From 8542a813eb19ab643afb30b02b210f987e3cde5d Mon Sep 17 00:00:00 2001 From: mapalko Date: Thu, 2 Apr 2020 16:50:27 -0700 Subject: [PATCH 01/39] updates to WHFB PIN policy documentation --- .../hello-manage-in-organization.md | 124 +++++++++++++++--- 1 file changed, 104 insertions(+), 20 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index c9213a887f..8767eadd0d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -15,7 +15,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 10/18/2017 +ms.date: 4/2/2020 --- # Manage Windows Hello for Business in your organization @@ -34,21 +34,23 @@ You can create a Group Policy or mobile device management (MDM) policy that will ## Group Policy settings for Windows Hello for Business -The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. +The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. > [!NOTE] > Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**. - + + + @@ -56,15 +58,37 @@ The following table lists the Group Policy settings that you can configure for W + + + + + + + + + + + + + + + + + + + + + - - + +<
PolicyScope Options
Use Windows Hello for Business Computer or user -

Not configured: Users can provision Windows Hello for Business, which encrypts their domain password.

+

Not configured: Device does not provision Windows Hello for Business for any user.

Enabled: Device provisions Windows Hello for Business using keys or certificates for all users.

Disabled: Device does not provision Windows Hello for Business for any user.

Use a hardware security device Computer

Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

-

Enabled: Windows Hello for Business will only be provisioned using TPM.

+

Enabled: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.

Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
Use certificate for on-premises authenticationComputer or user +

Not configured: Windows Hello for Business enrolls a key that is used for on-premises authentication.

+

Enabled: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.

+

Disabled: Windows Hello for Business enrolls a key that is used for on-premises authentication.

+
Use PIN recoveryComputer +

Added in Windows 10, version 1703

+

Not configured: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.

+

Enabled: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.

+

Disabled: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.

+
Use biometrics Computer

Not configured: Biometrics can be used as a gesture in place of a PIN.

Enabled: Biometrics can be used as a gesture in place of a PIN.

@@ -74,6 +98,7 @@ The following table lists the Group Policy settings that you can configure for W
PIN Complexity Require digitsComputer

Not configured: Users must include a digit in their PIN.

Enabled: Users must include a digit in their PIN.

@@ -82,6 +107,7 @@ The following table lists the Group Policy settings that you can configure for W
Require lowercase lettersComputer

Not configured: Users cannot use lowercase letters in their PIN.

Enabled: Users must include at least one lowercase letter in their PIN.

@@ -90,6 +116,7 @@ The following table lists the Group Policy settings that you can configure for W
Maximum PIN lengthComputer

Not configured: PIN length must be less than or equal to 127.

Enabled: PIN length must be less than or equal to the number you specify.

@@ -98,6 +125,7 @@ The following table lists the Group Policy settings that you can configure for W
Minimum PIN lengthComputer

Not configured: PIN length must be greater than or equal to 4.

Enabled: PIN length must be greater than or equal to the number you specify.

@@ -106,6 +134,7 @@ The following table lists the Group Policy settings that you can configure for W
ExpirationComputer

Not configured: PIN does not expire.

Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.

@@ -114,6 +143,7 @@ The following table lists the Group Policy settings that you can configure for W
HistoryComputer

Not configured: Previous PINs are not stored.

Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused.

@@ -124,6 +154,7 @@ The following table lists the Group Policy settings that you can configure for W
Require special charactersComputer

Not configured: Users cannot include a special character in their PIN.

Enabled: Users must include at least one special character in their PIN.

@@ -132,6 +163,7 @@ The following table lists the Group Policy settings that you can configure for W
Require uppercase lettersComputer

Not configured: Users cannot include an uppercase letter in their PIN.

Enabled: Users must include at least one uppercase letter in their PIN.

@@ -139,9 +171,9 @@ The following table lists the Group Policy settings that you can configure for W
>Phone Sign-in -

Use Phone Sign-in

+		Phone Sign-inUse Phone Sign-inComputer

Not currently supported.

@@ -154,7 +186,7 @@ The following table lists the Group Policy settings that you can configure for W The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkId=692070). >[!IMPORTANT] ->Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. +>Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. @@ -166,7 +198,7 @@ The following table lists the MDM policy settings that you can configure for Win - + - + + + + + + + + + + + + + + + @@ -261,7 +315,7 @@ The following table lists the MDM policy settings that you can configure for Win @@ -297,20 +351,50 @@ The following table lists the MDM policy settings that you can configure for Win
UsePassportForWork DeviceDevice or user True

True: Windows Hello for Business will be provisioned for all users on the device.

@@ -178,7 +210,7 @@ The following table lists the MDM policy settings that you can configure for Win
RequireSecurityDevice DeviceDevice or user False

True: Windows Hello for Business will only be provisioned using TPM.

@@ -186,6 +218,28 @@ The following table lists the MDM policy settings that you can configure for Win
Exclude Security DeviceTPM12DeviceFalse +

Added in Windows 10, version 1703

+

True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.

+

False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.

+
EnablePinRecoveryDevice or userFalse +

Added in Windows 10, version 1703

+

True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.

+

False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.

+
Biometrics

UseBiometrics

@@ -252,7 +306,7 @@ The following table lists the MDM policy settings that you can configure for Win 		Device or user 0 -

Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. +

Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.

Device or user 0 -

Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. +

Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.

