enterprise data on you
- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if youre migrating between Mobile Device Management (MDM) solutions. - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if youre migrating between Mobile Device Management (MDM) solutions.
- **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: - **Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
- **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu.
@ -509,6 +509,12 @@ After you've decided where your protected apps can access enterprise data on you
- **Off, or not configured.** Stops using Azure Rights Management encryption with WIP. - **Off, or not configured.** Stops using Azure Rights Management encryption with WIP.
- **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files.
- **On.** Starts Windows Search Indexer to index encrypted files.
- **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files.
## Choose to set up Azure Rights Management with WIP ## Choose to set up Azure Rights Management with WIP
WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.

BIN
windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 3.7 KiB

After

Width:  |  Height:  |  Size: 4.6 KiB

BIN
windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 11 KiB

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 47 KiB

After

Width:  |  Height:  |  Size: 33 KiB

BIN
windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 37 KiB

After

Width:  |  Height:  |  Size: 25 KiB

2
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
View File

@ -78,7 +78,7 @@ For October 2017, we are announcing an update to system.management.automation.dl
Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet: Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet:
``` ```xml
<?xml version="1.0" encoding="utf-8" ?> <?xml version="1.0" encoding="utf-8" ?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy"> <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx> <VersionEx>10.0.0.0</VersionEx>