diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index b82d427482..d0cb5eb932 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 02/16/2018 +ms.date: 03/06/2018 ms.localizationpriority: medium --- @@ -16,6 +16,12 @@ ms.localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## March 2018 + +New or changed topic | Description +--- | --- +[Create and test a device account (Surface Hub)](create-and-test-a-device-account-surface-hub.md) | Added section for account verification and testing, with link to new Surface Hub Hardware Diagnostic app. + ## February 2018 New or changed topic | Description diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md index 470db2937e..cc5d233b08 100644 --- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md +++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 07/27/2017 +ms.date: 03/06/2018 ms.localizationpriority: medium --- 
@@ -57,7 +57,9 @@ For detailed steps using PowerShell to provision a device account, choose an opt If you prefer to use a graphical user interface (UI), some steps can be done using UI instead of PowerShell. For more information, see [Creating a device account using UI](create-a-device-account-using-office-365.md). +## Account verification and testing +There are two methods available that you can use to validate and test a Surface Hub device account: [account verifications scripts](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts) and the [Surface Hub Hardware Diagnostic app](https://www.microsoft.com/store/apps/9nblggh51f2g). The account verification script will validate a previously-created device account using PowerShell from your desktop. The Surface Hub Hardware Diagnostic app is installed on your Surface Hub and provides detailed feedback about signin and communication failures. Both are valuable tools to test newly created device accounts and should be used to ensure optimal account availability.   diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index 7e530429bf..735c1a071f 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -147,7 +147,7 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | | --- | --- | --- |---- | --- | --- | -| Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes | +| Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes | No | Yes | | Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. diff --git a/education/index.md b/education/index.md index 386a59f34f..3e75f1c5ee 100644 --- a/education/index.md +++ b/education/index.md @@ -4,6 +4,7 @@ hide_bc: true title: Microsoft 365 Education documentation and resources | Microsoft Docs description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. author: CelesteDG +ms.topic: hub-page ms.author: celested ms.date: 10/30/2017 --- @@ -696,4 +697,4 @@ ms.date: 10/30/2017 - \ No newline at end of file + diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index e7ed3131c8..1f6269d889 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 02/02/2018 +ms.date: 03/02/2018 --- # Configuration service provider reference @@ -1127,6 +1127,34 @@ Footnotes: + +[eUICCs CSP](euiccs-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark3check mark3check mark3check mark3check mark3check mark3
+ + + + [FileSystem CSP](filesystem-csp.md) diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 5062ee119e..2ad3ca1434 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -7,11 +7,15 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/22/2017 +ms.date: 03/01/2018 --- # EnterpriseModernAppManagement CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md). > [!Note] 
@@ -359,6 +363,20 @@ The following image shows the EnterpriseModernAppManagement configuration servic ``` +**.../*PackageFamilyName*/MaintainProcessorArchitectureOnUpdate** +Added in Windows 10, version 1803. Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + +Supported operations are Add, Get, Delete, and Replace. Value type is integer. + +Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). + +|Applicability Setting |CSP state |Result | +|---------|---------|---------| +|True |Not configured |X86 flavor is picked | +|True |Enabled |X86 flavor is picked | +|True |Disabled |X86 flavor is picked | +|False (not set) |Not configured |X64 flavor is picked | + **AppInstallation**

Required node. Used to perform app installation. diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index 335ebd258e..7c3c1c855b 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md 
@@ -7,899 +7,928 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 12/05/2017 +ms.date: 03/01/2018 --- # EnterpriseModernAppManagement DDF + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **EnterpriseModernAppManagement** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1803. ``` syntax ]> + "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd" + []> - 1.2 - + 1.2 + EnterpriseModernAppManagement ./Vendor/MSFT - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + - AppManagement + AppManagement + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + EnterpriseID + + + + + + + + + + + + + + + + + + + + PackageFamilyName + + + + + - - - - - - - - - - - - - - - EnterpriseID - - - + + + + + + + + + + + + + + + PackageFullName + + + - - - - - - - - - - - - - - - - - PackageFamilyName - - - - - - - - - - - - - - - - - - - - - - PackageFullName - - - - - - Name - - - - - - - - - - - - - - - text/plain - - - - - Version - - - - - - - - - - - - - - - text/plain - - - - - Publisher - - - - - - - - - - - - - - - text/plain - - - - - Architecture - - - - - - - - - - - - - - - text/plain - - - - - InstallLocation - - - - - - - - - - - - - - - text/plain - - - - - IsFramework - - - - - - - - - - - - - - - text/plain - - - - - IsBundle - - - - - - - - - - - - - - - text/plain - - - - - InstallDate - - - - - - - - - - - - - - - text/plain - - - - - ResourceID - - - - - - - - - - - - 
- - - text/plain - - - - - PackageStatus - - - - - - - - - - - - - - - text/plain - - - - - RequiresReinstall - - - - - - - - - - - - - - - text/plain - - - - - Users - - - - - - - - - - - - - - - text/plain - - - - - IsProvisioned - - - - - - - - - - - - - - - text/plain - - - - - - DoNotUpdate - - - - - - - - - - - - - - - - - DoNotUpdate - - text/plain - - - - - AppSettingPolicy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SettingValue - - text/plain - - - - + Name + + + + + + + + + + + + + + + text/plain + + - - - UpdateScan - + + Version + - + - + - + - + - text/plain + text/plain - - - - LastScanError - + + + + Publisher + - + - + - + - + - text/plain + text/plain - - - - AppInventoryResults - + + + + Architecture + - + - + - + - + - text/plain + text/plain - - - - AppInventoryQuery - + + + + InstallLocation + - - + - + - + - + - text/plain + text/plain - - - - RemovePackage - + + + + IsFramework + - + - + - + - + - text/plain + text/plain + + + + IsBundle + + + + + + + + + + + + + + + text/plain + + + + + InstallDate + + + + + + + + + + + + + + + text/plain + + + + + ResourceID + + + + + + + + + + + + + + + text/plain + + + + + PackageStatus + + + + + + + + + + + + + + + text/plain + + + + + RequiresReinstall + + + + + + + + + + + + + + + text/plain + + + + + Users + + + + + + + + + + + + + + + text/plain + + + + + IsProvisioned + + + + + + + + + + + + + + + text/plain + + + + + + DoNotUpdate + + + + + + + + + + + + + + + + + DoNotUpdate + + text/plain + + + + AppSettingPolicy + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SettingValue + + text/plain + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + + + + + + + + + + + + + MaintainProcessorArchitectureOnUpdate + + text/plain + + + + + + UpdateScan + + + + + + + + + + + + + + + text/plain + + + + + LastScanError + + + + + + + + + + + + + + + text/plain + + + + + AppInventoryResults + + + + + + + + + + + + + + + text/plain + + + + + 
AppInventoryQuery + + + + + + + + + + + + + + + + text/plain + + + + + RemovePackage + + + + + + + + + + + + + + + + text/plain + + + - AppInstallation + AppInstallation + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + PackageFamilyName + + + - - - - - - - - - - - - - - - - - - PackageFamilyName - - - - - - StoreInstall - - - - - - - - - - - - - - - - - - text/plain - - - - - HostedInstall - - - - - - - - - - - - - - - - - - text/plain - - - - - LastError - - - - - - - - - - - - - - - text/plain - - - - - LastErrorDesc - - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - ProgressStatus - - - - - - - - - - - - - - - text/plain - - - + StoreInstall + + + + + + + + + + + + + + + + + + text/plain + + + + HostedInstall + + + + + + + + + + + + + + + + + + text/plain + + + + + LastError + + + + + + + + + + + + + + + text/plain + + + + + LastErrorDesc + + + + + + + + + + + + + + + text/plain + + + + + Status + + + + + + + + + + + + + + + text/plain + + + + + ProgressStatus + + + + + + + + + + + + + + + text/plain + + + + - AppLicenses + AppLicenses + + + + + + + + + + + + + + + + + + + StoreLicenses - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + - StoreLicenses + + + + + + + + + + + + + + + + + LicenseID + + + + + + LicenseCategory - - - - - - - - - - - - - - - + + + + + + + + + + + + + + text/plain + - - - - - - - - - - - - - - - - - - LicenseID - - - - - - LicenseCategory - - - - - - - - - - - - - - - text/plain - - - - - LicenseUsage - - - - - - - - - - - - - - - text/plain - - - - - RequesterID - - - - - - - - - - - - - - - text/plain - - - - - AddLicense - - - - - - - - - - - - - - - text/plain - - - - - GetLicenseFromStore - - - - - - - - - - - - - - - text/plain - - - - + + + LicenseUsage + + + + + + + + + + + + + + + text/plain + + + + + RequesterID + + + + + + + + + + + + + + + text/plain + + + + + AddLicense + + + + + + + + + + + + + + + 
text/plain + + + + + GetLicenseFromStore + + + + + + + + + + + + + + + text/plain + + + + - + ``` diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index ed10ebe33c..eb5f1186ce 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/15/2017 +ms.date: 03/02/2018 --- # eUICCs CSP @@ -61,6 +61,11 @@ Required. Current state of the profile (Installing = 1, Installed = 2, Deleting Supported operation is Get. Value type is integer. Default value is 1. +**_eUICC_/Profiles/_ICCID_/IsEnabled** +Added in Windows 10, version 1803. Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created to enable the profile once it’s successfully downloaded and installed on the device. Can also be queried and updated by the CSP. + +Supported operations are Add, Get, and Replace. Value type is bool. + **_eUICC_/Policies** Interior node. Required. Device policies associated with the eUICC as a whole (not per-profile). diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index caa165bd48..06be1ba347 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 12/05/2017 +ms.date: 03/02/2018 --- # eUICCs DDF file @@ -17,6 +17,8 @@ This topic shows the OMA DM device description framework (DDF) for the **eUICCs* Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). +The XML below if for Windows 10, version 1803. + ``` syntax 1.2 eUICCs - ./Vendor/MSFT + ./Device/Vendor/MSFT 
@@ -45,7 +47,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - com.microsoft/1.0/MDM/eUICCs + com.microsoft/1.1/MDM/eUICCs @@ -229,6 +231,29 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic + + IsEnabled + + + + + + + Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created. Can also be queried and updated by the CSP. + + + + + + + + + + + text/plain + + + diff --git a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png index b834990924..a28f41fe6a 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png and b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-euiccs.png b/windows/client-management/mdm/images/provisioning-csp-euiccs.png index a4c67a8b7e..387fdae3fb 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-euiccs.png and b/windows/client-management/mdm/images/provisioning-csp-euiccs.png differ diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 46bd55a93f..62bdf664f0 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 02/26/2018 +ms.date: 03/03/2018 --- # What's new in MDM enrollment and management @@ -1389,6 +1389,38 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### March 2018 + + ++++ + + + + + + + + + + + + + + +
New or updated topicDescription
[eUICCs CSP](euiccs-csp.md)

Added the following node in Windows 10, version 1803:

+
    +
  • IsEnabled
  • +
+
[Understanding ADMX-backed policies](understanding-admx-backed-policies.md)

Added the following videos:

+
    +
  • [How to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune](https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121)
  • +
  • [How to import a custom ADMX file to a device using Intune](https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73)
  • +
+
+ ### February 2018 @@ -1440,6 +1472,13 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware + + +
[MultiSIM CSP](multisim-csp.md)

Added a new CSP in Windows 10, version 1803.

[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)

Added the following node in Windows 10, version 1803:

+
    +
  • MaintainProcessorArchitectureOnUpdate
  • +
+
@@ -1575,6 +1614,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware

Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.

+[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) +

Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.

+ + [DMClient CSP](dmclient-csp.md)

Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:

+ +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchEveryWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
@@ -2266,6 +2551,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchFirstWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
@@ -2313,6 +2607,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *ScheduledInstallFourthWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
@@ -2360,6 +2663,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *ScheduledInstallSecondWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
@@ -2407,6 +2719,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *ScheduledInstallThirdWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
@@ -2462,6 +2783,15 @@ Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchTime* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
@@ -2505,6 +2835,15 @@ The default value is 3. Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. + +ADMX Info: +- GP English name: *Turn off auto-restart notifications for update installations* +- GP name: *AutoRestartNotificationDisable* +- GP element: *AutoRestartNotificationSchd* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -2555,6 +2894,14 @@ The following list shows the supported values: Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. + +ADMX Info: +- GP English name: *Update Power Policy for Cart Restarts* +- GP name: *SetEDURestart* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -2610,6 +2957,15 @@ Allows the device to check for updates from a WSUS server instead of Microsoft U Supported operations are Get and Replace. + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP element: *CorpWUURL_Name* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -2691,6 +3047,15 @@ Value type is string and the default value is an empty string, "". If the settin > This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP element: *CorpWUContentHost_Name* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index b091456af0..6e52bc893b 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/05/2018 --- # Policy CSP - UserRights @@ -152,6 +152,12 @@ ms.date: 01/30/2018 This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. + +GP Info: +- GP English name: *Access Credential Manager ase a trusted caller* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -195,6 +201,12 @@ This user right is used by Credential Manager during Backup/Restore. No accounts This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. + +GP Info: +- GP English name: *Access this computer from the network* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -238,6 +250,12 @@ This user right determines which users and groups are allowed to connect to the This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. + +GP Info: +- GP English name: *Act as part of the operating system* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -281,6 +299,12 @@ This user right allows a process to impersonate any user without authentication. This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. + +GP Info: +- GP English name: *Allow log on locally* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -324,6 +348,12 @@ This user right determines which users can log on to the computer. Note: Modifyi This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users + +GP Info: +- GP English name: *Back up files and directories* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -367,6 +397,12 @@ This user right determines which users can bypass file, directory, registry, and This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. + +GP Info: +- GP English name: *Change the system time* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -410,6 +446,12 @@ This user right determines which users and groups can change the time and date o This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. + +GP Info: +- GP English name: *Create global objects* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -453,6 +495,12 @@ This security setting determines whether users can create global objects that ar This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users + +GP Info: +- GP English name: *Create a pagefile* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -496,6 +544,12 @@ This user right determines which users and groups can call an internal applicati This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. + +GP Info: +- GP English name: *Create permanent shared objects* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -539,6 +593,12 @@ This user right determines which accounts can be used by processes to create a d This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. + +GP Info: +- GP English name: *Create symbolic links* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -582,6 +642,12 @@ This user right determines if the user can create a symbolic link from the compu This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. + +GP Info: +- GP English name: *Create a token object* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -625,6 +691,12 @@ This user right determines which accounts can be used by processes to create a t This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. + +GP Info: +- GP English name: *Debug programs* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -668,6 +740,12 @@ This user right determines which users can attach a debugger to any process or t This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. + +GP Info: +- GP English name: *Deny access to this computer from the network* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -711,6 +789,12 @@ This user right determines which users are prevented from accessing a computer o This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts. + +GP Info: +- GP English name: *Deny log on as a service* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -754,6 +838,12 @@ This security setting determines which service accounts are prevented from regis This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client. + +GP Info: +- GP English name: *Deny log on through Remote Desktop Services* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -797,6 +887,12 @@ This user right determines which users and groups are prohibited from logging on This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. + +GP Info: +- GP English name: *Enable computer and user accounts to be trusted for delegation* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -840,6 +936,12 @@ This user right determines which users can set the Trusted for Delegation settin This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled. + +GP Info: +- GP English name: *Generate security audits* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -887,6 +989,12 @@ Assigning this user right to a user allows programs running on behalf of that us Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. + +GP Info: +- GP English name: *Impersonate a client after authentication* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -930,6 +1038,12 @@ Because of these factors, users do not usually need this user right. Warning: If This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. + +GP Info: +- GP English name: *Increase scheduling priority* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -973,6 +1087,12 @@ This user right determines which accounts can use a process with Write Property This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. + +GP Info: +- GP English name: *Load and unload device drivers* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -1016,6 +1136,12 @@ This user right determines which users can dynamically load and unload device dr This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). + +GP Info: +- GP English name: *Lock pages in memory* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -1059,6 +1185,12 @@ This user right determines which accounts can use a process to keep data in phys This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log. + +GP Info: +- GP English name: *Manage auditing and security log* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -1102,6 +1234,12 @@ This user right determines which users can specify object access auditing option This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. + +GP Info: +- GP English name: *Perform volume maintenance tasks* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -1145,6 +1283,12 @@ This user right determines which users and groups can run maintenance tasks on a This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. + +GP Info: +- GP English name: *Modify firmware environment values* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -1188,6 +1332,12 @@ This user right determines who can modify firmware environment values. Firmware This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. + +GP Info: +- GP English name: *Modify an object label* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -1231,6 +1381,12 @@ This user right determines which user accounts can modify the integrity label of This user right determines which users can use performance monitoring tools to monitor the performance of system processes. + +GP Info: +- GP English name: *Profile single process* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
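Review bot: The added GP English name *Profile single process* does not match the description in the context line above it, which says the right covers tools that "monitor the performance of system processes". In Windows that wording belongs to *Profile system performance*, while *Profile single process* covers non-system processes. Confirm which user right this section documents and correct either the description or the name, since an administrator who assigns the right by its GP name would grant a different privilege than the text describes.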
@@ -1274,6 +1430,12 @@ This user right determines which users can use performance monitoring tools to m This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. + +GP Info: +- GP English name: *Force shutdown from a remote system* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -1317,6 +1479,12 @@ This user right determines which users are allowed to shut down a computer from This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. + +GP Info: +- GP English name: *Restore files and directories* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -1360,6 +1528,12 @@ This user right determines which users can bypass file, directory, registry, and This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. + +GP Info: +- GP English name: *Take ownership of files or other objects* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 8fa7a54082..f4e3dbae88 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/05/2018 --- # Policy CSP - Wifi @@ -97,6 +97,14 @@ Allow or disallow the device to automatically connect to Wi-Fi hotspots. Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services* +- GP name: *WiFiSense* +- GP path: *Network/WLAN Service/WLAN Settings* +- GP ADMX file name: *wlansvc.admx* + + The following list shows the supported values: @@ -149,6 +157,14 @@ Allow or disallow internet sharing. Most restricted value is 0. + +ADMX Info: +- GP English name: *Prohibit use of Internet Connection Sharing on your DNS domain network* +- GP name: *NC_ShowSharedAccessUI* +- GP path: *Network/Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + The following list shows the supported values: diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 56be2210b2..8329d11f77 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/05/2018 --- # Policy CSP - WindowsDefenderSecurityCenter 
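Review bot: In the policy-csp-wifi.md hunk at -149,6 +157,14, the added GP English name is phrased as a prohibition (*Prohibit use of Internet Connection Sharing on your DNS domain network*), while the surrounding text describes an allow setting ("Allow or disallow internet sharing. Most restricted value is 0."). Add a sentence stating which Group Policy state corresponds to which MDM value, otherwise a reader mapping an existing GPO to this CSP can easily configure the opposite of what they intend.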
@@ -124,6 +124,15 @@ Added in Windows 10, version 1709. The company name that is displayed to the use Value type is string. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Specify contact company name* +- GP name: *EnterpriseCustomization_CompanyName* +- GP element: *Presentation_EnterpriseCustomization_CompanyName* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + +
@@ -167,6 +176,14 @@ Value type is string. Supported operations are Add, Get, Replace and Delete. Added in Windows 10, next major release. Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. + +ADMX Info: +- GP English name: *Hide the Account protection area* +- GP name: *AccountProtection_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Account protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + Valid values: @@ -219,6 +236,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide the App and browser protection area* +- GP name: *AppBrowserProtection_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/App and browser protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -269,6 +294,14 @@ The following list shows the supported values: Added in Windows 10, next major release. Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. + +ADMX Info: +- GP English name: *Hide the Device security area* +- GP name: *DeviceSecurity_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Device security* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + Valid values: 
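Review bot: The Account protection and Device security sections touched here still open with the placeholder "Added in Windows 10, next major release." in their context lines, while other settings in this same file are documented as "Added in Windows 10, version 1803." Since these hunks edit both sections and ms.date is bumped, replace the placeholder with the actual version number so readers can tell which builds honor the policy. The same context lines spell the product as "Windows defender Security Center"; that capitalization is worth fixing in the same pass.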
@@ -324,6 +357,14 @@ Added in Windows 10, version 1709. Use this policy if you want Windows Defender Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide non-critical notifications* +- GP name: *Notifications_DisableEnhancedNotifications* +- GP path: *Windows Components/Windows Defender Security Center/Notifications* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -376,6 +417,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide the Family options area* +- GP name: *FamilyOptions_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Family options* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -428,6 +477,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide the Device performance and health area* +- GP name: *DevicePerformanceHealth_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Device performance and health* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: 
@@ -480,6 +537,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide the Firewall and network protection area* +- GP name: *FirewallNetworkProtection_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Firewall and network protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -532,6 +597,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide all notifications* +- GP name: *Notifications_DisableNotifications* +- GP path: *Windows Components/Windows Defender Security Center/Notifications* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -584,6 +657,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide the Virus and threat protection area* +- GP name: *VirusThreatProtection_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Virus and threat protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: 
@@ -636,6 +717,14 @@ Added in Windows 10, version 1709. Prevent users from making changes to the expl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Prevent users from modifying settings* +- GP name: *AppBrowserProtection_DisallowExploitProtectionOverride* +- GP path: *Windows Components/Windows Defender Security Center/App and browser protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -688,6 +777,15 @@ Added in Windows 10, version 1709. The email address that is displayed to users. Value type is string. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Specify contact email address or Email ID* +- GP name: *EnterpriseCustomization_Email* +- GP element: *Presentation_EnterpriseCustomization_Email* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + +
@@ -733,6 +831,14 @@ Added in Windows 10, version 1709. Enable this policy to display your company na Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +ADMX Info: +- GP English name: *Configure customized notifications* +- GP name: *EnterpriseCustomization_EnableCustomizedToasts* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -785,6 +891,14 @@ Added in Windows 10, version 1709. Enable this policy to have your company name Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +ADMX Info: +- GP English name: *Configure customized contact information* +- GP name: *EnterpriseCustomization_EnableInAppCustomization* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -835,6 +949,14 @@ The following list shows the supported values: Added in Windows 10, version 1803. Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center. + +ADMX Info: +- GP English name: *Hide the Ransomware data recovery area* +- GP name: *VirusThreatProtection_HideRansomwareRecovery* +- GP path: *Windows Components/Windows Defender Security Center/Virus and threat protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + Valid values: @@ -885,6 +1007,14 @@ Valid values: Added in Windows 10, version 1803. Use this policy to hide the Secure boot area in the Windows Defender Security Center. + +ADMX Info: +- GP English name: *Hide the Secure boot area* +- GP name: *DeviceSecurity_HideSecureBoot* +- GP path: *Windows Components/Windows Defender Security Center/Device security* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + Valid values: 
@@ -935,6 +1065,14 @@ Valid values: Added in Windows 10, version 1803. Use this policy to hide the Security processor (TPM) troubleshooting area in the Windows Defender Security Center. + +ADMX Info: +- GP English name: *Hide the Security processor (TPM) troubleshooter page* +- GP name: *DeviceSecurity_HideTPMTroubleshooting* +- GP path: *Windows Components/Windows Defender Security Center/Device security* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + Valid values: @@ -987,6 +1125,15 @@ Added in Windows 10, version 1709. The phone number or Skype ID that is displaye Value type is string. Supported operations are Add, Get, Replace, and Delete. + +ADMX Info: +- GP English name: *Specify contact phone number or Skype ID* +- GP name: *EnterpriseCustomization_Phone* +- GP element: *Presentation_EnterpriseCustomization_Phone* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + +
@@ -1032,6 +1179,15 @@ Added in Windows 10, version 1709. The help portal URL this is displayed to user Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete. + +ADMX Info: +- GP English name: *Specify contact website* +- GP name: *EnterpriseCustomization_URL* +- GP element: *Presentation_EnterpriseCustomization_URL* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + +
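Review bot: The context line directly above the added ADMX Info block reads "Value type is Value type is string.", and the description before it reads "The help portal URL this is displayed to user". Both are pre-existing typos, but this hunk edits the same section, so remove the duplicated phrase and change "this is" to "that is" here rather than leaving them for a later pass.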
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index 0b0a6104d4..3549c95e06 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/05/2018 --- # Policy CSP - WindowsInkWorkspace @@ -69,6 +69,14 @@ ms.date: 01/30/2018 Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace. + +ADMX Info: +- GP English name: *Allow suggested apps in Windows Ink Workspace* +- GP name: *AllowSuggestedAppsInWindowsInkWorkspace* +- GP path: *Windows Components/Windows Ink Workspace* +- GP ADMX file name: *WindowsInkWorkspace.admx* + + The following list shows the supported values: @@ -119,6 +127,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace. + +ADMX Info: +- GP English name: *Allow Windows Ink Workspace* +- GP name: *AllowWindowsInkWorkspace* +- GP element: *AllowWindowsInkWorkspaceDropdown* +- GP path: *Windows Components/Windows Ink Workspace* +- GP ADMX file name: *WindowsInkWorkspace.admx* + + Value type is int. The following list shows the supported values: diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 513b783cee..cc10b25f2c 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/05/2018 --- # Policy CSP - WindowsLogon 
@@ -83,14 +83,14 @@ If you disable or do not configure this policy setting, users can choose which a > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off app notifications on the lock screen* - GP name: *DisableLockScreenAppNotifications* - GP path: *System/Logon* - GP ADMX file name: *logon.admx* - +
@@ -145,14 +145,14 @@ If you disable or don't configure this policy setting, any user can disconnect t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Do not display network selection UI* - GP name: *DontDisplayNetworkSelectionUI* - GP path: *System/Logon* - GP ADMX file name: *logon.admx* - +
@@ -196,6 +196,14 @@ ADMX Info: Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. + +ADMX Info: +- GP English name: *Hide entry points for Fast User Switching* +- GP name: *HideFastUserSwitching* +- GP path: *System/Logon* +- GP ADMX file name: *Logon.admx* + + The following list shows the supported values: diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 5830a05aa4..9e122a3f3f 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/05/2018 --- # Policy CSP - WirelessDisplay @@ -291,6 +291,14 @@ If you set it to 0 (zero), your PC is not discoverable and you cannot project to Value type is integer. + +ADMX Info: +- GP English name: *Don't allow this PC to be projected to* +- GP name: *AllowProjectionToPC* +- GP path: *Windows Components/Connect* +- GP ADMX file name: *WirelessDisplay.admx* + + The following list shows the supported values: @@ -422,6 +430,14 @@ If you turn this on, the pairing ceremony for new devices will always require a Value type is integer. + +ADMX Info: +- GP English name: *Require pin for pairing* +- GP name: *RequirePinForPairing* +- GP path: *Windows Components/Connect* +- GP ADMX file name: *WirelessDisplay.admx* + + The following list shows the supported values: 
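Review bot: In the policy-csp-windowslogon.md hunk at -196,6 +196,14, the added line "GP ADMX file name: *Logon.admx*" uses a capital L, while the two existing ADMX Info blocks in the same file give the name as *logon.admx*. Use one spelling throughout the file so that a search or script matching on the ADMX file name finds all three policies.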
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index f88849e2b1..6e079fbf78 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/11/2017 +ms.date: 03/02/2018 --- # Understanding ADMX-backed policies 
@@ -47,6 +47,14 @@ An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policy Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#admx-backed-policies). +Here is a video of how to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune. + + + +Here is a video of how to import a custom ADMX file to a device using Intune. + + + ## ADMX files and the Group Policy Editor To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX-backed Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named “Publishing Server 2 Settings.” When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**. diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index d933b0bc8f..4c5d461287 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md 
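Review bot: The two added sentences in understanding-admx-backed-policies.md ("Here is a video of how to ...") are followed only by empty added lines in this view, so the text announces videos without a visible title or link. Put a plain Markdown link or the video title next to each sentence so the reference survives wherever the embed does not render, and write "XML" consistently (the first sentence has both "custom xml" and "the XML").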
@@ -73,7 +73,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate ![enter settings for first app](../images/wcd-app-commands.png) -### Add a universal app to your package +## Add a universal app to your package Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Microsoft Store for Business apps that you acquire with [offline licensing](/microsoft-store/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Microsoft Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. @@ -108,7 +108,7 @@ Universal apps that you can distribute in the provisioning package can be line-o -### Add a certificate to your package +## Add a certificate to your package 1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. @@ -123,11 +123,11 @@ Universal apps that you can distribute in the provisioning package can be line-o 5. For **KeyLocation**, select **Software only**. -### Add other settings to your package +## Add other settings to your package For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). -### Build your package +## Build your package 1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index c2d63ceca8..df889e6bbf 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md 
@@ -224,6 +224,7 @@ ### [Manage device restarts after updates](update/waas-restart.md) ### [Manage additional Windows Update settings](update/waas-wu-settings.md) ### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) +#### [Introduction to the Windows Insider Program for Business](update/WIP4Biz-intro.md) #### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md) #### [Olympia Corp enrollment](update/olympia/olympia-enrollment-guidelines.md) ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md) diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md new file mode 100644 index 0000000000..08b8659f6e --- /dev/null +++ b/windows/deployment/update/WIP4Biz-intro.md 
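Review bot: The new TOC entry points at update/WIP4Biz-intro.md, a mixed-case file name, while every sibling entry in this hunk uses lowercase hyphenated names (update/waas-restart.md, update/waas-windows-insider-for-business-faq.md). Rename the new file to follow the same lowercase convention before it ships, because links typed in lowercase will fail wherever paths are case-sensitive, and renaming after publication means maintaining a redirect.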
@@ -0,0 +1,70 @@ +--- +title: Introduction to the Windows Insider Program for Business +description: Introduction to the Windows Insider Program for Business and why IT Pros should join it +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jaimeo +ms.localizationpriority: high +ms.author: jaimeo +ms.date: 03/01/2018 +--- + +# Introduction to the Windows Insider Program for Business + + +**Applies to** + +- Windows 10 + +> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the Semi-Annual Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. + +The Windows Insider Program for Business gives you the opportunity to: + +* Get early access to Windows Insider Preview Builds. +* Provide feedback to Microsoft in real time by using the Feedback Hub app. +* Sign in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. +* Register your Azure Active Directory domain in the program, allowing you to cover all users within your organization with just one registration. 
+* Starting with Windows 10, version 1709, enable, disable, defer, and pause the installation of preview builds through policies. +* Track feedback provided through the Feedback Hub App across your organization. + +Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. + +The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. + + +[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)
+Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. + + +## Explore new Windows 10 features in Insider Previews +Windows 10 Insider Preview builds offer organizations a valuable and exciting opportunity to evaluate new Windows features well before general release. What’s more, by providing feedback to Microsoft on these features, you and other Insiders in your organization can help shape Windows for your specific business needs. Here’s how to get the most out of your feature exploration: + +|Objective |Feature exploration| +|---------|---------| +|Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.| +|Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. | +|Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
- Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
- Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. | +|Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
- Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
- [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/en-us/how-to-feedback/) | + +## Validate Insider Preview builds +Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/en-us/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: + +- Get a head start on your Windows validation process +- Identify issues sooner to accelerate your Windows deployment +- Engage Microsoft earlier for help with potential compatibility issues +- Deploy Windows 10 Semi-Annual releases faster and more confidently +- Maximize the 18-month support Window that comes with each Semi-Annual release. + + + +|Objective |Feature exploration| +|---------|---------| +|Release channel |**Slow Ring:** Insider Preview builds in the Slow Ring are released approximately once a month. They are more stable than Fast Ring releases, making them better suited for validation purposes. Slow Ring releases can be run on either secondary or primary production devices by skilled users.| +|Users | Application and infrastructure validation: In addition to Insiders who might have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample.| +|Tasks | Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes. 
| +|Feedback | Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues. | +|Guidance | Application and infrastructure validation:
- [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-identify-apps)
- [Use Device Health to identify problem devices and device drivers](https://docs.microsoft.com/en-us/windows/deployment/update/device-health-monitor)
- [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793)| + diff --git a/windows/deployment/update/images/WIP4Biz_Deployment.png b/windows/deployment/update/images/WIP4Biz_Deployment.png new file mode 100644 index 0000000000..bf267aa9eb Binary files /dev/null and b/windows/deployment/update/images/WIP4Biz_Deployment.png differ diff --git a/windows/deployment/update/images/WIP4Biz_Prompts.png b/windows/deployment/update/images/WIP4Biz_Prompts.png new file mode 100644 index 0000000000..37acadde3a Binary files /dev/null and b/windows/deployment/update/images/WIP4Biz_Prompts.png differ diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index 7fc29c58f5..dea0940ed3 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md 
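Review bot: In the new WIP4Biz-intro.md, the illustration is referenced as images/WIP4Biz_deployment.png, but the binary added by this commit is images/WIP4Biz_Deployment.png; on a case-sensitive host the image and its link will not resolve, so make the two spellings match. The table under "Validate Insider Preview builds" reuses the header |Objective |Feature exploration| from the first table; it should name validation, which would also let the cells drop the repeated "Application and infrastructure validation:" prefix. The opening paragraph has a broken sentence ("feature flighting enables participants in the Windows Insider Preview program can consume and deploy"); change "can consume" to "to consume".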
@@ -5,49 +5,50 @@ ms.author: nibr ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 10/10/2017 +author: jaimeo +ms.date: 03/02/2018 --- # Olympia Corp ## What is Windows Insider Lab for Enterprise and Olympia Corp? -Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features*. To get the complete experience of these Enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. +Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features. To get the complete experience of these Enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. As an Olympia user, you will have an opportunity to: -- Use various Enterprise features like WIP (Windows Information Protection), ATP (Advanced Threat Protection), WDAG (Windows Defender Application Guard), and APP-V (Application virtualization). +- Use various Enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). - Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. - Validate and test pre-release software in your environment. - Provide feedback. - Interact with engineering team members through a variety of communication channels. -\* Enterprise features may have reduced, or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. 
We may change or discontinue any of the Enterprise features at any time without notice. +>[!Note] +>Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the Enterprise features at any time without notice. -For more information about Olympia Corp, please see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). +For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). -To request an Olympia Corp account, please fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia). +To request an Olympia Corp account, fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia). ## Enrollment guidelines -Welcome to Olympia Corp. Here are the steps needed to Enroll. +Welcome to Olympia Corp. Here are the steps needed to enroll. As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade. Choose one of the following two enrollment options: -1. [Keep your current Windows 10 edition](#enrollment-keep-current-edition) +- To set up an AAD-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account. -2. [Upgrade your Windows 10 edition from Pro to Enterprise](#enrollment-upgrade-to-enterprise) +- If you are running Windows 10 Pro, we recommend that you upgrade to Windows 10 Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). 
In this case, you will be able to log on to the device with your Olympia account. -### Set up an Azure Active Directory REGISTERED Windows 10 device +### Set up an Azure Active Directory-REGISTERED Windows 10 device -- This is the Bring Your Own Device (BYOD) method - your device will receive Olympia policies and features, but a new account will not be created ([additional info]).(https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) +This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Set up Azure Active Directory registered Windows 10 devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) for additional information. -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). +1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). ![Settings -> Accounts](images/1-1.png) 
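Review bot: The rewritten feature list introduces a lowercase product name in its + line, "windows Defender Application Guard (WDAG)"; capitalize "Windows". The front matter now reads author: jaimeo while the unchanged context line still has ms.author: nibr, so update ms.author in the same change if ownership of the topic has moved. The two new enrollment bullets also differ between "log onto the device" and "log on to the device"; pick one form.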
@@ -66,7 +67,7 @@ Choose one of the following two enrollment options: 5. Read the **Terms and Conditions**. Click **Accept** to participate in the program. -6. If this is the first time you are logging in, please fill in the additional information to help you retrieve your account details. +6. If this is the first time you are logging in, fill in the additional information to help you retrieve your account details. 7. Create a PIN for signing into your Olympia corporate account. @@ -79,11 +80,11 @@ Choose one of the following two enrollment options: -### Set up Azure Active Directory JOINED Windows 10 device +### Set up Azure Active Directory-JOINED Windows 10 device -- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account ([additional info]).(https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-joined-devices-setup) +- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). +1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). ![Settings -> Accounts](images/1-1.png) 
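Review bot: The intro line of the Azure Active Directory-JOINED section still starts with a list marker ("+- This method will upgrade your Windows 10 Pro license ..."), while the matching line in the REGISTERED section was turned into a plain paragraph earlier in this commit; drop the "- " here so the two sections render the same way. The closing pointers also differ ("for additional information" there, "for more information" here) and could share one wording.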
@@ -106,15 +107,15 @@ Choose one of the following two enrollment options: 6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. -7. If this is the first time you are signing in, please fill in the additional information to help you retrieve your account details. +7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details. 8. Create a PIN for signing into your Olympia corporate account. 9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. -10. Restart your PC. +10. Restart your device. -11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your PC will upgrade to Windows 10 Enterprise*. +11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows 10 Enterprise. 12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. @@ -123,5 +124,6 @@ Choose one of the following two enrollment options: 13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. -\* Please note that your Windows 10 Enterprise license will not be renewed if your PC is not connected to Olympia. +>[!NOTE] +> Your Windows 10 Enterprise license will not be renewed if your device is not connected to Olympia. diff --git a/windows/deployment/update/waas-windows-insider-for-business.md b/windows/deployment/update/waas-windows-insider-for-business.md index fe47323f40..52a170184a 100644 --- a/windows/deployment/update/waas-windows-insider-for-business.md +++ b/windows/deployment/update/waas-windows-insider-for-business.md 
@@ -4,10 +4,10 @@ description: Overview of the Windows Insider Program for Business ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: DaniHalfin +author: jaimeo ms.localizationpriority: high -ms.author: daniha -ms.date: 10/27/2017 +ms.author: jaimeo +ms.date: 02/27/2018 --- # Windows Insider Program for Business 
@@ -19,85 +19,76 @@ ms.date: 10/27/2017 > **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -For many IT Pros, gaining visibility into feature updates early, before they’re available to the Semi-Annual Channel, can be both intriguing and valuable for future end user communications as well as provide additional prestaging for Semi-Annual Channel devices. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test devices, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to the Semi-Annual Channel, organizations can test their deployment on test devices for compatibility validation. -The Windows Insider Program for Business gives you the opportunity to: -* Get early access to Windows Insider Preview Builds. -* Provide feedback to Microsoft in real-time via the Feedback Hub app. -* Sign-in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. -* Register your Azure AD domain into the program, to cover all users within your organization with just one registration. -* Starting with Windows 10, version 1709, enable, disable, defer and pause the installation of preview builds through policies. -* Track feedback provided through the Feedback Hub App, across your organization. 
- -Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. - -The Windows Insider Program isn’t intended to replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. ## Getting started with Windows Insider Program for Business -To get started with the Windows Insider Program for Business, you can follow a few simple steps: +To get started with the Windows Insider Program for Business, follow these steps: -1. [Register your organizational Azure AD account](#individual-registration) to the Windows Insider Program for Business. +1. [Register your organization's Azure AD account](#individual-registration) to the Windows Insider Program for Business. 2. [Register your organization's Azure AD domain](#organizational-registration) to the Windows Insider Program for Business.
**Note:** Registering user has to be a Global Administrator in the Azure AD domain. 3. [Set policies](#manage-windows-insider-preview-builds) to enable Windows Insider Preview builds and select flight rings. >[!IMPORTANT] ->The **Allow Telemetry** setting has to be set to 2 or higher, to receive Windows Insider preview builds. +>To receive Windows Insider Preview builds, set the **Allow Telemetry** setting in Group Policy to 2 or higher. > ->The setting is available in **Group Policy**, through **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds - Allow Telemetry** or in **MDM**, through [**System/AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). +>In **Group Policy**, this setting is in **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds - Allow Telemetry**. In **MDM**, the setting is in [**System/AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). -Below are additional details to accomplish the steps described above. -## Register to the Windows Insider Program for Business +## Register in the Windows Insider Program for Business The first step to installing a Windows 10 Insider Preview build is to register as a Windows Insider. You and your users have two registration options. ### Register using your work account (recommended) -• Registering with your work account in Azure Active Directory (AAD) is required to submit feedback on behalf of your organization and manage Insider Preview builds on other PCs in your domain. +Registering with your work account in Azure Active Directory (AAD) is required to submit feedback on behalf of your organization and manage Insider Preview builds on other devices in your domain. >[!NOTE] ->Requires Windows 10 Version 1703 or later. Confirm by going to Settings>System>About. 
If you do not have an AAD account, [find out how to get an Azure Active Directory tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant). +>Requires Windows 10 Version 1703 or later. Confirm by going to Settings>System>About. If you do not have an AAD account, [find out how to get an Azure Active Directory tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant). ### Register your personal account Use the same account that you use for other Microsoft services. If you don’t have a Microsoft account, it is easy to get one. [Get a Microsoft account](https://account.microsoft.com/account). ## Install Windows Insider Preview Builds -You can install Windows 10 Insider Preview builds directly on individual PCs, manage installation across multiple PCs in an organization, or install on a virtual machine. +You can install Windows 10 Insider Preview builds directly on individual devices, manage installation across multiple devices in an organization, or install on a virtual machine. -### Install on an individual PC +### Install on an individual device -1. Open [Windows Insider Program settings](ms-settings:windowsinsider) (On your Windows 10 PC, go to Start > Settings > Update & security > Windows Insider Program). Note: To see this setting, you need to have administrator rights to your PC. -2. Link your Microsoft or work account that you used to register as a Windows Insider. -3. Follow the prompts. +1. Open [Windows Insider Program settings](ms-settings:windowsinsider) (On your Windows 10 device, go to Start > Settings > Update & security > Windows Insider Program). To see this setting, you must have administrator rights to your device. +2. Click **Get started** and follow the prompts to link your Microsoft or work account that you used to register as a Windows Insider. 
-(images/WIP4Biz_Prompts.png) -### Install across multiple PCs +[![Settings UI showing Windows Insider Program item selected in lower left](images/WIP4Biz_Prompts.png)](images/WIP4Biz_Prompts.png) -Administrators can install and manage Insider Preview builds centrally across multiple PCs within their domain. Here’s how: +### Install across multiple devices + +Administrators can install and manage Insider Preview builds centrally across multiple devices within their domain. To register a domain, you must be registered in the Windows Insider Program with your work account in Azure Active Directory and you must be assigned a **Global Administrator** role on that Azure AD domain. Also requires Windows 10 Version 1703 or later. + +To register a domain, follow these steps: 1. **Register your domain with the Windows Insider Program** -To register a domain, you must be registered in the Windows Insider Program with your work account in Azure Active Directory and you must be assigned a **Global Administrator** role on that Azure AD domain. Also requires Windows 10 Version 1703 or later. +Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/for-business-organization-admin/) and control settings centrally. -**Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally.
**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. - ->[!Notes] ->• At this point, the Windows Insider Program for Business only supports [Azure Active Directory (Azure AD)](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis) (and not Active Directory on premises) as a corporate authentication method. ->• If your company has a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services – you have a free subscription to Microsoft Azure Active Directory. This subscription can be used to create users for enrollment in the Windows Insider Program for Business. ->• If you do not have an AAD account, install Insider Preview builds on individual PCs with a registered Microsoft account. 2. **Apply Policies** -Once you have registered your enterprise domain, you can control how and when devices receive Windows Insider Preview builds on their devices. See: [How to manage Windows 10 Insider Preview builds across your organization](https://docs.microsoft.com/en-us/windows/deployment/update/waas-windows-insider-for-business). +Once you have registered your enterprise domain, you can control how and when devices receive Windows Insider Preview builds on their devices. See: [How to manage Windows 10 Insider Preview builds across your organization](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business). -### Install on a virtual machine. -This option enables you to run Insider Preview builds without changing the Windows 10 production build already running on a PC. -• For guidance on setting up virtual machines on your PC see: [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). 
-• To download the latest Insider Preview build to run on your virtual machine see: -[Windows Insider Preview downloads](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewadvanced) +>[!Note] +>- The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. +>- Currently, the Windows Insider Program for Business supports [Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/active-directory-whatis)--but not on-premises Active Directory--as a corporate authentication method. +>- If your company has a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services--you have a free subscription to Microsoft Azure Active Directory. This subscription can be used to create users for enrollment in the Windows Insider Program for Business. +>- If you do not have an AAD account, install Insider Preview builds on individual devices with a registered Microsoft account. + +### Install on a virtual machine +This option enables you to run Insider Preview builds without changing the Windows 10 production build already running on a device. + +For guidance on setting up virtual machines on your device, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/). + +To download the latest Insider Preview build to run on your virtual machine, see +[Windows Insider Preview downloads](https://www.microsoft.com/software-download/windowsinsiderpreviewadvanced) ## Manage Windows Insider Preview builds -Starting with Windows 10, version 1709, administrators can control how and when devices receive Windows Insider Preview builds on their devices. +Starting with Windows 10, version 1709, administrators can control how and when devices receive Windows Insider Preview builds. 
The **Manage preview builds** setting gives enables or prevents preview build installation on a device. You can also decide to stop preview builds once the release is public. * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* 
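Review bot: The reworded IMPORTANT block says to set Allow Telemetry "in Group Policy to 2 or higher", yet the next sentence gives an MDM path (System/AllowTelemetry) as well, so the first sentence should not name Group Policy; "set the **Allow Telemetry** setting to 2 or higher" covers both. In "Install across multiple devices", the lead-in "To register a domain, follow these steps:" is followed by a step 2 that applies policies rather than registering anything, and that step's link (https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business) appears to resolve to this same file; point it at #manage-windows-insider-preview-builds, as step 3 of "Getting started" does. The hunk also deletes the whole introduction without adding a link to the new WIP4Biz-intro.md, so the topic now opens directly on "Getting started".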
@@ -114,60 +105,63 @@ The **Branch Readiness Level** settings allows you to choose between preview [fl * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* * MDM: [**Update/BranchReadinessLevel**](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) -![Select when Preview Builds and Feature Updates are received group policy](images/waas-wipfb-policy1.png) +![Group Policy dialog showing the "Select when Preview Builds and Feature updates are received" configuration panel](images/waas-wipfb-policy1.png) ### Individual enrollment If you want to manage Windows Insider preview builds prior to Windows 10, version 1709, or wish to enroll a single device, follow these steps: 1. Enroll your device by going to **Start > Settings > Update & security > Windows Insider Program** and selecting **Get Started**. Sign-in using the account you used to register for the Windows Insider Program. -2. After reading the privacy statement and clicking **Next**, **Confirm** and schedule a restart. -3. You are ready to install your first preview build. To do so, go to **Start** > **Settings** > **Update & security** > **Windows Insider Program** to select your Windows Insider level. The device receives the most recent Windows Insider build for the Windows Insider level you select. +2. Read the privacy statement and then click **Next**, **Confirm**, +3. Schedule a restart. You are now ready to install your first preview build. +4. To install the first preview, open **Start** > **Settings** > **Update & security** > **Windows Insider Program** and select your Windows Insider level. The device receives the most recent Windows Insider build for the Windows Insider level you select. >[!NOTE] ->To enroll your PC, you’ll require administration rights on the machine and it needs to be running Windows 10, Version 1703 or later. 
If you are already registered in the Windows Insider Program using your Microsoft account, you’ll need to [switch enrollment to the organizational account](#how-to-switch-between-your-msa-and-your-corporate-aad-account). +>To enroll your device, you’ll require administration rights on the device, which must be running Windows 10, Version 1703 or later. If you are already registered in the Windows Insider Program using your Microsoft account, you’ll need to [switch enrollment to the organizational account](#how-to-switch-between-your-msa-and-your-corporate-aad-account). >[!TIP] >Administrators have the option to use [Device Health](/windows/deployment/update/device-health-monitor) in Windows Analytics to monitor devices running Windows 10 Insider Preview builds. ## Flight rings -Flighting rings are used to evaluate the quality of our software as it is released to progressively larger audiences. We will flight a Feature Update, application, etc. to the first ring if it passes all required automated testing in the lab. The flight will continue to be evaluated against a set of criteria to ensure it is ready to progress to the next ring. +Flight rings are used to evaluate the quality of our software as it is released to progressively larger audiences. We will flight a Feature Update, application, etc. to the first ring if it passes all required automated testing in the lab. The flight will continue to be evaluated against a set of criteria to ensure it is ready to progress to the next ring. These are the available flight rings: ### Release Preview -Best for Insiders who enjoy getting early access to updates for the Semi-Annual Channel, Microsoft applications, and drivers, with minimal risk to their devices, and still want to provide feedback to make Windows devices great. 
+Best for Insiders who prefer to get early access to updates for the Semi-Annual Channel, Microsoft applications, and drivers, with minimal risk to their devices, and still want to provide feedback to make Windows devices great. -Insiders on this level receive builds of Windows just before Microsoft releases them to the Semi-Annual Channel. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs. +Insiders on this level receive builds of Windows just before Microsoft releases them to the Semi-Annual Channel. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider devices. -* The Release Preview Ring will only be visible when your Windows build version is the same as the Semi-Annual Channel. -* To go from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows. +The Release Preview Ring will only be visible when your Windows build version is the same as the Semi-Annual Channel. + +To move from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for device) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows. ### Slow -The Slow Windows Insider level is for users who enjoy seeing new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build. 
+The Slow Windows Insider level is for users who prefer to see new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build. * Builds are sent to the Slow Ring after feedback has been received from Windows Insiders within the Fast Ring and analyzed by our Engineering teams. * These builds will include updates to fix key issues that would prevent many Windows Insiders from being able to use the build on a daily basis. -* These builds still may have issues that would be addressed in a future flight. +* These builds still might have issues that would be addressed in a future flight. ### Fast -Best for Windows Insiders who enjoy being the first to get access to builds and feature updates, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great. +Best for Windows Insiders who prefer being the first to get access to builds and feature updates--with some risk to their devices--in order to identify issues, and provide suggestions and ideas to make Windows software and devices great. -* Windows Insiders with devices in the Fast Ring should be prepared for more issues that may block key activities that are important to you or may require significant workarounds. -* Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features may work on some devices but may fail in other device configurations. +* Windows Insiders with devices in the Fast Ring should be prepared for more issues that might block key activities that are important to you or might require significant workarounds. +* Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features might work on some devices but might fail in other device configurations. 
* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked. -* Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community forum. +* Remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community forum. >[!NOTE] ->Once your machine is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your machine will be auto-targeted for the next available flight for your selected ring. For the first build on any given machine, this may take up to 24 hours to complete. +>Once your device is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your device will be auto-targeted for the next available flight for your selected ring. For the first build on any given device, this might take up to 24 hours to complete. ### How to switch between flight rings -During your time in the Windows Insider Program, you may want to change between flight rings for any number of reasons. Starting with Windows 10, version 1709, use the **Branch Readiness Level** to switch between flight rings. 
+During your time in the Windows Insider Program, you might want to change between flight rings for any number of reasons. Starting with Windows 10, version 1709, use the **Branch Readiness Level** to switch between flight rings. + * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* * MDM: [**Update/BranchReadinessLevel**](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) 
@@ -179,57 +173,6 @@ To switch flights prior to Windows 10, version 1709, follow these steps: * [Windows Insider Slow](#slow) * [Release Preview](#release-preview) -## Explore new Insider Preview features -Windows 10 Insider Preview builds offer organizations a valuable and exciting opportunity to evaluate new Windows features well before general release. What’s more, by providing feedback to Microsoft on these features, you and other Insiders in your organization can help shape Windows for your specific business needs. Here’s how to get the most out of your feature exploration: - -**Objective: Release Channel** -Feature Exploration: Fast Ring -Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration. - -**Objective: Users** -Feature Exploration: Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary machines. - -**Objective: Tasks** -Feature Exploration: -• Install and manage Insider Preview builds on PCs (per machine or centrally across multiple machines) -• Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications -• Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary current features. - -**Objective: Feedback** -Feature Exploration: -• Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible. -• Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. 
(Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.) -• [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/en-us/how-to-feedback/) - -## Validate Insider Preview builds -Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/en-us/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: -• Get a head start on your Windows validation process -• Identify issues sooner to accelerate your Windows deployment -• Engage Microsoft earlier for help with potential compatibility issues -• Deploy Windows 10 Semi-Annual releases faster and more confidently -• Maximize the 18-month support Window that comes with each Semi-Annual release. - -(images/WIP4Biz_deployment.png) -Windows 10 Insider Preview builds enable organization to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. - -**Objective: Release Channel** -Application and infrastructure validation: SLOW RING -Insider Preview builds in the Slow Ring are released approximately once a month. They are more stable than Fast Ring releases, making them better suited for validation purposes. Slow Ring releases can be run on either secondary or primary production machines by skilled users. - -**Objective: Recommended Users** -Application and infrastructure validation: In addition to Insiders who may have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample. 
- -**Objective: Recommended Tasks** -Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes. - -**Objective: Feedback** -Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues. - -**Objective: Guidance** -Application and infrastructure validation: -• [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-identify-apps) -• [Use Device Health to identify problem devices and device drivers](https://docs.microsoft.com/en-us/windows/deployment/update/device-health-monitor) -• [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793) ## How to switch between your MSA and your Corporate AAD account 
@@ -243,11 +186,11 @@ If you were using your Microsoft Account (MSA) to enroll to the Windows Insider ## Sharing Feedback Via the Feedback Hub As you know a key benefit to being a Windows Insider is Feedback. It’s definitely a benefit to us, and we hope it’s a benefit to you. Feedback is vital for making changes and improvements in Windows 10. Receiving quality and actionable feedback is key in achieving these goals. -Please use the [**Feedback Hub App**](feedback-hub://?referrer=wipForBizDocs&tabid=2) to submit your feedback to Microsoft. +Use the [**Feedback Hub App**](feedback-hub://?referrer=wipForBizDocs&tabid=2) to submit your feedback to Microsoft. -When providing feedback, please consider the following: -1. Check for existing feedback on the topic you are preparing to log. Another user may have already shared the same feedback. If they have, please “upvote” the existing feedback to help prevent duplicate submissions. Adding additional comments to existing feedback can help others by providing clarity to existing information or additional scenarios to review. -2. Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible. +When providing feedback, consider the following: +* Check for existing feedback on the topic you are preparing to log. Another user might have already shared the same feedback. If they have, “upvote” the existing feedback to help prevent duplicate submissions. Adding additional comments to existing feedback can help others by providing clarity to existing information or additional scenarios to review. +* Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible. 
>[!TIP] >You can then track feedback provided by all users in your organization through the Feedback Hub. Simply filter by **My Organization**. @@ -259,7 +202,7 @@ When providing feedback, please consider the following: ### User consent requirement -Feedback Hub needs the user’s consent to access their AAD account profile data (we read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this: +Feedback Hub needs the user’s consent to access their AAD account profile data (we read their name, organizational tenant ID, and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this: ![Feedback Hub consent to AAD pop-up](images/waas-wipfb-aad-consent.png) @@ -282,7 +225,7 @@ To do this through the **classic Azure portal**: 2. Switch to the **Active Directory** dashboard. ![Azure classic portal dashboard button](images/waas-wipfb-aad-classicaad.png) 3. Select the appropriate directory and go to the **Configure** tab. -4. Under the **integrated applications** section, enable **Users may give applications permissions to access their data**. +4. Under the **integrated applications** section, enable **Users might give applications permissions to access their data**. ![Azure classic portal enable consent](images/waas-wipfb-aad-classicenable.png) To do this through the **new Azure portal**: 
@@ -298,7 +241,7 @@ To do this through the **new Azure portal**: ## Not receiving Windows 10 Insider Preview build updates? -In some cases, your PC may not update to the latest Windows Insider Preview build as expected. Here are items that you can review to troubleshoot this issue: +In some cases, your device might not update to the latest Windows Insider Preview build as expected. Here are items that you can review to troubleshoot this issue: ### Perform a manual check for updates Go to **Settings > Updates & Security**. Review available updates or select **Check for updates**. 
@@ -310,33 +253,33 @@ Go to **Settings > Updates & Security**. Review available updates or select **Ch Go to **Settings > Updates & Security > Activation** to verify Windows is activated. ### Make sure your corporate account in AAD is connected to your device -Open **Settings \ Accounts \ Access work or school**. If your PC is not listed as connected to your account in AAD, click Connect and enter your AAD account. +Open **Settings \ Accounts \ Access work or school**. If your device is not listed as connected to your account in AAD, click Connect and enter your AAD account. ### Make sure you have selected a flight ring Open **Settings > Update & Security > Windows Insider Program** and select your flight ring. ### Have you recently done a roll-back? -If so, please double-check your flight settings under **Settings > Update & Security > Windows Insider Program**. +If so, double-check your flight settings under **Settings > Update & Security > Windows Insider Program**. -### Did you do a clean install? -After a clean-install and initial setup of a Microsoft or corporate account (even one that has been used previously for flighting) the appropriate targeting needs to take place for your PC. This background process is known as Compatibility Checker and will run during idle time on your PC. This process may take up to 24 hours. Please leave your PC turned on to ensure this occurs in timely manner. +### Did you do a clean installion? +After a clean installation and initial setup of a Microsoft or corporate account (even one that has been used previously for flighting) the appropriate targeting needs to take place for your device. This background process is known as Compatibility Checker and will run during idle time on your device. This process might take up to 24 hours. To ensure that this occurs in a timely manner, leave your device turned on. ### Are there known issues for your current build? 
-On rare occasion, there may be an issue with a build that could lead to issues with updates being received. Please check the most recent Blog Post or reach out to the Windows Insider team on Twitter for verification (*@WindowsInsider*). You can also check the **Feedback Hub** for announcements and known issues. +On rare occasion, there might be an issue with a build that could lead to issues with updates being received. Check the most recent blog post or contact the Windows Insider team on Twitter for verification (*@WindowsInsider*). You can also check the **Feedback Hub** for announcements and known issues. ## Exiting flighting -After you’ve tried the latest Windows Insider Preview builds, you may want to opt out. In order to do that, go to **Settings > Update & Security > Windows Insider Program** and select **Stop Insider Preview Builds**. Follow the on-screen instructions to stop flighting to your device. +After you’ve tried the latest Windows Insider Preview builds, you might want to opt out. In order to do that, go to **Settings > Update & Security > Windows Insider Program** and select **Stop Insider Preview Builds**. Follow the on-screen instructions to stop flighting to your device. -To go from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows. +To go from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for device) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows. ## Unregister -If you no longer plan to manage Windows Insider Preview policies for your organization, you will need to [unregister your domain with the Windows Insider Program](https://insider.windows.com/en-us/insiderorgleaveprogram/). 
+If you no longer plan to manage Windows Insider Preview policies for your organization, you will need to [unregister your domain with the Windows Insider Program](https://insider.windows.com/insiderorgleaveprogram/). Unregistering will not allow any other administrators at your organization to continue to set policies to manage Windows Insider Preview builds across your organization. -Your individual registration with the Insider program will not be impacted. If you wish to leave the Insider program, see the [leave the program](https://insider.windows.com/en-us/how-to-overview/#leave-the-program) instructions. +Your individual registration with the Insider program will not be impacted. If you wish to leave the Insider program, see the [leave the program](https://insider.windows.com/how-to-overview/#leave-the-program) instructions. >[!IMPORTANT] >Once your domain is unregistered, setting the **Branch Readiness Level** to preview builds will have no effect. Return this setting to its unconfigured state in order to enable users to control it from their devices. 
@@ -347,14 +290,14 @@ Windows Insiders are a part of a global community focused on innovation, creativ The Windows Insider program enables you to deepen connections to learn from peers and to connect to subject matter experts (inside Microsoft, Insiders in your local community and in another country) who understand your unique challenges, and who can provide strategic advice on how to maximize your impact. -Collaborate and learn from experts in the [WINDOWS INSIDER TECH COMMUNITY](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) +Collaborate and learn from experts in the [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) ## Additional help resources -* [**Windows Blog**](https://blogs.windows.com/blog/tag/windows-insider-program/) - With each new build release we publish a Windows Blog post that outlines key feature changes as well as known issues that Insiders may encounter while using the build. +* [**Windows Blog**](https://blogs.windows.com/blog/tag/windows-insider-program/) - With each new build release we publish a Windows Blog post that outlines key feature changes as well as known issues that Insiders might encounter while using the build. * [**Microsoft Technical Community for Windows Insiders**](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) - Engage with Windows Insiders around the world in a community dedicated to the Windows Insider Program. -* [**Windows Insider Preview community forum**](https://answers.microsoft.com/en-us/insider/forum/insider_wintp) - Answers is Microsoft’s forum platform and there is an entire area dedicated to the Windows Insider Program. Insiders can filter between PC, Office, Edge, and many others. 
+* [**Windows Insider Preview community forum**](https://answers.microsoft.com/en-us/insider/forum/insider_wintp) - Answers is Microsoft’s forum platform and there is an entire area dedicated to the Windows Insider Program. Insiders can filter between device, Office, Edge, and many others. ## Learn More - [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md index 96199b29be..ab4cd78ac7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Configure always-on real-time protection in Windows Defender AV -description: Enable and configure real-time protectoin features such as behavior monitoring, heuristics, and machine-learning in Windows Defender AV +description: Enable and configure real-time protection features such as behavior monitoring, heuristics, and machine-learning in Windows Defender AV keywords: real-time protection, rtp, machine-learning, behavior monitoring, heuristics search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -100,4 +100,4 @@ The main real-time protection capability is enabled by default, but you can disa ## Related topics - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) 
diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index a15378b6ad..a650f8fe1f 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 11/14/2017 +ms.date: 03/06/2018 --- # Windows Defender ATP data storage and privacy 
@@ -40,6 +40,15 @@ Microsoft uses this data to: Microsoft does not use your data for advertising or for any other purpose other than providing you the service. +## Data protection and encryption +The Windows Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. + + +There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Windows Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/en-us/azure/security/security-azure-encryption-overview). + +In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum. + + ## Do I have the flexibility to select where to store my data? When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not under any circumstance, transfer the data from the specified geolocation into another geolocation. diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index ca586e93ad..a521be1763 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 11/09/2017 +ms.date: 03/06/2018 --- # Take response actions on a file @@ -48,7 +48,7 @@ The **Stop and Quarantine File** action includes stopping running processes, qua The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days. >[!NOTE] ->You’ll be able to remove the file from quarantine at any time. +>You’ll be able to restore the file from quarantine at any time. ### Stop and quarantine files 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: @@ -101,7 +101,7 @@ You can roll back and remove a file from quarantine if you’ve determined that ``` > [!NOTE] -> Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days. +> Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days. ## Block files in your network You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
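Review bot: In the Individual enrollment steps (hunk @@ -114,60 +105,63), the new step 2 ends on a dangling comma ("click **Next**, **Confirm**,") and its sentence runs on into step 3. Suggest "2. Read the privacy statement, click **Next**, and then click **Confirm**." followed by "3. Schedule a restart." Step 3 also says "You are now ready to install your first preview build" and step 4 then opens with "To install the first preview", so one of the two can go. In the Release Preview text of the same hunk, "(for device)" next to "(for Mobile)" loses the PC versus Mobile distinction the sentence depends on; keep "PC" there or name the device class.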
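Review bot: The hunk @@ -179,57 +173,6 removes the "Explore new Insider Preview features" and "Validate Insider Preview builds" sections in full, and nothing in this hunk says where that guidance now lives. If the content moved to another topic, add a pointer (for example under "Learn More") and check for inbound links to the two removed headings; if it was dropped on purpose, say so in the commit message.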
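Review bot: In step 4 of the classic Azure portal procedure (hunk @@ -282,7 +225,7), the may-to-might replacement has rewritten bolded text that is formatted as the name of the portal setting: "**Users might give applications permissions to access their data**". A setting name has to match what the administrator sees on screen, and this one controls user consent to application access, so a mismatch here sends readers looking for an option that is not labelled that way. Revert this line to the original string and exclude UI labels from the global wording change.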
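Review bot: The troubleshooting hunk (@@ -310,33 +253,33) introduces a typo in a heading: "### Did you do a clean installion?" should read "installation", matching the body text on the next line; the generated heading anchor changes with it, so fix it before any links are created. In the Exiting flighting paragraph of the same hunk, "(for device)" beside "(for Mobile)" has the same problem as in the Release Preview section: the sentence contrasts two device classes and "device" no longer names one.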
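Review bot: In the "Additional help resources" list (hunk @@ -347,14 +290,14), "Insiders can filter between device, Office, Edge, and many others" replaces "PC" inside what reads as a list of forum filter names. If "PC" is the label shown on the forum, keep it as written; the PC-to-device wording change should apply to descriptive prose only, not to names the reader has to match on screen.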
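Review bot: The new "Data protection and encryption" section (hunk @@ -40,6 +40,15) has a typo in its link text, "AES encyption", and its lead-in to the Azure link does not match the target: the sentence promises "more information on other technologies" but links to the encryption overview. The closing claim, "In all scenarios, data is encrypted using 256-bit AES encyption at the minimum", should state which of the listed cases it covers (at rest, in flight, or both), since the preceding paragraph names them separately. "state of the art" needs hyphens as a modifier and would be stronger replaced by the specific technologies; the doubled blank lines after the first and last paragraphs can be dropped.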
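Review bot: The remove-to-restore correction in the two notes (hunks @@ -48,7 +48,7 and @@ -101,7 +101,7) leaves the surrounding section inconsistent: the context line for the second hunk still reads "You can roll back and remove a file from quarantine", so the paragraph and its note now use different verbs for the same action. Update that sentence in the same change. The revised note also says the action "will restore all files that were quarantined on this machine in the last 30 days"; since restoring puts previously quarantined files back on the machine, state explicitly whether that means every quarantined file or only the file the procedure was run for.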