>[!NOTE] -> If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN. +> InWindows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN. +## Policy conflicts from multiple policy sources + +Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device. + +Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. All PIN complexity policies are grouped together and enforced from a single policy source. + +Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies is enforced on a per policy basis. + +>Examples +> +>The following are configured using computer Group Policy: +> +>- Use Windows Hello for Business - Enabled +>- User certificate for on-premises authentication - Enabled +>- Require digits - Enabled +>- Minimum PIN length - 6 +> +>The following are configured using device MDM Policy: +> +>- UsePassportForWork - Disabled +>- UseCertificateForOnPremAuth - Disabled +>- MinimumPINLength - 8 +>- Digits - 1 +>- LowercaseLetters - 1 +>- SpecialCharacters - 1 +> +>Enforced policy set: +> +>- Use Windows Hello for Business - Enabled +>- Use certificate for on-premises authentication - Enabled +>- Require digits - Enabled +>- Minimum PIN length - 6 ## How to use Windows Hello for Business with Azure Active Directory -There are three scenarios for using Windows Hello for Business in Azure AD–only organizations: +There are three scenarios for using Windows Hello for Business in Azure AD–only organizations: -- **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant’s directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone. -- **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won’t be enabled unless and until the organization’s administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered. +- **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant's directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone. +- **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won't be enabled unless and until the organization's administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered. - **Organizations that have subscribed to Azure AD Premium** have access to the full set of Azure AD MDM features. These features include controls to manage Windows Hello for Business. You can set policies to disable or force the use of Windows Hello for Business, require the use of a TPM, and control the length and strength of PINs set on the device. -If you want to use Windows Hello for Business with certificates, you’ll need a device registration system. That means that you set up Configuration Manager, Microsoft Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates. - - +If you want to use Windows Hello for Business with certificates, you'll need a device registration system. That means that you set up Configuration Manager, Microsoft Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates. ## Related topics From 6ff5a3b14fff6000e027ee1367616f8424aefd13 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 13 Apr 2020 07:48:09 +0500 Subject: [PATCH 02/39] Update hello-feature-pin-reset.md --- .../hello-for-business/hello-feature-pin-reset.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 0b01799ab2..bafa944498 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -43,18 +43,19 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se ### Connect Azure Active Directory with the PIN reset service -1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant. +1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. 2. After you log in, click **Accept** to give consent for the PIN reset service to access your account. ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png) -3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant. +3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. 4. After you log in, click **Accept** to give consent for the PIN reset client to access your account. + +> [!NOTE] +> After you Accept the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN Reset applications are listed for your tenant. + ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png) 5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant. ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png) ->[!NOTE] ->After you Accept the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN Reset applications are listed for your tenant. - ### Configure Windows devices to use PIN reset using Group Policy You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. @@ -70,7 +71,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 #### Create a PIN Reset Device configuration profile using Microsoft Intune -1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. +1. Sign-in to [Azure Portal](https://portal.azure.com) using a Global administrator account. 2. You need your tenant ID to complete the following task. You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer.
``` @@ -86,7 +87,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 #### Assign the PIN Reset Device configuration profile using Microsoft Intune -1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. +1. Sign-in to [Azure Portal](https://portal.azure.com) using a Global administrator account. 2. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. From the list of device configuration profiles, click the profile that contains the PIN reset configuration. 3. In the device configuration profile, click **Assignments**. 4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups. From 3eb8b1dc5ac1ddf29d5ed63e9d5e730f7c68847e Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 14 Apr 2020 16:54:02 +0500 Subject: [PATCH 03/39] Update windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-feature-pin-reset.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index bafa944498..b5cb6203e0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -44,7 +44,7 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se ### Connect Azure Active Directory with the PIN reset service 1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. -2. After you log in, click **Accept** to give consent for the PIN reset service to access your account. +2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account. ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png) 3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. 4. After you log in, click **Accept** to give consent for the PIN reset client to access your account. From 3c0c024c27c44b572bef3ea80f7688a6fef623d6 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 14 Apr 2020 16:54:11 +0500 Subject: [PATCH 04/39] Update windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-feature-pin-reset.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index b5cb6203e0..6ce49e5f4d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -47,7 +47,7 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se 2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account. ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png) 3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. -4. After you log in, click **Accept** to give consent for the PIN reset client to access your account. +4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account. > [!NOTE] > After you Accept the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN Reset applications are listed for your tenant. From d211a61451a10d2ffa64a05abda1f8381154a34a Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 14 Apr 2020 16:54:21 +0500 Subject: [PATCH 05/39] Update windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-feature-pin-reset.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 6ce49e5f4d..2e883b4615 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -50,7 +50,7 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se 4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account. > [!NOTE] -> After you Accept the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN Reset applications are listed for your tenant. +> After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant. ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png) 5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant. From 7c7e82f220c04ae50557338fac8a1a58a4b18ee2 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 14 Apr 2020 16:54:31 +0500 Subject: [PATCH 06/39] Update windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-feature-pin-reset.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 2e883b4615..fbfd7364b8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -53,6 +53,7 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant. ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png) + 5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant. ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png) From 2fdfd135a63923807bd712d3f7c510f82a31f72d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 14 Apr 2020 16:54:59 +0500 Subject: [PATCH 07/39] Update windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-feature-pin-reset.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index fbfd7364b8..571417baa2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -73,7 +73,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 #### Create a PIN Reset Device configuration profile using Microsoft Intune 1. Sign-in to [Azure Portal](https://portal.azure.com) using a Global administrator account. -2. You need your tenant ID to complete the following task. You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer.
+2. You need your tenant ID to complete the following task. You can discover your tenant ID by viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a Command window on any Azure AD-joined or hybrid Azure AD-joined computer.
``` dsregcmd /status | findstr -snip "tenantid" From 21018f240e1d84cc8149350228345ecd51a3d1e5 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 14 Apr 2020 16:55:11 +0500 Subject: [PATCH 08/39] Update windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-feature-pin-reset.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 571417baa2..861ad26756 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -88,7 +88,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 #### Assign the PIN Reset Device configuration profile using Microsoft Intune -1. Sign-in to [Azure Portal](https://portal.azure.com) using a Global administrator account. +1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account. 2. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. From the list of device configuration profiles, click the profile that contains the PIN reset configuration. 3. In the device configuration profile, click **Assignments**. 4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups. From 01ea39518a228d7971f4f48ed26b0cb5bc49d5b7 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 14 Apr 2020 16:55:21 +0500 Subject: [PATCH 09/39] Update windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-feature-pin-reset.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 861ad26756..1b4d731ff0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -89,7 +89,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 #### Assign the PIN Reset Device configuration profile using Microsoft Intune 1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account. -2. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. From the list of device configuration profiles, click the profile that contains the PIN reset configuration. +2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration. 3. In the device configuration profile, click **Assignments**. 4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups. From 86d52111306692ed8771f378a6158dc1c7f587d4 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 14 Apr 2020 16:55:32 +0500 Subject: [PATCH 10/39] Update windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-feature-pin-reset.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 1b4d731ff0..33a9c450e1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -90,7 +90,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account. 2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration. -3. In the device configuration profile, click **Assignments**. +3. In the device configuration profile, select **Assignments**. 4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups. ## On-premises Deployments From 150ca08574ae889962693682d7b684e757d9c77f Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 14 Apr 2020 17:55:00 +0500 Subject: [PATCH 11/39] Update hello-hybrid-aadj-sso-cert.md --- .../hello-hybrid-aadj-sso-cert.md | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 54f37c9b50..0aa1e47937 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -644,28 +644,28 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Select **Device Configuration**, and then click **Profiles**. 4. Select **Create Profile**. ![Intune Device Configuration Create Profile](images/aadjcert/intunedeviceconfigurationcreateprofile.png) -5. Next to **Name**, type **WHFB Certificate Enrollment**. -6. Next to **Description**, provide a description meaningful for your environment. -7. Select **Windows 10 and later** from the **Platform** list. -8. Select **SCEP certificate** from the **Profile** list. - ![WHFB Scep Profile Blade](images/aadjcert/intunewhfbscepprofile-00.png) -9. The **SCEP Certificate** blade should open. Configure **Certificate validity period** to match your organization. +5. Select **Windows 10 and later** from the **Platform** list. +6. Choose **SCEP certificate** from the **Profile** list, and select **Create**. +7. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**. +8. Next to **Description**, provide a description meaningful for your environment, then select **Next**. +9. Select **User** as a certificate type. +10. Configure **Certificate validity period** to match your organization. > [!IMPORTANT] > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity. -10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. -11. Select **Custom** from the **Subject name format** list. -12. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. -13. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** value. -14. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. -15. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority. +11. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. +12. Select **Custom** from the **Subject name format** list. +13. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. +14. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** value. +15. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. +16. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority. ![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png) -16. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. -17. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. +17. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. +18. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. ![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png) -18. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile. -19. Click **OK**. -20. Click **Create**. +19. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile. +20. Click **Next**. +21. Click **Next** two more times to skip **Scope tags** and **Assignments** steps of the wizard and click **Create**. ### Assign Group to the WHFB Certificate Enrollment Certificate Profile Sign-in a workstation with access equivalent to a _domain user_. From ba64f0e083002d642abfa126d0c9ae5e05dc8631 Mon Sep 17 00:00:00 2001 From: Obi Eze Ajoku <62227226+linque1@users.noreply.github.com> Date: Tue, 14 Apr 2020 06:59:51 -0700 Subject: [PATCH 12/39] Fixed Warning line 43 > string --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 03b72907ac..eadc81def6 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -40,7 +40,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline] >Regarding the Windows Restricted Traffic Limited Functionality Baseline, the 1903 settings (folder) are applicable to 1909 Windows >Enterprise devices. There were no additional settings required for the 1909 release. >[!Warning] ->If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the >"Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order >re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline >settings. +>If a user executes the **Reset this PC** command (Settings -> Update & Security -> Recovery) with the **Keep my files option** (or the **Remove Everything** option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order to re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings. To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm) From fad867331a5379c4299ec858a52f51778364783c Mon Sep 17 00:00:00 2001 From: illfated Date: Tue, 14 Apr 2020 23:06:36 +0200 Subject: [PATCH 13/39] chore: Whitespace consistency & MD compatibility Description: - follow-up to my previous PR #6060 (chore: MarkDown Note marker compatibility spacing) Main directory: /browsers/ This is a follow-up attempt to standardize the MarkDown Note bubbles by adding the recommended single space after the quote marker. MarkDown codestyle & whitespace usage consistency is the main goal here. Additional proposed changes: - Remove redundant end-of-line (EOL) whitespace - Simplify blank space usage in bullet point lists/numbered lists to 1 - Replace some tab characters with 4 blank spaces (GitHub compatibility) - Reduce redundant blank line whitespace usage: - remove excessive blank lines between sections - remove surplus blank lines in minimal bullet point lists File-specific improvement change: browsers/edge/microsoft-edge-kiosk-mode-deploy.md - Add back missing table readability spacing and cell dividers. Ticket reference or closure: None that I know of (at least not yet). Additional notes: - I have split this modification chore into sub-folder sections to keep the number of files within a reasonably manageable amount. - Some of the whitespace changes could not be applied due to layout. --- browsers/edge/about-microsoft-edge.md | 10 +- .../group-policies/favorites-management-gp.md | 24 ++-- ...interoperability-enterprise-guidance-gp.md | 20 ++-- .../includes/configure-home-button-include.md | 21 ++-- .../configure-open-edge-with-include.md | 16 +-- .../includes/provision-favorites-include.md | 12 +- .../send-all-intranet-sites-ie-include.md | 18 +-- .../edge/microsoft-edge-kiosk-mode-deploy.md | 64 +++++------ browsers/edge/web-app-compat-toolkit.md | 16 +-- ...e-change-request-enterprise-mode-portal.md | 24 ++-- .../enterprise-mode-features-include.md | 7 +- ...-changes-preprod-enterprise-mode-portal.md | 18 +-- ...e-enterprise-mode-site-list-mgr-include.md | 6 +- ...eroperability-goals-enterprise-guidance.md | 5 +- ...e-change-request-enterprise-mode-portal.md | 25 ++-- ...-changes-preprod-enterprise-mode-portal.md | 18 +-- .../what-is-enterprise-mode.md | 20 ++-- .../ie11-faq/faq-ie11-blocker-toolkit.md | 108 +++++++++--------- browsers/internet-explorer/ie11-ieak/index.md | 8 +- .../licensing-version-and-features-ieak11.md | 14 +-- 20 files changed, 222 insertions(+), 232 deletions(-) diff --git a/browsers/edge/about-microsoft-edge.md b/browsers/edge/about-microsoft-edge.md index 5cd357aea7..e2453e5990 100644 --- a/browsers/edge/about-microsoft-edge.md +++ b/browsers/edge/about-microsoft-edge.md @@ -2,7 +2,7 @@ title: Microsoft Edge system and language requirements description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics. ms.assetid: 70377735-b2f9-4b0b-9658-4cf7c1d745bb -ms.reviewer: +ms.reviewer: audience: itpro manager: dansimp ms.author: dansimp @@ -17,7 +17,7 @@ ms.date: 10/02/2018 --- # Microsoft Edge system and language requirements ->Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile +> Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile > [!NOTE] > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). @@ -25,8 +25,8 @@ ms.date: 10/02/2018 Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools. ->[!IMPORTANT] ->The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don’t include Microsoft Edge or many other Universal Windows Platform (UWP) apps. Systems running the LTSB operating systems do not support these apps because their services get frequently updated with new functionality. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. +> [!IMPORTANT] +> The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don’t include Microsoft Edge or many other Universal Windows Platform (UWP) apps. Systems running the LTSB operating systems do not support these apps because their services get frequently updated with new functionality. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. ## Minimum system requirements @@ -49,7 +49,7 @@ Some of the components might also need additional system resources. Check the co ## Supported languages -Microsoft Edge supports all of the same languages as Windows 10 and you can use the [Microsoft Translator extension](https://www.microsoft.com/p/translator-for-microsoft-edge/9nblggh4n4n3) to translate foreign language web pages and text selections for 60+ languages. +Microsoft Edge supports all of the same languages as Windows 10 and you can use the [Microsoft Translator extension](https://www.microsoft.com/p/translator-for-microsoft-edge/9nblggh4n4n3) to translate foreign language web pages and text selections for 60+ languages. If the extension does not work after install, restart Microsoft Edge. If the extension still does not work, provide feedback through the Feedback Hub. diff --git a/browsers/edge/group-policies/favorites-management-gp.md b/browsers/edge/group-policies/favorites-management-gp.md index 9a022da181..c8584e28f5 100644 --- a/browsers/edge/group-policies/favorites-management-gp.md +++ b/browsers/edge/group-policies/favorites-management-gp.md @@ -1,43 +1,43 @@ --- title: Microsoft Edge - Favorites group policies description: Configure Microsoft Edge to either show or hide the favorites bar on all pages. Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. -services: -keywords: +services: +keywords: ms.localizationpriority: medium audience: itpro manager: dansimp author: dansimp ms.author: dansimp ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: ms.topic: reference ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Favorites +# Favorites > [!NOTE] > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). -You can customize the favorites bar, for example, you can turn off features such as Save a Favorite and Import settings, and hide or show the favorites bar on all pages. Another customization you can make is provisioning a standard list of favorites, including folders, to appear in addition to the user’s favorites. If it’s important to keep the favorites in both IE11 and Microsoft Edge synced, you can turn on syncing where changes to the list of favorites in one browser reflect in the other. +You can customize the favorites bar, for example, you can turn off features such as Save a Favorite and Import settings, and hide or show the favorites bar on all pages. Another customization you can make is provisioning a standard list of favorites, including folders, to appear in addition to the user’s favorites. If it’s important to keep the favorites in both IE11 and Microsoft Edge synced, you can turn on syncing where changes to the list of favorites in one browser reflect in the other. ->[!TIP] ->You can find the Favorites under C:\\Users\\<_username_>\\Favorites. +> [!TIP] +> You can find the Favorites under C:\\Users\\<_username_>\\Favorites. You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:       **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** -## Configure Favorites Bar +## Configure Favorites Bar [!INCLUDE [configure-favorites-bar-include](../includes/configure-favorites-bar-include.md)] -## Keep favorites in sync between Internet Explorer and Microsoft Edge -[!INCLUDE [keep-fav-sync-ie-edge-include](../includes/keep-fav-sync-ie-edge-include.md)] +## Keep favorites in sync between Internet Explorer and Microsoft Edge +[!INCLUDE [keep-fav-sync-ie-edge-include](../includes/keep-fav-sync-ie-edge-include.md)] ## Prevent changes to Favorites on Microsoft Edge -[!INCLUDE [prevent-changes-to-favorites-include](../includes/prevent-changes-to-favorites-include.md)] +[!INCLUDE [prevent-changes-to-favorites-include](../includes/prevent-changes-to-favorites-include.md)] -## Provision Favorites +## Provision Favorites [!INCLUDE [provision-favorites-include](../includes/provision-favorites-include.md)] diff --git a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md index f1a0929bb3..bd34273cc4 100644 --- a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md +++ b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md @@ -7,7 +7,7 @@ manager: dansimp ms.author: dansimp author: dansimp ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library @@ -21,11 +21,10 @@ ms.topic: reference Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. ->[!TIP] ->If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. - -**Technology not supported by Microsoft Edge** +> [!TIP] +> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. +**Technology not supported by Microsoft Edge** - ActiveX controls @@ -39,20 +38,19 @@ Microsoft Edge is the default browser experience for Windows 10 and Windows 10 M - Legacy document modes -If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. +If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. ## Relevant group policies +1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list) -1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list) +2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11) -2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11) +3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer) -3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer) - -4. [(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge) +4. [(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge) You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: diff --git a/browsers/edge/includes/configure-home-button-include.md b/browsers/edge/includes/configure-home-button-include.md index 3082d3014b..24d2cadb77 100644 --- a/browsers/edge/includes/configure-home-button-include.md +++ b/browsers/edge/includes/configure-home-button-include.md @@ -2,15 +2,15 @@ author: eavena ms.author: eravena ms.date: 10/28/2018 -ms.reviewer: +ms.reviewer: audience: itpro manager: dansimp ms.prod: edge ms.topic: include --- - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Show home button and load the Start page)* + +> *Supported versions: Microsoft Edge on Windows 10, version 1809*
+> *Default setting: Disabled or not configured (Show home button and load the Start page)* [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] @@ -28,9 +28,8 @@ ms.topic: include --- ->[!TIP] ->If you want to make changes to this policy:
  1. Enable the **Unlock Home Button** policy.
  2. Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
  3. Disable the **Unlock Home Button** policy.
- +> [!TIP] +> If you want to make changes to this policy:
  1. Enable the **Unlock Home Button** policy.
  2. Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
  3. Disable the **Unlock Home Button** policy.
### ADMX info and settings #### ADMX info @@ -43,19 +42,17 @@ ms.topic: include #### MDM settings - **MDM name:** Browser/[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) - **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton - **Data type:** Integer #### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings - **Value name:** ConfigureHomeButton - **Value type:** REG_DWORD ### Related policies - [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] - -- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] - +- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)]
diff --git a/browsers/edge/includes/configure-open-edge-with-include.md b/browsers/edge/includes/configure-open-edge-with-include.md index a86cf568ce..ab0140e30c 100644 --- a/browsers/edge/includes/configure-open-edge-with-include.md +++ b/browsers/edge/includes/configure-open-edge-with-include.md @@ -2,7 +2,7 @@ author: eavena ms.author: eravena ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: audience: itpro manager: dansimp ms.prod: edge ms.topic: include @@ -10,8 +10,8 @@ ms.topic: include ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled (A specific page or pages)* +> *Supported versions: Microsoft Edge on Windows 10, version 1809*
+> *Default setting: Enabled (A specific page or pages)* [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] @@ -31,10 +31,8 @@ ms.topic: include --- - ->[!TIP] ->If you want to make changes to this policy:
  1. Set the **Disabled Lockdown of Start Pages** policy to not configured.
  2. Make changes to the **Configure Open Microsoft With** policy.
  3. Enable the **Disabled Lockdown of Start Pages** policy.
- +> [!TIP] +> If you want to make changes to this policy:
  1. Set the **Disabled Lockdown of Start Pages** policy to not configured.
  2. Make changes to the **Configure Open Microsoft With** policy.
  3. Enable the **Disabled Lockdown of Start Pages** policy.
### ADMX info and settings @@ -58,11 +56,7 @@ ms.topic: include ### Related policies - [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] - - [Disable lockdown of Start pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] - - - --- diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md index fdb0016715..5ec37da07a 100644 --- a/browsers/edge/includes/provision-favorites-include.md +++ b/browsers/edge/includes/provision-favorites-include.md @@ -2,21 +2,21 @@ author: eavena ms.author: eravena ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: audience: itpro manager: dansimp ms.prod: edge ms.topic: include --- ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Disabled or not configured (Customizable)* +> *Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+> *Default setting: Disabled or not configured (Customizable)* [!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)] ->[!IMPORTANT] ->Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. +> [!IMPORTANT] +> Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. ### Supported values @@ -38,7 +38,7 @@ ms.topic: include #### MDM settings - **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) - **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites - **Data type:** String #### Registry settings diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md index 2d8195f03e..b59221443f 100644 --- a/browsers/edge/includes/send-all-intranet-sites-ie-include.md +++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md @@ -2,20 +2,20 @@ author: eavena ms.author: eravena ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: audience: itpro manager: dansimp ms.prod: edge ms.topic: include --- ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured* +> *Supported versions: Microsoft Edge on Windows 10*
+> *Default setting: Disabled or not configured* -[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] +[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] ->[!TIP] ->Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. +> [!TIP] +> Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. ### Supported values @@ -30,7 +30,7 @@ ms.topic: include ### ADMX info and settings #### ADMX info -- **GP English name:** Send all intranet sites to Internet Explorer 11 +- **GP English name:** Send all intranet sites to Internet Explorer 11 - **GP name:** SendIntranetTraffictoInternetExplorer - **GP path:** Windows Components/Microsoft Edge - **GP ADMX file name:** MicrosoftEdge.admx @@ -38,7 +38,7 @@ ms.topic: include #### MDM settings - **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) - **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer - **Data type:** Integer #### Registry settings @@ -53,7 +53,7 @@ ms.topic: include ### Related topics -- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge. +- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge. - [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index c4141688d8..8249262926 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md @@ -1,8 +1,8 @@ --- title: Deploy Microsoft Edge Legacy kiosk mode description: Microsoft Edge Legacy kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge Legacy kiosk mode, you must configure Microsoft Edge Legacy as an application in assigned access. -ms.assetid: -ms.reviewer: +ms.assetid: +ms.reviewer: audience: itpro manager: dansimp author: dansimp @@ -16,28 +16,28 @@ ms.date: 01/17/2020 # Deploy Microsoft Edge Legacy kiosk mode ->Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later ->Professional, Enterprise, and Education +> Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later +> Professional, Enterprise, and Education > [!NOTE] > You've reached the documentation for Microsoft Edge Legacy (version 45 and earlier.) To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). For information about kiosk mode in the new version of Microsoft Edge, see [Microsoft Edge kiosk mode](https://docs.microsoft.com/DeployEdge/microsoft-edge-kiosk-mode). In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge Legacy as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge Legacy in kiosk mode. -In this topic, you'll learn: +In this topic, you'll learn: - How to configure the behavior of Microsoft Edge Legacy when it's running in kiosk mode with assigned access. -- What's required to run Microsoft Edge Legacy kiosk mode on your kiosk devices. -- You'll also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or an other MDM service. +- What's required to run Microsoft Edge Legacy kiosk mode on your kiosk devices. +- You'll also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or an other MDM service. -At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support. +At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support. ## Kiosk mode configuration types ->**Policy** = Configure kiosk mode (ConfigureKioskMode) +> **Policy** = Configure kiosk mode (ConfigureKioskMode) -Microsoft Edge Legacy kiosk mode supports four configurations types that depend on how Microsoft Edge Legacy is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario. +Microsoft Edge Legacy kiosk mode supports four configurations types that depend on how Microsoft Edge Legacy is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario. - Learn about [creating a kiosk experience](https://docs.microsoft.com/windows-hardware/customize/enterprise/create-a-kiosk-image) @@ -50,9 +50,9 @@ Microsoft Edge Legacy kiosk mode supports four configurations types that depend ### Important things to note before getting started -- There are [required steps to follow](#setup- required-for-microsoft-edge-legacy-kiosk-mode) in order to use the following Microsoft Edge Legacy kiosk mode types either alongside the new version of Microsoft Edge or prevent the new version of Microsoft Edge from being installed on your kiosk device. +- There are [required steps to follow](#setup- required-for-microsoft-edge-legacy-kiosk-mode) in order to use the following Microsoft Edge Legacy kiosk mode types either alongside the new version of Microsoft Edge or prevent the new version of Microsoft Edge from being installed on your kiosk device. -- The public browsing kiosk types run Microsoft Edge Legacy InPrivate mode to protect user data with a browsing experience designed for public kiosks. +- The public browsing kiosk types run Microsoft Edge Legacy InPrivate mode to protect user data with a browsing experience designed for public kiosks. - Microsoft Edge Legacy kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue, and if no user activity Microsoft Edge Legacy resets the session to the default URL. By default, the idle timer is 5 minutes, but you can choose a value of your own. @@ -67,7 +67,7 @@ Microsoft Edge Legacy kiosk mode supports four configurations types that depend - [Guidelines for choosing an app for assigned access (kiosk mode)](https://aka.ms/Ul7dw3). -### Supported configuration types +### Supported configuration types [!INCLUDE [configure-kiosk-mode-supported-values-include](includes/configure-kiosk-mode-supported-values-include.md)] @@ -75,9 +75,9 @@ Microsoft Edge Legacy kiosk mode supports four configurations types that depend Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge Legacy kiosk mode: -- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service. +- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service. -- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge Legacy kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode). +- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge Legacy kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode). ### Prerequisites @@ -89,14 +89,14 @@ Now that you're familiar with the different kiosk mode configurations and have t - URL to load when the kiosk launches. The URL that you provide sets the Home button, Start page, and New Tab page. - _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge Legacy: - + ``` Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge ``` ### Setup required for Microsoft Edge Legacy kiosk mode -When the new version of Microsoft Edge Stable channel is installed, Microsoft Edge Legacy is hidden and all attempts to launch Microsoft Edge Legacy are redirected to the new version of Microsoft Edge. +When the new version of Microsoft Edge Stable channel is installed, Microsoft Edge Legacy is hidden and all attempts to launch Microsoft Edge Legacy are redirected to the new version of Microsoft Edge. To continue using Microsoft Edge Legacy kiosk mode on your kiosk devices take one of the following actions: @@ -104,11 +104,11 @@ To continue using Microsoft Edge Legacy kiosk mode on your kiosk devices take on - To prevent Microsoft Edge Stable channel from being installed on your kiosk devices deploy the Microsoft Edge [Allow installation default](https://docs.microsoft.com/DeployEdge/microsoft-edge-update-policies#installdefault) policy for Stable channel or consider using the [Blocker toolkit](https://docs.microsoft.com/DeployEdge/microsoft-edge-blocker-toolkit) to disable automatic delivery of Microsoft Edge. > [!NOTE] -> For more information about accessing Microsoft Edge Legacy after installing Microsoft Edge, see [How to access the old version of Microsoft Edge](https://docs.microsoft.com/DeployEdge/microsoft-edge-sysupdate-access-old-edge). +> For more information about accessing Microsoft Edge Legacy after installing Microsoft Edge, see [How to access the old version of Microsoft Edge](https://docs.microsoft.com/DeployEdge/microsoft-edge-sysupdate-access-old-edge). ### Use Windows Settings -Windows Settings is the simplest and the only way to set up one or a couple of single-app devices. +Windows Settings is the simplest and the only way to set up one or a couple of single-app devices. 1. On the kiosk device, open Windows Settings, and in the search field type **kiosk** and then select **Set up a kiosk (assigned access)**. @@ -120,9 +120,9 @@ Windows Settings is the simplest and the only way to set up one or a couple of s 5. Select how Microsoft Edge Legacy displays when running in kiosk mode: - - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge Legacy InPrivate protecting user data. + - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge Legacy InPrivate protecting user data. - - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge Legacy, protecting user data. + - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge Legacy, protecting user data. 6. Select **Next**. @@ -136,23 +136,23 @@ Windows Settings is the simplest and the only way to set up one or a couple of s 11. Restart the kiosk device and sign in with the local kiosk account to validate the configuration. -**_Congratulations!_**

You’ve just finished setting up a single-app kiosk device using Windows Settings. +**_Congratulations!_**

You’ve just finished setting up a single-app kiosk device using Windows Settings. -**_What's next?_** +**_What's next?_** - User your new kiosk device.

OR

- Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge Legacy**. ---- +--- ### Use Microsoft Intune or other MDM service With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge Legacy kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add). ->[!IMPORTANT] ->If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device. +> [!IMPORTANT] +> If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device. 1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps. @@ -166,7 +166,7 @@ With this method, you can use Microsoft Intune or other MDM services to configur | **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

  • **0 (default)** - Not configured. Show home button, and load the default Start page.
  • **1** - Enabled. Show home button and load New Tab page
  • **2** - Enabled. Show home button & set a specific page.
  • **3** - Enabled. Hide the home button.
| | **[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New Tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | - + **_Congratulations!_**

You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge Legacy kiosk mode using Microsoft Intune or other MDM service. @@ -177,7 +177,7 @@ With this method, you can use Microsoft Intune or other MDM services to configur ## Supported policies for kiosk mode -Use any of the Microsoft Edge Legacy policies listed below to enhance the kiosk experience depending on the Microsoft Edge Legacy kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser). +Use any of the Microsoft Edge Legacy policies listed below to enhance the kiosk experience depending on the Microsoft Edge Legacy kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser). Make sure to check with your provider for instructions. @@ -251,18 +251,18 @@ Make sure to check with your provider for instructions.        ![Not supported](images/148766.png) = Not applicable or not supported
       ![Supported](images/148767.png) = Supported ---- +--- ## Feature comparison of kiosk mode and kiosk browser app In the following table, we show you the features available in both Microsoft Edge Legacy kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access. -| **Feature** | **Microsoft Edge Legacy kiosk mode** | **Microsoft Kiosk browser app** | +| **Feature** | **Microsoft Edge Legacy kiosk mode** | **Microsoft Kiosk browser app** | |-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:| | Print support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | | Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Allow/Block URL support | ![Not Supported](images/148766.png) ![Supported](images/148767.png) | +| Allow/Block URL support | ![Not Supported](images/148766.png) | ![Supported](images/148767.png) | | Configure Home Button | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | Set Start page(s) URL | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*Same as Home button URL* | | Set New Tab page URL | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | @@ -280,6 +280,6 @@ To prevent access to unwanted websites on your kiosk device, use Windows Defende ## Provide feedback or get support -To provide feedback on Microsoft Edge Legacy kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. +To provide feedback on Microsoft Edge Legacy kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. **_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. diff --git a/browsers/edge/web-app-compat-toolkit.md b/browsers/edge/web-app-compat-toolkit.md index 8ec157e607..00e7a02d51 100644 --- a/browsers/edge/web-app-compat-toolkit.md +++ b/browsers/edge/web-app-compat-toolkit.md @@ -1,6 +1,6 @@ --- title: Web Application Compatibility lab kit -ms.reviewer: +ms.reviewer: audience: itpro manager: dansimp description: Learn how to use the web application compatibility toolkit for Microsoft Edge. @@ -14,7 +14,7 @@ ms.localizationpriority: high # Web Application Compatibility lab kit ->Updated: October, 2017 +> Updated: October, 2017 Upgrading web applications to modern standards is the best long-term solution to ensure compatibility with today’s web browsers, but using backward compatibility can save time and money. Internet Explorer 11 has features that can ease your browser and operating system upgrades, reducing web application testing and remediation costs. On Windows 10, you can standardize on Microsoft Edge for faster, safer browsing and fall back to Internet Explorer 11 just for sites that need backward compatibility. @@ -22,7 +22,7 @@ The Web Application Compatibility Lab Kit is a primer for the features and techn The Web Application Compatibility Lab Kit includes: -- A pre-configured Windows 7 and Windows 10 virtual lab environment with: +- A pre-configured Windows 7 and Windows 10 virtual lab environment with: - Windows 7 Enterprise Evaluation - Windows 10 Enterprise Evaluation (version 1607) - Enterprise Mode Site List Manager @@ -36,10 +36,10 @@ Depending on your environment, your web apps may "just work” using the methods There are two versions of the lab kit available: -- Full version (8 GB) - includes a complete virtual lab environment +- Full version (8 GB) - includes a complete virtual lab environment - Lite version (400 MB) - includes guidance for running the Lab Kit on your own Windows 7 or Windows 10 operating system -The Web Application Compatibility Lab Kit is also available in the following languages: +The Web Application Compatibility Lab Kit is also available in the following languages: - Chinese (Simplified) - Chinese (Traditional) @@ -48,11 +48,11 @@ The Web Application Compatibility Lab Kit is also available in the following lan - Italian - Japanese - Korean -- Portuguese (Brazil) +- Portuguese (Brazil) - Russian - Spanish [DOWNLOAD THE LAB KIT](https://www.microsoft.com/evalcenter/evaluate-windows-10-web-application-compatibility-lab) ->[!TIP] ->Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space. +> [!TIP] +> Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space. diff --git a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md index cbfc5f11b5..8f33595d7e 100644 --- a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md +++ b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md @@ -8,7 +8,7 @@ ms.prod: ie11 title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library ms.date: 07/27/2017 -ms.reviewer: +ms.reviewer: manager: dansimp ms.author: dansimp --- @@ -17,16 +17,16 @@ ms.author: dansimp **Applies to:** -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal. ->[!Important] ->Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. +> [!Important] +> Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. **To create a new change request** 1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**. @@ -36,7 +36,7 @@ Employees assigned to the Requester role can create a change request. A change r 2. Fill out the required fields, based on the group and the app, including: - **Group name.** Select the name of your group from the dropdown box. - + - **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List. - **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list. @@ -58,15 +58,15 @@ Employees assigned to the Requester role can create a change request. A change r - **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes. - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx). - + 4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing. - + A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list. 5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct. - **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**. - + - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator. ## Next steps diff --git a/browsers/enterprise-mode/enterprise-mode-features-include.md b/browsers/enterprise-mode/enterprise-mode-features-include.md index 8090fc9ba8..9da0e79778 100644 --- a/browsers/enterprise-mode/enterprise-mode-features-include.md +++ b/browsers/enterprise-mode/enterprise-mode-features-include.md @@ -1,4 +1,5 @@ ### Enterprise Mode features + Enterprise Mode includes the following features: - **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes. @@ -8,9 +9,9 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso - **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools. - >[!Important] - >All centrally-made decisions override any locally-made choices. + > [!Important] + > All centrally-made decisions override any locally-made choices. - **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites. -- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list. \ No newline at end of file +- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list. diff --git a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md index a72f720a3f..3e06b8b806 100644 --- a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md +++ b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md @@ -8,7 +8,7 @@ ms.prod: ie11 title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library ms.date: 07/27/2017 -ms.reviewer: +ms.reviewer: manager: dansimp ms.author: dansimp --- @@ -17,18 +17,18 @@ ms.author: dansimp **Applies to:** -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) ->[!Important] ->This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. +> [!Important] +> This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including: -- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List. +- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List. - **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment. diff --git a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md index 22464cc569..0b86c29226 100644 --- a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md +++ b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md @@ -2,7 +2,7 @@ author: eavena ms.author: eravena ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: audience: itpro manager: dansimp ms.prod: edge ms.topic: include @@ -10,8 +10,8 @@ ms.topic: include If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. ->[!IMPORTANT] ->Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do. +> [!IMPORTANT] +> Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do. 1. In the Enterprise Mode Site List Manager, click **File \> Import**. diff --git a/browsers/includes/interoperability-goals-enterprise-guidance.md b/browsers/includes/interoperability-goals-enterprise-guidance.md index 04470d33af..407e07bf91 100644 --- a/browsers/includes/interoperability-goals-enterprise-guidance.md +++ b/browsers/includes/interoperability-goals-enterprise-guidance.md @@ -26,8 +26,8 @@ You must continue using IE11 if web apps use any of the following: If you have uninstalled IE11, you can download it from the Microsoft Store or the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. ->[!TIP] ->If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714). +> [!TIP] +> If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714). |Technology |Why it existed |Why we don't need it anymore | @@ -38,4 +38,3 @@ If you have uninstalled IE11, you can download it from the Microsoft Store or th --- - diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md index d15192b9d3..6c1a210e27 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md @@ -8,7 +8,7 @@ ms.prod: ie11 title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library ms.date: 07/27/2017 -ms.reviewer: +ms.reviewer: audience: itpro manager: dansimp ms.author: dansimp @@ -18,16 +18,16 @@ ms.author: dansimp **Applies to:** -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal. ->[!Important] ->Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. +> [!Important] +> Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. **To create a new change request** 1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**. @@ -37,7 +37,7 @@ Employees assigned to the Requester role can create a change request. A change r 2. Fill out the required fields, based on the group and the app, including: - **Group name.** Select the name of your group from the dropdown box. - + - **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List. - **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list. @@ -59,16 +59,17 @@ Employees assigned to the Requester role can create a change request. A change r - **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes. - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx). - + 4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing. - + A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list. 5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct. - **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**. - + - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator. ## Next steps + After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic. diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md index 8a161b2ffb..a3fce1731d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md @@ -8,7 +8,7 @@ ms.prod: ie11 title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library ms.date: 07/27/2017 -ms.reviewer: +ms.reviewer: audience: itpro manager: dansimp ms.author: dansimp @@ -18,18 +18,18 @@ ms.author: dansimp **Applies to:** -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) ->[!Important] ->This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. +> [!Important] +> This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including: -- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List. +- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List. - **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment. diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md index da309b68cd..1a2c6fc17a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md @@ -20,11 +20,11 @@ ms.date: 10/25/2018 **Applies to:** -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). @@ -33,7 +33,7 @@ If you have specific websites and apps that you know have compatibility problems Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. ->[!TIP] +> [!TIP] > If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. @@ -54,8 +54,8 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso - **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools. - >[!Important] - >All centrally-made decisions override any locally-made choices. + > [!Important] + > All centrally-made decisions override any locally-made choices. - **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites. @@ -121,11 +121,11 @@ There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and - [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema. - We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). + We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). - [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema. - If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). + If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal. diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md index a4cb639bc5..e35b64b8a4 100644 --- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md @@ -5,8 +5,8 @@ description: Get answers to commonly asked questions about the Internet Explorer author: dansimp ms.author: dansimp ms.prod: ie11 -ms.assetid: -ms.reviewer: +ms.assetid: +ms.reviewer: audience: itpro manager: dansimp title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions @@ -16,50 +16,50 @@ ms.date: 05/10/2018 # Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions -Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. +Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. ->[!Important] ->If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment. +> [!Important] +> If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment. -- [Automatic updates delivery process](#automatic-updates-delivery-process) +- [Automatic updates delivery process](#automatic-updates-delivery-process) -- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works) +- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works) -- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services) +- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services) ## Automatic Updates delivery process -**Q. Which users will receive Internet Explorer 11 as an important update?** -A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md). - -**Q. When is the Blocker Toolkit available?** -A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). - -**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?** -A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx). - -**Q. How long does the blocker mechanism work?** -A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed. - -**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?** -A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers. - +**Q. Which users will receive Internet Explorer 11 as an important update?** +A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md). + +**Q. When is the Blocker Toolkit available?** +A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). + +**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?** +A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx). + +**Q. How long does the blocker mechanism work?** +A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed. + +**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?** +A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers. + The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to download and install in companies that can’t use WSUS, Configuration Manager, or -other update management solution. - -**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?** +other update management solution. + +**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?** A. Blocking the Windows Update or Microsoft Update URLs also stops delivery of critical security and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable. ## How the Internet Explorer 11 Blocker Toolkit works -**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?** -A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary. - -**Q. What’s the registry key used to block delivery of Internet Explorer 11?** -A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0 - -**Q. What’s the registry key name and values?** +**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?** +A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary. + +**Q. What’s the registry key used to block delivery of Internet Explorer 11?** +A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0 + +**Q. What’s the registry key name and values?** The registry key name is **DoNotAllowIE11**, where: - A value of **1** turns off the automatic delivery of Internet Explorer 11 using Automatic Updates and turns off the Express install option. @@ -67,23 +67,23 @@ The registry key name is **DoNotAllowIE11**, where: - Not providing a registry key, or using a value of anything other than **1**, lets the user install Internet Explorer 11 through Automatic Updates or a manual update. -**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?** -A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media. - -**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?** -A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. - -**Q. How does the provided script work?** +**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?** +A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media. + +**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?** +A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. + +**Q. How does the provided script work?** A. The script accepts one of two command line options: - **Block:** Creates the registry key that stops Internet Explorer 11 from installing through Automatic Updates. - **Unblock:** Removes the registry key that stops Internet Explorer 11 from installing through Automatic Updates. -**Q. What’s the ADM template file used for?** -A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company. - -**Q. Is the tool localized?** +**Q. What’s the ADM template file used for?** +A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company. + +**Q. Is the tool localized?** A. No. The tool isn’t localized, it’s only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems. ## Internet Explorer 11 Blocker Toolkit and other update services @@ -91,17 +91,17 @@ A. No. The tool isn’t localized, it’s only available in English (en-us). How **Q: Is there a version of the Internet Explorer Blocker Toolkit that will prevent automatic installation of IE11?**
Yes. The IE11 Blocker Toolkit is available for download. For more information, see [Toolkit to Disable Automatic Delivery of IE11](https://go.microsoft.com/fwlink/p/?LinkId=328195) on the Microsoft Download Center. -**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?** -A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions. - -**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?** +**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?** +A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions. + +**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?** A. You only need to change your settings if: -- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation. +- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation. -and- -- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed. +- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed. -and- @@ -112,10 +112,10 @@ If these scenarios apply to your company, see [Internet Explorer 11 delivery thr ## Additional resources -- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) +- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) -- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11) +- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11) -- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) +- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) -- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index) +- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index) diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md index 3187f8b507..29b8c0ceca 100644 --- a/browsers/internet-explorer/ie11-ieak/index.md +++ b/browsers/internet-explorer/ie11-ieak/index.md @@ -14,12 +14,12 @@ manager: dansimp # Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide -The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. +The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices. ->[!IMPORTANT] ->Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary. +> [!IMPORTANT] +> Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary. ## Included technology @@ -41,7 +41,7 @@ IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1 ## Related topics - [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) -- [Download IEAK 11](ieak-information-and-downloads.md) +- [Download IEAK 11](ieak-information-and-downloads.md) - [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index) - [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) - [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md) diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md index 296dec1688..ea1f1cb9e1 100644 --- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md @@ -6,7 +6,7 @@ author: dansimp ms.author: dansimp ms.prod: ie11 ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15 -ms.reviewer: +ms.reviewer: audience: itpro manager: dansimp title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) @@ -21,8 +21,8 @@ In addition to the Software License Terms for the Internet Explorer Administrati During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment. - **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website. - >[!IMPORTANT] - >Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations. + > [!IMPORTANT] + > Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations. - **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment. @@ -64,10 +64,10 @@ During installation, you must pick a version of IEAK 11, either **External** or Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software. -- **External Distribution** +- **External Distribution** This mode is available to anyone who wants to create a customized browser for distribution outside their company (for example, websites, magazines, retailers, non-profit organizations, independent hardware vendors, independent software vendors, Internet service providers, Internet content providers, software developers, and marketers). -- **Internal Distribution** +- **Internal Distribution** This mode is available to companies for the creation and distribution of a customized browser only to their employees over a corporate intranet. The table below identifies which customizations you may or may not perform based on the mode you selected. @@ -100,8 +100,8 @@ Support for some of the Internet Explorer settings on the wizard pages varies de Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software. -- **External Distribution** +- **External Distribution** You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy). -- **Internal Distribution - corporate intranet** +- **Internal Distribution - corporate intranet** The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet. From 500c91786254f25cd1f142c5d67dd2856f5ea54a Mon Sep 17 00:00:00 2001 From: illfated Date: Tue, 14 Apr 2020 23:22:54 +0200 Subject: [PATCH 14/39] Windows/Unix line endings: replace ^M with NewLine - 5 NewLine replacements for the CR/LF character from Windows --- .../includes/configure-home-button-include.md | 117 ++++++++-------- .../configure-open-edge-with-include.md | 125 +++++++++--------- .../includes/provision-favorites-include.md | 105 +++++++-------- .../send-all-intranet-sites-ie-include.md | 125 +++++++++--------- ...e-enterprise-mode-site-list-mgr-include.md | 45 ++++--- 5 files changed, 261 insertions(+), 256 deletions(-) diff --git a/browsers/edge/includes/configure-home-button-include.md b/browsers/edge/includes/configure-home-button-include.md index 24d2cadb77..90f6acdac2 100644 --- a/browsers/edge/includes/configure-home-button-include.md +++ b/browsers/edge/includes/configure-home-button-include.md @@ -1,58 +1,59 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/28/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - -> *Supported versions: Microsoft Edge on Windows 10, version 1809*
-> *Default setting: Disabled or not configured (Show home button and load the Start page)* - - -[!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] - - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------| -| Disabled or not configured
**(default)** | 0 | 0 | Load the Start page. | -| Enabled | 1 | 1 | Load the New Tab page. | -| Enabled | 2 | 2 | Load the custom URL defined in the Set Home Button URL policy. | -| Enabled | 3 | 3 | Hide the home button. | - ---- - - -> [!TIP] -> If you want to make changes to this policy:

  1. Enable the **Unlock Home Button** policy.
  2. Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
  3. Disable the **Unlock Home Button** policy.
- -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Home Button -- **GP name:** ConfigureHomeButton -- **GP element:** ConfigureHomeButtonDropdown -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** ConfigureHomeButton -- **Value type:** REG_DWORD - -### Related policies - -- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] -- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/28/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +> *Supported versions: Microsoft Edge on Windows 10, version 1809*
+> *Default setting: Disabled or not configured (Show home button and load the Start page)* + + +[!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] + + +### Supported values + +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------| +| Disabled or not configured
**(default)** | 0 | 0 | Load the Start page. | +| Enabled | 1 | 1 | Load the New Tab page. | +| Enabled | 2 | 2 | Load the custom URL defined in the Set Home Button URL policy. | +| Enabled | 3 | 3 | Hide the home button. | + +--- + + +> [!TIP] +> If you want to make changes to this policy:
  1. Enable the **Unlock Home Button** policy.
  2. Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
  3. Disable the **Unlock Home Button** policy.
+ +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Home Button +- **GP name:** ConfigureHomeButton +- **GP element:** ConfigureHomeButtonDropdown +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** ConfigureHomeButton +- **Value type:** REG_DWORD + +### Related policies + +- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] +- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] + +
diff --git a/browsers/edge/includes/configure-open-edge-with-include.md b/browsers/edge/includes/configure-open-edge-with-include.md index ab0140e30c..273b7fdea4 100644 --- a/browsers/edge/includes/configure-open-edge-with-include.md +++ b/browsers/edge/includes/configure-open-edge-with-include.md @@ -1,62 +1,63 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - -> *Supported versions: Microsoft Edge on Windows 10, version 1809*
-> *Default setting: Enabled (A specific page or pages)* - -[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] - -**Version 1703 or later:**
If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. - -**version 1809:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.

- -### Supported values - -| Group Policy | MDM | Registry | Description | -|--------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------| -| Not configured | Blank | Blank | If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. | -| Enabled | 0 | 0 | Load the Start page. | -| Enabled | 1 | 1 | Load the New Tab page. | -| Enabled | 2 | 2 | Load the previous pages. | -| Enabled
**(default)** | 3 | 3 | Load a specific page or pages. | - ---- - -> [!TIP] -> If you want to make changes to this policy:

  1. Set the **Disabled Lockdown of Start Pages** policy to not configured.
  2. Make changes to the **Configure Open Microsoft With** policy.
  3. Enable the **Disabled Lockdown of Start Pages** policy.
- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Open Microsoft Edge With -- **GP name:** ConfigureOpenMicrosoftEdgeWith -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureOpenEdgeWith -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** ConfigureOpenEdgeWith -- **Value type:** REG_DWORD - -### Related policies - -- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] -- [Disable lockdown of Start pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] - - ---- +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +> *Supported versions: Microsoft Edge on Windows 10, version 1809*
+> *Default setting: Enabled (A specific page or pages)* + +[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] + +**Version 1703 or later:**
If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. + +**version 1809:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.

+ +### Supported values + +| Group Policy | MDM | Registry | Description | +|--------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------| +| Not configured | Blank | Blank | If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. | +| Enabled | 0 | 0 | Load the Start page. | +| Enabled | 1 | 1 | Load the New Tab page. | +| Enabled | 2 | 2 | Load the previous pages. | +| Enabled
**(default)** | 3 | 3 | Load a specific page or pages. | + +--- + +> [!TIP] +> If you want to make changes to this policy:

  1. Set the **Disabled Lockdown of Start Pages** policy to not configured.
  2. Make changes to the **Configure Open Microsoft With** policy.
  3. Enable the **Disabled Lockdown of Start Pages** policy.
+ + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Open Microsoft Edge With +- **GP name:** ConfigureOpenMicrosoftEdgeWith +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureOpenEdgeWith +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** ConfigureOpenEdgeWith +- **Value type:** REG_DWORD + +### Related policies + +- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] +- [Disable lockdown of Start pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] + + +--- diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md index 5ec37da07a..739f15e3be 100644 --- a/browsers/edge/includes/provision-favorites-include.md +++ b/browsers/edge/includes/provision-favorites-include.md @@ -1,52 +1,53 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - -> *Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
-> *Default setting: Disabled or not configured (Customizable)* - -[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)] - - -> [!IMPORTANT] -> Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. - -### Supported values - -| Group Policy | Description | Most restricted | -|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | | -| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file** and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
    • HTTP location: "SiteList"=
    • Local network: "SiteList"="\network\shares\URLs.html"
    • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
| ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Provision Favorites -- **GP name:** ConfiguredFavorites -- **GP element:** ConfiguredFavoritesPrompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites -- **Value name:** ConfiguredFavorites -- **Value type:** REG_SZ - -### Related policies -[Keep favorites in sync between Internet Explorer and Microsoft Edge](../available-policies.md#keep-favorites-in-sync-between-internet-explorer-and-microsoft-edge): [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +> *Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+> *Default setting: Disabled or not configured (Customizable)* + +[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)] + + +> [!IMPORTANT] +> Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. + +### Supported values + +| Group Policy | Description | Most restricted | +|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | | +| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file** and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
    • HTTP location: "SiteList"=
    • Local network: "SiteList"="\network\shares\URLs.html"
    • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
| ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Provision Favorites +- **GP name:** ConfiguredFavorites +- **GP element:** ConfiguredFavoritesPrompt +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites +- **Value name:** ConfiguredFavorites +- **Value type:** REG_SZ + +### Related policies +[Keep favorites in sync between Internet Explorer and Microsoft Edge](../available-policies.md#keep-favorites-in-sync-between-internet-explorer-and-microsoft-edge): [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] + +
diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md index b59221443f..0f909d31d7 100644 --- a/browsers/edge/includes/send-all-intranet-sites-ie-include.md +++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md @@ -1,62 +1,63 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - -> *Supported versions: Microsoft Edge on Windows 10*
-> *Default setting: Disabled or not configured* - -[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] - -> [!TIP] -> Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.

    A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Send all intranet sites to Internet Explorer 11 -- **GP name:** SendIntranetTraffictoInternetExplorer -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** SendIntranetTraffictoInternetExplorer -- **Value type:** REG_DWORD - -### Related Policies -- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] - -- [Show message when opening sites in Internet Explorer](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] - - -### Related topics -- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge. - -- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. - -- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +> *Supported versions: Microsoft Edge on Windows 10*
+> *Default setting: Disabled or not configured* + +[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] + +> [!TIP] +> Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. + + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.

    A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | + +--- + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Send all intranet sites to Internet Explorer 11 +- **GP name:** SendIntranetTraffictoInternetExplorer +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** SendIntranetTraffictoInternetExplorer +- **Value type:** REG_DWORD + +### Related Policies +- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] + +- [Show message when opening sites in Internet Explorer](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] + + +### Related topics +- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge. + +- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. + +- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. + +
diff --git a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md index 0b86c29226..31961c97a1 100644 --- a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md +++ b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md @@ -1,22 +1,23 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. - -> [!IMPORTANT] -> Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do. - -1. In the Enterprise Mode Site List Manager, click **File \> Import**. - -2. Go to the exported .EMIE file.

For example, `C:\users\\documents\sites.emie` - -1. Click **Open**. - -2. Review the alert message about all of your entries being overwritten and click **Yes**. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. + +> [!IMPORTANT] +> Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do. + +1. In the Enterprise Mode Site List Manager, click **File \> Import**. + +2. Go to the exported .EMIE file.

For example, `C:\users\\documents\sites.emie` + +1. Click **Open**. + +2. Review the alert message about all of your entries being overwritten and click **Yes**. From c8975281192dd1c4bd3c4a5c0c348dee13a1486b Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 15 Apr 2020 11:08:36 +0500 Subject: [PATCH 15/39] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 0aa1e47937..de36c85817 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -665,7 +665,7 @@ Sign-in a workstation with access equivalent to a _domain user_. ![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png) 19. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile. 20. Click **Next**. -21. Click **Next** two more times to skip **Scope tags** and **Assignments** steps of the wizard and click **Create**. +21. Click **Next** two more times to skip the **Scope tags** and **Assignments** steps of the wizard and click **Create**. ### Assign Group to the WHFB Certificate Enrollment Certificate Profile Sign-in a workstation with access equivalent to a _domain user_. From a8177276758c91c8f16d88992ac3f3720f53fc4f Mon Sep 17 00:00:00 2001 From: mapalko Date: Wed, 15 Apr 2020 11:47:57 -0700 Subject: [PATCH 16/39] Added note about MDMWinsOverGP --- .../hello-for-business/hello-manage-in-organization.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index 8767eadd0d..b957c2cc87 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -351,8 +351,8 @@ The following table lists the MDM policy settings that you can configure for Win

>[!NOTE] -> InWindows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN. - +> In Windows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN. + ## Policy conflicts from multiple policy sources Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device. @@ -361,6 +361,9 @@ Policies for Windows Hello for Business are enforced using the following hierarc Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies is enforced on a per policy basis. +>[!Note] +> Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP. + >Examples > >The following are configured using computer Group Policy: From 303eb1b00cb29b6efe40616944ad4be59aa315b7 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 16 Apr 2020 17:11:25 +0500 Subject: [PATCH 17/39] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index de36c85817..1df6239643 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -651,7 +651,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 9. Select **User** as a certificate type. 10. Configure **Certificate validity period** to match your organization. > [!IMPORTANT] - > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity. + > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity. 11. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. 12. Select **Custom** from the **Subject name format** list. From 01f7774740c59d3811fac1765a388974951e0a58 Mon Sep 17 00:00:00 2001 From: mapalko Date: Thu, 16 Apr 2020 15:18:00 -0700 Subject: [PATCH 18/39] updating PIN complexity MDM settings --- .../hello-manage-in-organization.md | 177 +++++------------- 1 file changed, 46 insertions(+), 131 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index b957c2cc87..93619515f1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -15,26 +15,27 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 4/2/2020 +ms.date: 10/18/2017 --- # Manage Windows Hello for Business in your organization **Applies to** -- Windows 10 + +- Windows 10 You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. >[!IMPORTANT] ->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511. +>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511. > ->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. +>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. > >Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business. - + ## Group Policy settings for Windows Hello for Business -The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. +The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. > [!NOTE] > Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**. @@ -42,15 +43,13 @@ The following table lists the Group Policy settings that you can configure for W - - @@ -58,37 +57,15 @@ The following table lists the Group Policy settings that you can configure for W - - - - - - - - - - - - - - - - - - - - - - - -< + + - + - + - - - - - - - - - - - - - - - + - + + + + + + + + + + + + + @@ -306,7 +275,7 @@ The following table lists the MDM policy settings that you can configure for Win @@ -315,29 +284,11 @@ The following table lists the MDM policy settings that you can configure for Win - - - - - - - - - - - -
PolicyScope Options
Use Windows Hello for Business Computer or user -

Not configured: Device does not provision Windows Hello for Business for any user.

+

Not configured: Users can provision Windows Hello for Business, which encrypts their domain password.

Enabled: Device provisions Windows Hello for Business using keys or certificates for all users.

Disabled: Device does not provision Windows Hello for Business for any user.

Use a hardware security device Computer

Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

-

Enabled: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.

+

Enabled: Windows Hello for Business will only be provisioned using TPM.

Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
Use certificate for on-premises authenticationComputer or user -

Not configured: Windows Hello for Business enrolls a key that is used for on-premises authentication.

-

Enabled: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.

-

Disabled: Windows Hello for Business enrolls a key that is used for on-premises authentication.

-
Use PIN recoveryComputer -

Added in Windows 10, version 1703

-

Not configured: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.

-

Enabled: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.

-

Disabled: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.

-
Use biometrics Computer

Not configured: Biometrics can be used as a gesture in place of a PIN.

Enabled: Biometrics can be used as a gesture in place of a PIN.

@@ -98,7 +75,6 @@ The following table lists the Group Policy settings that you can configure for W
PIN Complexity Require digitsComputer

Not configured: Users must include a digit in their PIN.

Enabled: Users must include a digit in their PIN.

@@ -107,7 +83,6 @@ The following table lists the Group Policy settings that you can configure for W
Require lowercase lettersComputer

Not configured: Users cannot use lowercase letters in their PIN.

Enabled: Users must include at least one lowercase letter in their PIN.

@@ -116,7 +91,6 @@ The following table lists the Group Policy settings that you can configure for W
Maximum PIN lengthComputer

Not configured: PIN length must be less than or equal to 127.

Enabled: PIN length must be less than or equal to the number you specify.

@@ -125,7 +99,6 @@ The following table lists the Group Policy settings that you can configure for W
Minimum PIN lengthComputer

Not configured: PIN length must be greater than or equal to 4.

Enabled: PIN length must be greater than or equal to the number you specify.

@@ -134,7 +107,6 @@ The following table lists the Group Policy settings that you can configure for W
ExpirationComputer

Not configured: PIN does not expire.

Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.

@@ -143,7 +115,6 @@ The following table lists the Group Policy settings that you can configure for W
HistoryComputer

Not configured: Previous PINs are not stored.

Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused.

@@ -154,7 +125,6 @@ The following table lists the Group Policy settings that you can configure for W
Require special charactersComputer

Not configured: Users cannot include a special character in their PIN.

Enabled: Users must include at least one special character in their PIN.

@@ -163,7 +133,6 @@ The following table lists the Group Policy settings that you can configure for W
Require uppercase lettersComputer

Not configured: Users cannot include an uppercase letter in their PIN.

Enabled: Users must include at least one uppercase letter in their PIN.

@@ -171,9 +140,9 @@ The following table lists the Group Policy settings that you can configure for W
Phone Sign-inUse Phone Sign-inComputer>Phone Sign-in +

Use Phone Sign-in

Not currently supported.

@@ -198,7 +167,7 @@ The following table lists the MDM policy settings that you can configure for Win
UsePassportForWork Device or userDevice True

True: Windows Hello for Business will be provisioned for all users on the device.

@@ -210,7 +179,7 @@ The following table lists the MDM policy settings that you can configure for Win
RequireSecurityDevice Device or userDevice False

True: Windows Hello for Business will only be provisioned using TPM.

@@ -218,28 +187,6 @@ The following table lists the MDM policy settings that you can configure for Win
Exclude Security DeviceTPM12DeviceFalse -

Added in Windows 10, version 1703

-

True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.

-

False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.

-
EnablePinRecoveryDevice or userFalse -

Added in Windows 10, version 1703

-

True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.

-

False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.

-
Biometrics

UseBiometrics

@@ -270,19 +217,41 @@ The following table lists the MDM policy settings that you can configure for Win
Digits Device or user2 1 -

1: Numbers are not allowed.

-

2: At least one number is required.

+

0: Numbers are allowed.

+

1: At least one number is required.

+

2: Numbers are not allowed.

Lowercase letters Device or user1 2 -

1: Lowercase letters are not allowed.

-

2: At least one lowercase letter is required.

+

0: Lowercase letters are allowed.

+

1: At least one lowercase letter is required.

+

2: Lowercase letters are not allowed.

+
Special charactersDevice or user2 +

0: Special characters are allowed.

+

1: At least one special character is required.

+

2: Special characters are not allowed.

+
Uppercase lettersDevice or user2 +

0: Uppercase letters are allowed.

+

1: At least one uppercase letter is required.

+

2: Uppercase letters are not allowed.

Device or user 0 -

Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire. +

Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.

Device or user 0 -

Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. +

Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.

Special charactersDevice or user1 -

1: Special characters are not allowed.

-

2: At least one special character is required.

-
Uppercase lettersDevice or user1 -

1: Uppercase letters are not allowed

-

2: At least one uppercase letter is required

-
Remote

UseRemotePassport

@@ -351,47 +302,11 @@ The following table lists the MDM policy settings that you can configure for Win
>[!NOTE] -> In Windows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN. - -## Policy conflicts from multiple policy sources - -Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device. - -Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. All PIN complexity policies are grouped together and enforced from a single policy source. - -Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies is enforced on a per policy basis. - ->[!Note] -> Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP. - ->Examples -> ->The following are configured using computer Group Policy: -> ->- Use Windows Hello for Business - Enabled ->- User certificate for on-premises authentication - Enabled ->- Require digits - Enabled ->- Minimum PIN length - 6 -> ->The following are configured using device MDM Policy: -> ->- UsePassportForWork - Disabled ->- UseCertificateForOnPremAuth - Disabled ->- MinimumPINLength - 8 ->- Digits - 1 ->- LowercaseLetters - 1 ->- SpecialCharacters - 1 -> ->Enforced policy set: -> ->- Use Windows Hello for Business - Enabled ->- Use certificate for on-premises authentication - Enabled ->- Require digits - Enabled ->- Minimum PIN length - 6 +> If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN. ## How to use Windows Hello for Business with Azure Active Directory -There are three scenarios for using Windows Hello for Business in Azure AD–only organizations: +There are three scenarios for using Windows Hello for Business in Azure AD–only organizations: - **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant's directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone. - **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won't be enabled unless and until the organization's administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered. From 68fdbf25bb8c1c5419bb0a4b2fe6048529d02df4 Mon Sep 17 00:00:00 2001 From: mapalko Date: Thu, 16 Apr 2020 15:38:37 -0700 Subject: [PATCH 19/39] updating PIN complexity MDM settings --- .../hello-manage-in-organization.md | 113 ++++++++++++++++-- 1 file changed, 101 insertions(+), 12 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index 93619515f1..0656bcd49c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -15,13 +15,12 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 10/18/2017 +ms.date: 4/16/2017 --- # Manage Windows Hello for Business in your organization **Applies to** - - Windows 10 You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. @@ -35,7 +34,7 @@ You can create a Group Policy or mobile device management (MDM) policy that will ## Group Policy settings for Windows Hello for Business -The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. +The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. > [!NOTE] > Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**. @@ -43,13 +42,15 @@ The following table lists the Group Policy settings that you can configure for W + + @@ -57,15 +58,37 @@ The following table lists the Group Policy settings that you can configure for W + + + + + + + + + + + + + + + + + + + + + - - + + - + - + + + + + + + + + + + + + + +
PolicyScope Options
Use Windows Hello for Business Computer or user -

Not configured: Users can provision Windows Hello for Business, which encrypts their domain password.

+

Not configured: Device does not provision Windows Hello for Business for any user.

Enabled: Device provisions Windows Hello for Business using keys or certificates for all users.

Disabled: Device does not provision Windows Hello for Business for any user.

Use a hardware security device Computer

Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

-

Enabled: Windows Hello for Business will only be provisioned using TPM.

+

Enabled: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.

Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
Use certificate for on-premises authenticationComputer or user +

Not configured: Windows Hello for Business enrolls a key that is used for on-premises authentication.

+

Enabled: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.

+

Disabled: Windows Hello for Business enrolls a key that is used for on-premises authentication.

+
Use PIN recoveryComputer +

Added in Windows 10, version 1703

+

Not configured: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.

+

Enabled: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.

+

Disabled: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.

+
Use biometrics Computer

Not configured: Biometrics can be used as a gesture in place of a PIN.

Enabled: Biometrics can be used as a gesture in place of a PIN.

@@ -75,6 +98,7 @@ The following table lists the Group Policy settings that you can configure for W
PIN Complexity Require digitsComputer

Not configured: Users must include a digit in their PIN.

Enabled: Users must include a digit in their PIN.

@@ -83,6 +107,7 @@ The following table lists the Group Policy settings that you can configure for W
Require lowercase lettersComputer

Not configured: Users cannot use lowercase letters in their PIN.

Enabled: Users must include at least one lowercase letter in their PIN.

@@ -91,6 +116,7 @@ The following table lists the Group Policy settings that you can configure for W
Maximum PIN lengthComputer

Not configured: PIN length must be less than or equal to 127.

Enabled: PIN length must be less than or equal to the number you specify.

@@ -99,6 +125,7 @@ The following table lists the Group Policy settings that you can configure for W
Minimum PIN lengthComputer

Not configured: PIN length must be greater than or equal to 4.

Enabled: PIN length must be greater than or equal to the number you specify.

@@ -107,6 +134,7 @@ The following table lists the Group Policy settings that you can configure for W
ExpirationComputer

Not configured: PIN does not expire.

Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.

@@ -115,6 +143,7 @@ The following table lists the Group Policy settings that you can configure for W
HistoryComputer

Not configured: Previous PINs are not stored.

Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused.

@@ -125,6 +154,7 @@ The following table lists the Group Policy settings that you can configure for W
Require special charactersComputer

Not configured: Users cannot include a special character in their PIN.

Enabled: Users must include at least one special character in their PIN.

@@ -133,6 +163,7 @@ The following table lists the Group Policy settings that you can configure for W
Require uppercase lettersComputer

Not configured: Users cannot include an uppercase letter in their PIN.

Enabled: Users must include at least one uppercase letter in their PIN.

@@ -140,9 +171,9 @@ The following table lists the Group Policy settings that you can configure for W
>Phone Sign-in -

Use Phone Sign-in

+		Phone Sign-inUse Phone Sign-inComputer

Not currently supported.

@@ -167,7 +198,7 @@ The following table lists the MDM policy settings that you can configure for Win
UsePassportForWork DeviceDevice or user True

True: Windows Hello for Business will be provisioned for all users on the device.

@@ -179,7 +210,7 @@ The following table lists the MDM policy settings that you can configure for Win
RequireSecurityDevice DeviceDevice or user False

True: Windows Hello for Business will only be provisioned using TPM.

@@ -187,6 +218,28 @@ The following table lists the MDM policy settings that you can configure for Win
Exclude Security DeviceTPM12DeviceFalse +

Added in Windows 10, version 1703

+

True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.

+

False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.

+
EnablePinRecoveryDevice or userFalse +

Added in Windows 10, version 1703

+

True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.

+

False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.

+
Biometrics

UseBiometrics

@@ -302,11 +355,47 @@ The following table lists the MDM policy settings that you can configure for Win
>[!NOTE] -> If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN. +> In Windows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN. + +## Policy conflicts from multiple policy sources + +Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device. + +Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. All PIN complexity policies are grouped together and enforced from a single policy source. + +Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies is enforced on a per policy basis. + +>[!NOTE] +> Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP. + +>Examples +> +>The following are configured using computer Group Policy: +> +>- Use Windows Hello for Business - Enabled +>- User certificate for on-premises authentication - Enabled +>- Require digits - Enabled +>- Minimum PIN length - 6 +> +>The following are configured using device MDM Policy: +> +>- UsePassportForWork - Disabled +>- UseCertificateForOnPremAuth - Disabled +>- MinimumPINLength - 8 +>- Digits - 1 +>- LowercaseLetters - 1 +>- SpecialCharacters - 1 +> +>Enforced policy set: +> +>- Use Windows Hello for Business - Enabled +>- Use certificate for on-premises authentication - Enabled +>- Require digits - Enabled +>- Minimum PIN length - 6d ## How to use Windows Hello for Business with Azure Active Directory -There are three scenarios for using Windows Hello for Business in Azure AD–only organizations: +There are three scenarios for using Windows Hello for Business in Azure AD–only organizations: - **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant's directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone. - **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won't be enabled unless and until the organization's administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered. From 9087c2b6a904f95fe5395d3ab842afc4cfc24662 Mon Sep 17 00:00:00 2001 From: Jreeds001 Date: Thu, 16 Apr 2020 16:51:10 -0700 Subject: [PATCH 20/39] Update windows-defender-smartscreen-set-individual-device.md --- ...ender-smartscreen-set-individual-device.md | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md index 1bdb879cd4..b0e7163ee4 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md @@ -1,7 +1,7 @@ --- -title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10) -description: Learn how employees can use Windows Security to set up Windows Defender SmartScreen. Windows Defender SmartScreen protects users from running malicious apps. -keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen +title: Set up and use Microsoft Defender SmartScreen on individual devices (Windows 10) +description: Learn how employees can use Windows Security to set up Microsoft Defender SmartScreen. Microsoft Defender SmartScreen protects users from running malicious apps. +keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -14,22 +14,22 @@ manager: dansimp ms.author: macapara --- -# Set up and use Windows Defender SmartScreen on individual devices +# Set up and use Microsoft Defender SmartScreen on individual devices **Applies to:** - Windows 10, version 1703 - Windows 10 Mobile - Microsoft Edge -Windows Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files. +Microsoft Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files. -## How users can use Windows Security to set up Windows Defender SmartScreen -Starting with Windows 10, version 1703, users can use Windows Security to set up Windows Defender SmartScreen for an individual device; unless and administrator has used Group Policy or Microsoft Intune to prevent it. +## How users can use Windows Security to set up Microsoft Defender SmartScreen +Starting with Windows 10, version 1703, users can use Windows Security to set up Microsoft Defender SmartScreen for an individual device; unless and administrator has used Group Policy or Microsoft Intune to prevent it. >[!NOTE] >If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee. -**To use Windows Security to set up Windows Defender SmartScreen on a device** +**To use Windows Security to set up Microsoft Defender SmartScreen on a device** 1. Open the Windows Security app, and then select **App & browser control** > **Reputation-based protection settings**. 2. In the **Reputation-based protection** screen, choose from the following options: @@ -38,13 +38,13 @@ Starting with Windows 10, version 1703, users can use Windows Security to set up - **On.** Warns users that the apps and files being downloaded from the web are potentially dangerous but allows the action to continue. - - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files. + - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files. - - In the **Windows Defender SmartScreen for Microsoft Edge** area: + - In the **Microsoft Defender SmartScreen for Microsoft Edge** area: - **On.** Warns users that sites and downloads are potentially dangerous but allows the action to continue while running in Microsoft Edge. - - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files. + - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files. - In the **Potentially unwanted app blocking** area: - **On.** Turns on both the 'Block apps' and 'Block downloads settings. To learn more, see [How Microsoft identifies malware and potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/intelligence/criteria#potentially-unwanted-application-pua). @@ -54,21 +54,21 @@ Starting with Windows 10, version 1703, users can use Windows Security to set up - **Off.** Turns off Potentially unwanted app blocking, so a user isn't alerted or stopped from downloading or installing potentially unwanted apps. - - In the **Windows Defender SmartScreen from Microsoft Store apps** area: + - In the **Microsoft Defender SmartScreen from Microsoft Store apps** area: - **On.** Warns users that the sites and downloads used by Microsoft Store apps are potentially dangerous but allows the action to continue. - - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. + - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. - ![Windows Security, Windows Defender SmartScreen controls](images/windows-defender-smartscreen-control-2020.png) + ![Windows Security, Microsoft Defender SmartScreen controls](images/windows-defender-smartscreen-control-2020.png) -## How Windows Defender SmartScreen works when a user tries to run an app -Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Windows Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization. +## How Microsoft Defender SmartScreen works when a user tries to run an app +Microsoft Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Microsoft Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization. -By default, users can bypass Windows Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block your employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended). +By default, users can bypass Microsoft Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block your employees from using unrecognized apps, or to entirely turn off Microsoft Defender SmartScreen (not recommended). ## How users can report websites as safe or unsafe -Windows Defender SmartScreen can be configured to warn users from going to a potentially dangerous site. Users can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11. +Microsoft Defender SmartScreen can be configured to warn users from going to a potentially dangerous site. Users can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11. **To report a website as safe from the warning message** - On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions. @@ -82,7 +82,7 @@ Windows Defender SmartScreen can be configured to warn users from going to a pot ## Related topics - [Threat protection](../index.md) -- [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md) +- [Microsoft Defender SmartScreen overview](windows-defender-smartscreen-overview.md) >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). From fc718902ee90ae5717c54db75de87de1d6960019 Mon Sep 17 00:00:00 2001 From: Jreeds001 Date: Thu, 16 Apr 2020 17:03:45 -0700 Subject: [PATCH 21/39] Update windows-defender-smartscreen-set-individual-device.md --- .../windows-defender-smartscreen-set-individual-device.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md index b0e7163ee4..dd2eb47e6c 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md @@ -24,7 +24,7 @@ ms.author: macapara Microsoft Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files. ## How users can use Windows Security to set up Microsoft Defender SmartScreen -Starting with Windows 10, version 1703, users can use Windows Security to set up Microsoft Defender SmartScreen for an individual device; unless and administrator has used Group Policy or Microsoft Intune to prevent it. +Starting with Windows 10, version 1703, users can use Windows Security to set up Microsoft Defender SmartScreen for an individual device; unless an administrator has used Group Policy or Microsoft Intune to prevent it. >[!NOTE] >If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee. From 53f3baeef6d285c955bb3f6938cae303af84a816 Mon Sep 17 00:00:00 2001 From: Obi Eze Ajoku <62227226+linque1@users.noreply.github.com> Date: Fri, 17 Apr 2020 01:56:14 -0700 Subject: [PATCH 22/39] Update windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...indows-operating-system-components-to-microsoft-services.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index eadc81def6..171740e483 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -40,7 +40,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline] >Regarding the Windows Restricted Traffic Limited Functionality Baseline, the 1903 settings (folder) are applicable to 1909 Windows >Enterprise devices. There were no additional settings required for the 1909 release. >[!Warning] ->If a user executes the **Reset this PC** command (Settings -> Update & Security -> Recovery) with the **Keep my files option** (or the **Remove Everything** option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order to re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings. +> If a user executes the **Reset this PC** command (Settings -> Update & Security -> Recovery) with the **Keep my files option** (or the **Remove Everything** option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order to re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings. To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm) @@ -1898,4 +1898,3 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx). - From bc5214eb980784895b9c5ccb196b805ccd3067fd Mon Sep 17 00:00:00 2001 From: Obi Eze Ajoku <62227226+linque1@users.noreply.github.com> Date: Fri, 17 Apr 2020 01:56:25 -0700 Subject: [PATCH 23/39] Update windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 171740e483..8bb8bf8e3c 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -39,7 +39,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline] >[!Note] >Regarding the Windows Restricted Traffic Limited Functionality Baseline, the 1903 settings (folder) are applicable to 1909 Windows >Enterprise devices. There were no additional settings required for the 1909 release. ->[!Warning] +> [!Warning] > If a user executes the **Reset this PC** command (Settings -> Update & Security -> Recovery) with the **Keep my files option** (or the **Remove Everything** option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order to re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings. To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm) From be13208188f92bef16c69a83f31be131e16ad8d6 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Fri, 17 Apr 2020 09:01:51 -0700 Subject: [PATCH 24/39] pencil edit --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 8bb8bf8e3c..6dd9518dcf 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -10,7 +10,7 @@ ms.sitesec: library ms.localizationpriority: high audience: ITPro author: medgarmedgar -ms.author: v-medgar +ms.author: robsize manager: robsize ms.collection: M365-security-compliance ms.topic: article From 8e2412b0e93fc1f8e868b7a7aebc9d16ff2c985c Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Fri, 17 Apr 2020 09:23:48 -0700 Subject: [PATCH 25/39] Remove exact retirement dates In response to Comms team feedback. Will add dates back when we know more. --- windows/deployment/update/update-compliance-monitor.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 255adfa845..102ee54ac9 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -18,9 +18,9 @@ ms.topic: article # Monitor Windows Updates with Update Compliance > [!IMPORTANT] -> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. A few retirements are planned, noted below, but are placed on hold until the current situation stabilizes. -> * As of March 31, 2020, The Windows Defender Antivirus reporting feature of Update Compliance is no longer supported and will soon be retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). -> * As of March 31, 2020, The Perspectives feature of Update Compliance is no longer supported and will soon be retired in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. +> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. A few retirements are planned, noted below, but are placed **on hold** until the current situation stabilizes. +> * The Windows Defender Antivirus reporting feature of Update Compliance will soon be retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). +> * As of March 31, 2020, The Perspectives feature of Update Compliance will soon be retired in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. ## Introduction From b922559c8c016ad26ef2cfda1b20569538db0435 Mon Sep 17 00:00:00 2001 From: pk2311 <37248711+pk2311@users.noreply.github.com> Date: Fri, 17 Apr 2020 22:37:20 +0530 Subject: [PATCH 26/39] ### Existing Enterprise deployments I have just added "caution" after the first paragraph, i am making this comment after doing testing in my customer's environment. If OOBE is automated using unatend.xml, the Firmware-embedded Windows 10 activation doesn't happen automatically, we need to manually activate and then enroll with AAD for E3 license switch to happen --- windows/deployment/windows-10-subscription-activation.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index d953b17ab2..478b92108d 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -191,6 +191,8 @@ When you have the required Azure AD subscription, group-based licensing is the p If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. +Caution: Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE(Out Of Box Experience) + If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt: From bb839997863630700744f6b93b0e74bc40c0277a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 17 Apr 2020 11:46:55 -0700 Subject: [PATCH 27/39] AIR fixes --- .../auto-investigation-action-center.md | 34 ++++++++++--------- .../manage-auto-investigation.md | 22 +++++++----- 2 files changed, 32 insertions(+), 24 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index fdb2c392fa..753419a56d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -18,7 +18,7 @@ ms.topic: article # View details and results of automated investigations -Pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) are listed in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)). +During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is configured for your organization, some actions are taken automatically. If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation. >[!NOTE] >If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation. @@ -27,12 +27,13 @@ Pending and completed [remediation actions](manage-auto-investigation.md#remedia ![Action center page](images/action-center.png) -The action center consists of two main tabs, as described in the following table. - -|Tab |Description | -|---------|---------| -|Pending actions |Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject.

**NOTE**: The Pending tab appears only if there are pending actions to be approved (or rejected). | -|History |Acts as an audit log for all of the following:
- All actions taken by automated investigation and remediation in Microsoft Defender ATP
Actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone)
- All commands ran and remediation actions that were applied in Live Response sessions (some actions can be undone)
- Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone) | +The action center consists of two main tabs: **Pending actions** and **History**. +- **Pending actions** Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. The Pending tab appears only if there are pending actions to be approved (or rejected). +- **History** Acts as an audit log for all of the following:
+ - Remediation actions that were taken as a result of an automated investigation + - Remediation actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone) + - Commands that were run and remediation actions that were applied in Live Response sessions (some actions can be undone) + - Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone) Use the **Customize columns** menu to select columns that you'd like to show or hide. @@ -70,17 +71,18 @@ An automated investigation can be have one of the following status values: |Status |Description | |---------|---------| -| No threats found | No malicious entities found during the investigation. | -| Failed | A problem has interrupted the investigation, preventing it from completing. | -| Partially remediated | A problem prevented the remediation of some malicious entities. | -| Pending action | Remediation actions require review and approval. | +| Running | The investigation process has started and is underway. Malicious artifacts that are found are remediated. | +| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for specific details. | +| No threats found | The investigation has finished and no threats were identified.
If you suspect something was missed (such as a false negative), you can use [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). | +| Pending action | The investigation has found a threat, and an action to remediate that threat is awaiting approval. The Pending Action state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to see if other items are still pending completion. | +| Remediated | The investigation finished and all actions were approved (fully remediated). | +| Partially remediated | The investigation resulted in remediation actions, and some were approved and completed. Other actions are still pending. | +| Terminated by system | The investigation stopped. An investigation can stop for several reasons:
- The investigation's pending actions expired. Pending actions can time out after awaiting approval for an extended period of time.
- There are too many actions in the list.
Visit the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) to view and approve any pending actions. | +| Failed | At least one investigation analyzer ran into a problem where it could not complete properly.

If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for detailed results. | +| Queued | An investigation is being held in a queue. When other investigations complete, queued investigations begin. | | Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. | -| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. | -| Running | Investigation ongoing. Malicious entities found will be remediated. | -| Remediated | Malicious entities found were successfully remediated. | -| Terminated by system | Investigation was stopped by the system. | | Terminated by user | A user stopped the investigation before it could complete. | -| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. | + ## View details about an automated investigation diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index a9250abb97..62199ea6b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -24,17 +24,17 @@ ms.topic: conceptual When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *Clean*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed. When a verdict of *Malicious* is reached for a piece of evidence, Microsoft Defender Advanced Threat Protection takes one of the following remediation actions automatically: -- Quarantine file -- Remove registry key -- Kill process -- Stop service -- Remove registry key -- Disable driver -- Remove scheduled task +- Quarantine a file +- Remove a registry key +- Kill a process +- Stop a service +- Remove a registry key +- Disable a driver +- Remove a scheduled task Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible. This helps your automated investigations complete in a timely manner. -No actions are taken when evidence is determined to be *Clean*. +No actions are taken when evidence is determined to be *No threats found*. In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions). @@ -61,6 +61,12 @@ In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and 4. Select an item to view more details about that remediation action. +## Next steps + +- [View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center) + +- [Get an overview of live response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/live-response) + ## Related articles - [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) From bac04464feed4ee422704ba3842bc37a47beca39 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 17 Apr 2020 11:54:26 -0700 Subject: [PATCH 28/39] Update manage-auto-investigation.md --- .../microsoft-defender-atp/manage-auto-investigation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index 62199ea6b6..f4da4cd929 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -21,7 +21,7 @@ ms.topic: conceptual ## Remediation actions -When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *Clean*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed. +When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed. When a verdict of *Malicious* is reached for a piece of evidence, Microsoft Defender Advanced Threat Protection takes one of the following remediation actions automatically: - Quarantine a file From cdd2514612eb0911ed6195264cd15044027abcbc Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 17 Apr 2020 11:56:54 -0700 Subject: [PATCH 29/39] Update manage-auto-investigation.md --- .../microsoft-defender-atp/manage-auto-investigation.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index f4da4cd929..a9c3330152 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -32,15 +32,15 @@ When a verdict of *Malicious* is reached for a piece of evidence, Microsoft Defe - Disable a driver - Remove a scheduled task -Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible. This helps your automated investigations complete in a timely manner. +Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible so that you automated investigations complete in a timely manner. -No actions are taken when evidence is determined to be *No threats found*. +No actions are taken when a verdict of *No threats found* is reached for a piece of evidence. In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions). ## Review pending actions -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. This takes you to your Security dashboard. +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard. 2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**. @@ -53,7 +53,7 @@ In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and ## Review completed actions -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. This takes you to your Security dashboard. +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard. 2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**. From dd93974f67f242862cd54352440c8462e6e50f62 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 17 Apr 2020 11:59:21 -0700 Subject: [PATCH 30/39] Acrolinx fixes --- .../auto-investigation-action-center.md | 4 ++-- .../microsoft-defender-atp/manage-auto-investigation.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index 753419a56d..dff6e8f43b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -29,7 +29,7 @@ During and after an automated investigation, certain remediation actions can be The action center consists of two main tabs: **Pending actions** and **History**. - **Pending actions** Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. The Pending tab appears only if there are pending actions to be approved (or rejected). -- **History** Acts as an audit log for all of the following:
+- **History** Acts as an audit log for all of the following items:
- Remediation actions that were taken as a result of an automated investigation - Remediation actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone) - Commands that were run and remediation actions that were applied in Live Response sessions (some actions can be undone) @@ -60,7 +60,7 @@ On the **Investigations** page, you can view details and use filters to focus on |**Status** |(See [Automated investigation status](#automated-investigation-status)) | |**Triggering alert** | The alert that initiated the automated investigation | |**Detection source** |The source of the alert that initiated the automated investigation. | -|**Entities** | These can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that you might have created. | +|**Entities** | Entities can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that you might have created. | |**Threat** |The category of threat detected during the automated investigation. | |**Tags** |Filter using manually added tags that capture the context of an automated investigation.| |**Comments** |Select between filtering the list between automated investigations that have comments and those that don't.| diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index a9c3330152..8ae4bbb815 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -46,7 +46,7 @@ In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and 3. Review any items on the **Pending** tab. - Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details. + Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details. You can also select multiple investigations to approve or reject actions on multiple investigations. From 746f5c00d195bc1aabd8c14fe0c6ae881d3d3c1f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 17 Apr 2020 12:00:42 -0700 Subject: [PATCH 31/39] Update auto-investigation-action-center.md --- .../auto-investigation-action-center.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index dff6e8f43b..bf12057c2b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -18,7 +18,9 @@ ms.topic: article # View details and results of automated investigations -During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is configured for your organization, some actions are taken automatically. If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation. +During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP) is configured for your organization, some remediation actions are taken automatically. + +If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation. >[!NOTE] >If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation. From 804093eecac99267ddabaa0d464836963ed33edf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 17 Apr 2020 12:02:01 -0700 Subject: [PATCH 32/39] Update auto-investigation-action-center.md --- .../auto-investigation-action-center.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index bf12057c2b..ed3177a88f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -61,11 +61,11 @@ On the **Investigations** page, you can view details and use filters to focus on |---------|---------| |**Status** |(See [Automated investigation status](#automated-investigation-status)) | |**Triggering alert** | The alert that initiated the automated investigation | -|**Detection source** |The source of the alert that initiated the automated investigation. | -|**Entities** | Entities can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that you might have created. | -|**Threat** |The category of threat detected during the automated investigation. | -|**Tags** |Filter using manually added tags that capture the context of an automated investigation.| -|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't.| +|**Detection source** |The source of the alert that initiated the automated investigation | +|**Entities** | Entities can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that were created. | +|**Threat** |The category of threat detected during the automated investigation | +|**Tags** |Filter using manually added tags that capture the context of an automated investigation| +|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't| ## Automated investigation status From 0525248210e71a2fdf198583f15f10b29d546073 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 17 Apr 2020 12:02:26 -0700 Subject: [PATCH 33/39] Update auto-investigation-action-center.md --- .../microsoft-defender-atp/auto-investigation-action-center.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index ed3177a88f..a63a18d41e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -69,7 +69,7 @@ On the **Investigations** page, you can view details and use filters to focus on ## Automated investigation status -An automated investigation can be have one of the following status values: +An automated investigation can have one of the following status values: |Status |Description | |---------|---------| From 22e8f670f28dd7ac00bdad26548f5365f50cc62d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 17 Apr 2020 12:03:25 -0700 Subject: [PATCH 34/39] Update auto-investigation-action-center.md --- .../auto-investigation-action-center.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index a63a18d41e..f01105729e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -96,7 +96,7 @@ In this view, you'll see the name of the investigation, when it started and ende ### Investigation graph -The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information. +The investigation graph provides a graphical representation of an automated investigation. All investigation-related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information. A progress ring shows two status indicators: - Orange ring - shows the pending portion of the investigation @@ -112,7 +112,7 @@ From this view, you can also view and add comments and tags about the investigat ### Alerts -The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to. +The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned. Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing. From 349e7089afa80eefdc3ae6aa6bff2243ff5d8ebd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 17 Apr 2020 12:04:22 -0700 Subject: [PATCH 35/39] Update auto-investigation-action-center.md --- .../auto-investigation-action-center.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index f01105729e..eceb1d2833 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -128,7 +128,7 @@ Machines that show the same threat can be added to an ongoing investigation and Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users. -Clicking on an machine name brings you the machine page. +Clicking on a machine name brings you the machine page. ### Evidence @@ -150,7 +150,7 @@ You can also click on an action to bring up the details pane where you'll see in ### Pending actions -If there are pending actions on an automated investigation, you'll see a pop up similar to the following image. +If there are pending actions on an automated investigation, you'll see a pop-up similar to the following image. ![Image of pending actions](images/pending-actions.png) From fc8bda7dd4318f9ea4be91117ba188131b06c0eb Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 17 Apr 2020 13:14:25 -0700 Subject: [PATCH 36/39] remove wip --- .openpublishing.redirection.json | 5 + .../how-wip-works-with-labels.md | 122 ------------------ 2 files changed, 5 insertions(+), 122 deletions(-) delete mode 100644 windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 3b8c2ce3db..066d1d1e75 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -86,6 +86,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md", +"redirect_url": "https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip", +"redirect_document_id": false +}, +{ "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md", "redirect_url": "https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure", "redirect_document_id": false diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md deleted file mode 100644 index 684b78d8e2..0000000000 --- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md +++ /dev/null @@ -1,122 +0,0 @@ ---- -title: How Windows Information Protection (WIP) protects files with a sensitivity label (Windows 10) -description: Explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label. -keywords: sensitivity, labels, WIP, Windows Information Protection, EDP, Enterprise Data Protection -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dulcemontemayor -ms.author: dansimp -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 04/30/2019 -ms.reviewer: ---- - -# How Windows Information Protection (WIP) protects a file that has a sensitivity label - -**Applies to:** - -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows 10, version 1903 -- Windows 10, version 1809 - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label. -Microsoft information protection technologies work together as an integrated solution to help enterprises: - -- Discover corporate data on endpoint devices -- Classify and label information based on its content and context -- Protect corporate data from unintentionally leaving to non-business environments -- Enable audit reports of user interactions with corporate data on endpoint devices - -Microsoft information protection technologies include: - -- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP. - -- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services. - -- [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) is a cloud access security broker (CASB) solution that allows you to discover, classify, protect, and monitor user data in first-party and third-party Software-as-a-Service (SaaS) apps used by your organization. - -## How WIP protects sensitivity labels with endpoint data loss prevention - -You can create and manage [sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) in the Microsoft 365 compliance center. -When you [create a sensitivity label](https://docs.microsoft.com/microsoft-365/compliance/create-sensitivity-labels), you can specify that endpoint data loss prevention applies to content with that label. - -![Endpoint data loss prevention](images/sensitivity-label-endpoint-dlp.png) - -Office app users can choose a sensitivity label from a menu and apply it to a file. - -![Sensitivity labels](images/sensitivity-labels.png) - -WIP enforces default endpoint protection as follows: - -- If endpoint data loss prevention is enabled, the device enforces work protection for any file with the label -- If endpoint data loss prevention is not enabled: - - The device enforces work protection to a file downloaded from a work site - - The device does not enforce work protection to a file downloaded from a personal site - -Here's an example where a file remains protected without any work context beyond the sensitivity label: - -1. Sara creates a PDF file on a Mac and labels it as **Confidential**. -1. She emails the PDF from her Gmail account to Laura. -1. Laura opens the PDF file on her Windows 10 device. -1. Windows Defender Advanced Threat Protection (Windows Defender ATP) scans Windows 10 for any file that gets modified or created, including files that were created on a personal site. -1. Windows Defender ATP triggers WIP policy. -1. WIP policy protects the file even though it came from a personal site. - -## How WIP protects automatically classified files - -The next sections cover how Windows Defender ATP extends discovery and protection of sensitive information with improvements in Windows 10 version 1903. - -### Discovery - -Windows Defender ATP can extract the content of the file itself and evaluate whether it contains sensitive information types such as credit card numbers or employee ID numbers. -When you create a sensitivity label, you can specify that the label be added to any file that contains a sensitive information type. - -![Sensitivity labels](images/sensitivity-label-auto-label.png) - -A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver's license numbers, and so on. -You can also [create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type), which can include any keyword or expression that you want to evaluate. - -### Protection - -When a file is created or edited on a Windows 10 endpoint, Windows Defender ATP extracts the content and evaluates if it contains any default or custom sensitive information types that have been defined. -If the file has a match, Windows Defender ATP applies endpoint data loss prevention even if the file had no label previously. - -Windows Defender ATP is integrated with Azure Information Protection for data discovery and reports sensitive information types that were discovered. -Azure Information Protection aggregates the files with sensitivity labels and the sensitive information types they contain across the enterprise. - -![Image of Azure Information Protection - Data discovery](images/azure-data-discovery.png) - -You can see sensitive information types in Microsoft 365 compliance under **Classifications**. Default sensitive information types have Microsoft as the publisher. The publisher for custom types is the tenant name. - -![Sensitive information types](images/sensitive-info-types.png) - ->[!NOTE] ->Automatic classification does not change the file itself, but it applies protection based on the label. ->WIP protects a file that contains a sensitive information type as a work file. ->Azure Information Protection works differently in that it extends a file with a new attribute so the protection persists if the file is copied. - -## Prerequisites - -- Endpoint data loss prevention requires Windows 10, version 1809 -- Auto labelling requires Windows 10, version 1903 -- Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy -- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center -- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-configmgr.md) - - - - - - - - - From 7e4ea2c73aa4e800d8671ba946ef1e7804b96ffc Mon Sep 17 00:00:00 2001 From: mapalko Date: Fri, 17 Apr 2020 14:04:42 -0700 Subject: [PATCH 37/39] minor edits in repsonse to mlindgren feedback --- .../hello-manage-in-organization.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index 0656bcd49c..18f6f3dbf0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -83,6 +83,10 @@ The following table lists the Group Policy settings that you can configure for W

Not configured: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.

Enabled: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.

Disabled: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.

+

+ +For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md). +

@@ -218,7 +222,7 @@ The following table lists the MDM policy settings that you can configure for Win -Exclude Security Device +ExcludeSecurityDevice TPM12 Device False @@ -237,6 +241,10 @@ The following table lists the MDM policy settings that you can configure for Win

Added in Windows 10, version 1703

True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.

False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.

+

+ +For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md). +

@@ -272,9 +280,9 @@ The following table lists the MDM policy settings that you can configure for Win Device or user 1 -

0: Numbers are allowed.

-

1: At least one number is required.

-

2: Numbers are not allowed.

+

0: Digits are allowed.

+

1: At least one digit is required.

+

2: Digits are not allowed.

From c55560820f22d8bbad3c15d4f2070feb0db514a9 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 17 Apr 2020 16:34:57 -0700 Subject: [PATCH 38/39] Tidied a cross reference --- .../create-change-request-enterprise-mode-portal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md index 8f33595d7e..867bb143b8 100644 --- a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md +++ b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md @@ -70,4 +70,4 @@ Employees assigned to the Requester role can create a change request. A change r - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator. ## Next steps -After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic. +After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md). From 860e752cbc5589a2ee8bb8d707a4bccfccc7e549 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 17 Apr 2020 16:35:40 -0700 Subject: [PATCH 39/39] Tidied a cross reference --- .../create-change-request-enterprise-mode-portal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md index 6c1a210e27..278408ab38 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md @@ -72,4 +72,4 @@ Employees assigned to the Requester role can create a change request. A change r ## Next steps -After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic. +After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md).