diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index 12e1c2171d..110429fbf6 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -16,6 +16,9 @@ localizationpriority: high
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences.
By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain.
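Review bot: The new `[!IMPORTANT]` callout under the "Applies to" list does not say which of the policies on this page are prerelease, so a reader cannot tell the stable settings from the ones that may change. Consider naming the affected policies or marking them individually. Wording nit on the same line: "prereleased product which may be" reads better as "prerelease product that may be".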
diff --git a/education/windows/index.md b/education/windows/index.md
index 9554614c4c..f8db1c0562 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -63,7 +63,12 @@ author: CelesteDG
[Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.
+<<<<<<< HEAD
+
+
+=======
+>>>>>>> e04a8c5905ed4bcb1df7b6b60d48146df9095a12
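Review bot: The only lines this hunk adds to education/windows/index.md are unresolved merge conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> e04a8c5905ed4bcb1df7b6b60d48146df9095a12`) and two blank lines, which will publish as literal text after the "Upgrade Windows 10 Pro to Pro Education" entry. Resolve the conflict and drop these lines before merging. A pre-merge check for lines starting with `<<<<<<<` or `>>>>>>>` would catch this.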
diff --git a/smb/TOC.md b/smb/TOC.md
index 4c2433fafc..2b4214e907 100644
--- a/smb/TOC.md
+++ b/smb/TOC.md
@@ -1 +1,2 @@
-# [SMB](index.md)
+# [Windows 10 for SMB](index.md)
+## [Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md)
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
new file mode 100644
index 0000000000..e91ee664fb
--- /dev/null
+++ b/smb/cloud-mode-business-setup.md
@@ -0,0 +1,580 @@
+---
+title: Deploy and manage a full cloud IT solution for your business
+description: Learn how to set up a cloud infrastructure for your business, acquire devices and apps, and configure and deploy policies to your devices.
+keywords: smb, full cloud IT solution, small to medium business, deploy, setup, manage, Windows, Intune, Office 365
+ms.prod: w10
+ms.technology: smb-windows
+ms.topic: hero-article
+ms.author: celested
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.lang: EN
+ms.loc: US
+ms.pagetype: smb
+author: CelesteDG
+---
+
+
+
+# Get started: Deploy and manage a full cloud IT solution for your business
+**Applies to:**
+
+- Office 365 Business Premium, Azure AD Premium, Intune, Windows Store for Business, Windows 10
+
+In this walkthrough, we'll show you how to deploy and manage a full cloud IT solution for your small to medium business using Office 365 Business Premium, Microsoft Azure AD, Intune, Windows Store for Business, and Windows 10. We'll show you the basics on how to:
+- Acquire an Office 365 business domain
+- Add Microsoft Intune and Azure Active Directory (AD) Premium licenses to your business tenant
+- Set up Windows Store for Business and manage app deployment and sync with Intune
+- Add users and groups in Azure AD and Intune
+- Create policies and app deployment rules
+- Log in as a user and start using your Windows device
+
+Go to the Microsoft Business site and select **Products** to learn more about pricing and purchasing options for your business.
+
+## Prerequisites
+Here's a few things to keep in mind before you get started:
+- You'll need a registered domain to successfully go through the walkthrough.
+ - If you already own a domain, you can add this during the Office 365 setup.
+ - If you don't already own a domain, you'll have the option to purchase a domain from the Office 365 admin center. We'll show how to do this as part of the walkthrough.
+- You'll need an email address to create your Office 365 tenant.
+- We recommend that you use Internet Explorer for the entire walkthrough. Right click on Internet Explorer and then choose **Start InPrivate Browsing**.
+
+## 1. Set up your cloud infrastructure
+To set up a cloud infrastructure for your organization, follow the steps in this section.
+
+### 1.1 Set up Office 365 for business
+See Set up Office 365 for business to learn more about the setup steps for businesses and nonprofits who have Office 365. You can watch video and learn how to:
+- Plan your setup
+- Create Office 365 accounts and how to add your domain.
+- Install Office
+
+To set up your Office 365 business tenant, see Get Started with Office 365 for business.
+
+If this is the first time you're setting this up, and you'd like to see how it's done, you can follow these steps to get started:
+
+1. Go to the Office 365 page in the Microsoft Business site. Select **Try now** to use the Office 365 Business Premium Trial or select **Buy now** to sign up for Office 365 Business Premium. In this walkthrough, we'll select **Try now**.
+
+ **Figure 1** - Try or buy Office 365
+
+ 
+
+2. Fill out the sign up form and provide information about you and your company.
+3. Create a user ID and password to use to sign into your account.
+
+ This step creates an onmicrosoft.com email address. You can use this email address to sign in to the various admin centers. Save your sign-in info so you can use it to sign into https://portal.office.com (the admin portal).
+
+4. Select **Create my account** and then enter the phone number you used in step 2 to verify your identity. You'll be asked to enter your verification code.
+5. Select **You're ready to go...** which will take you to the Office 365 portal.
+
+ > [!NOTE]
+ > In the Office 365 portal, icons that are greyed out are still installing.
+
+ **Figure 2** - Office 365 portal
+
+ 
+
+
+6. Select the **Admin** tile to go to the Office 365 admin center.
+7. In the admin center, click **Next** to see the highlights and welcome info for the admin center. When you're done, click **Go to setup** to complete the Office 365 setup.
+
+ This may take up to a half hour to complete.
+
+ **Figure 3** - Office 365 admin center
+
+ 
+
+
+8. Go back to the Office 365 admin center to add or buy a domain.
+ 1. Select the **Domains** option.
+
+ **Figure 4** - Option to add or buy a domain
+
+ 
+
+
+ 2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as *fabrikamdesign.onmicrosoft.com*.
+
+ **Figure 5** - Microsoft-provided domain
+
+ 
+
+ - If you already have a domain, select **+ Add domain** to add your existing domain. If you select this option, you'll be required to verify that you own the domain. Follow the steps in the wizard to verify your domain.
+ - If you don't already own a domain, select **+ Buy domain**. If you're using a trial plan, you'll be required to upgrade your trial plan in order to buy a domain. Choose the subscription plan to use for your business and provide the details to complete your order.
+
+ Once you've added your domain, you'll see it listed in addition to the Microsoft-provided onmicrosoft.com domain.
+
+ **Figure 6** - Domains
+
+ 
+
+### 1.2 Add users and assign product licenses
+Once you've set up Office and added your domain, it's time to add users so they have access to Office 365. People in your organization need an account before they can sign in and access Office 365. The easiest way to add users is to add them one at a time in the Office 365 admin center.
+
+When adding users, you can also assign admin privileges to certain users in your team. You'll also want to assign **Product licenses** to each user so that subscriptions can be assigned to the person.
+
+**To add users and assign product licenses**
+
+1. In the Office 365 admin center, select **Users > Active users**.
+
+ **Figure 7** - Add users
+
+ 
+
+2. In the **Home > Active users** page, add users individually or in bulk.
+ - To add users one at a time, select **+ Add a user**.
+
+ If you select this option, you'll see the **New user** screen and you can add details about the new user including their name, user name, role, and so on. You also have the opportunity to assign **Product licenses**. For detailed step-by-step info on adding a user account, see *Add a user account in the Office 365 admin center* in Add users individually or in bulk to Office 365 - Admin Help.
+
+ **Figure 8** - Add an individual user
+
+ 
+
+ - To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users.
+
+ The **Import multiple users** screen includes a link where you can learn more about importing multiple users and also links for downloading a sample CSV file (one with headers only and another with headers and sample user information). For detailed step-by-step info on adding multiple users to Office 365, see Add several users at the same time to Office 365 - Admin Help. Once you've added all the users, don't forget to assign **Product licenses** to the new users.
+
+ **Figure 9** - Import multiple users
+
+ 
+
+3. Verify that all the users you added appear in the list of **Active users**. The **Status** should indicate the product licenses that were assigned to them.
+
+ **Figure 10** - List of active users
+
+ 
+
+### 1.3 Add Microsoft Intune
+Microsoft Intune provides mobile device management, app management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to apps, data, and corporate resources from anywhere on almost any device while helping to keep corporate information secure. To learn more, see What is Intune?
+
+**To add Microsoft Intune to your tenant**
+
+1. In the Office 365 admin center, select **Billing > Purchase services**.
+2. In the **Home > Purchase services** screen, search for **Microsoft Intune**. Hover over **Microsoft Intune** to see the options to start a free 30-day trial or to buy now.
+3. Confirm your order to enable access to Microsoft Intune.
+4. In the admin center, the Intune licenses will show as available and ready to be assigned to users. Select **Users > Active users** and then edit the product licenses assigned to the users to turn on **Intune A Direct**.
+
+ **Figure 11** - Assign Intune licenses
+
+ 
+
+5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again.
+6. Select **Intune**. This will take you to the Intune management portal.
+
+ **Figure 12** - Microsoft Intune management portal
+
+ 
+
+Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Windows Store for Business for app distribution](#17-configure-windows-store-for-business-for-app-distribution).
+
+### 1.4 Add Azure AD to your domain
+Microsoft Azure is an open and flexible cloud platform that enables you to quickly build, deploy, and manage apps across a global network of Microsoft-managed datacenters. In this walkthrough, we won't be using the full power of Azure and we'll primarily use it to create groups that we then use for provisioning through Intune.
+
+**To add Azure AD to your domain**
+
+1. In the Office 365 admin center, select **Admin centers > Azure AD**.
+
+ > [!NOTE]
+ > You will need Azure AD Premium to configure automatic MDM enrollment with Intune.
+
+2. If you have not signed up for Azure AD before, you will see the following message. To proceed with the rest of the walkthrough, you need to activate an Azure subscription.
+
+ **Figure 13** - Access to Azure AD is not available
+
+ 
+
+3. From the error message, select the country/region for your business. This should match with the location you specified when you signed up for Office 365.
+4. Click **Azure subscription**. This will take you to a free trial sign up screen.
+
+ **Figure 14** - Sign up for Microsoft Azure
+
+ 
+
+5. In the **Free trial sign up** screen, fill in the required information and then click **Sign up**.
+6. After you sign up, you should see the message that your subscription is ready. Click **Start managing my service**.
+
+ **Figure 15** - Start managing your Azure subscription
+
+ 
+
+ This will take you to the Microsoft Azure portal.
+
+### 1.5 Add groups in Azure AD
+This section is the walkthrough is optional. However, we recommend that you create groups in Azure AD to manage access to corporate resources, such as apps, policies and settings, and so on. For more information, see Managing access to resources with Azure Active Directory groups.
+
+To add Azure AD group(s), we will use the classic Azure portal (https://manage.windowsazure.com). See Managing groups in Azure Active Directory for more information about managing groups.
+
+**To add groups in Azure AD**
+
+1. If this is the first time you're setting up your directory, when you navigate to the **Azure Active Directory** node in the classic Azure portal, you will see a screen informing you that your directory is ready for use.
+
+ Afterwards, you should see a list of active directories. In the following example, **Fabrikam Design** is the active directory.
+
+ **Figure 16** - Azure first sign-in screen
+
+ 
+
+2. Select the directory (such as Fabrikam Design) to go to the directory's home page.
+
+ **Figure 17** - Directory home page
+
+ 
+
+3. From the menu options on top, select **Groups**.
+
+ **Figure 18** - Azure AD groups
+
+ 
+
+4. Select **Add a group** (from the top) or **Add group** at the bottom.
+5. In the **Add Group** window, add a name, group type, and description for the group and click the checkmark to save your changes. The new group will appear on the groups list.
+
+ **Figure 19** - Newly added group in Azure AD
+
+ 
+
+6. In the **Groups** tab, select the arrow next to the group (such as **All users**), add members to the group, and then save your changes.
+
+ The members that were added to the group will appear on the list.
+
+ **Figure 20** - Members in the new group
+
+ 
+
+7. Repeat steps 2-6 to add other groups. You can add groups based on their roles in your company, based on the apps that each group can use, and so on.
+
+### 1.6 Configure automatic MDM enrollment with Intune
+Now that you have Azure AD Premium and have it properly configured, you can configure automatic MDM enrollment with Intune, which allows users to enroll their Windows devices into Intune management, join their devices directly to Azure AD, and get access to Office 365 resources after sign in.
+
+You can read this blog post to learn how you can combine login, Azure AD Join, and Intune MDM enrollment into an easy step so that you can bring your devices into a managed state that complies with the policies for your organization. We will use this blog post as our guide for this part of the walkthrough.
+
+> [!IMPORTANT]
+> We will use the classic Azure portal instead of the new portal to configure automatic MDM enrollment with Intune.
+
+**To enable automatic MDM enrollment**
+
+1. In to the classic Azure portal, click on your company's Azure Active Directory to go back to the main window. Select **Applications** from the list of directory menu options.
+
+ The list of applications for your company will appear. **Microsoft Intune** will be one of the applications on the list.
+
+ **Figure 21** - List of applications for your company
+
+ 
+
+2. Select **Microsoft Intune** to configure the application.
+3. In the Microsoft Intune configuration page, click **Configure** to start automatic MDM enrollment configuration with Intune.
+
+ **Figure 22** - Configure Microsoft Intune in Azure
+
+ 
+
+4. In the Microsoft Intune configuration page:
+ - In the **Properties** section, you should see a list of URLs for MDM discovery, MDM terms of use, and MDM compliance.
+
+ > [!NOTE]
+ > The URLs are automatically configured for your Azure AD tenant so you don't need to change them.
+
+ - In the **Manage devices for these users** section, you can specify which users' devices should be managed by Intune.
+ - **All** will enable all users' Windows 10 devices to be managed by Intune.
+ - **Groups** let you select whether only users that belong to a specific group will have their devices managed by Intune.
+
+ > [!NOTE]
+ > In this step, choose the group that contains all the users in your organization as members. This is the **All** group.
+
+5. After you've chosen how to manage devices for users, select **Save** to enable automatic MDM enrollment with Intune.
+
+ **Figure 23** - Configure Microsoft Intune
+
+ 
+
+### 1.7 Configure Windows Store for Business for app distribution
+Next, you'll need to configure Windows Store for Business to distribute apps with a management tool such as Intune.
+
+In this part of the walkthrough, we'll be working on the Microsoft Intune management portal and Windows Store for Business.
+
+**To associate your Store account with Intune and configure synchronization**
+
+1. From the Microsoft Intune management portal, select **Admin**.
+2. In the **Administration** workspace, click **Mobile Device Management**. If this is the first tiem you're using the portal, click **manage mobile devices** in the **Mobile Device Management** window. The page will refresh and you'll have new options under **Mobile Device Management**.
+
+ **Figure 24** - Mobile device management
+
+ 
+
+3. Sign into Windows Store for Business using the same tenant account that you used to sign into Intune.
+4. Accept the EULA.
+5. In the Store portal, select **Settings > Management tools** to go to the management tools page.
+6. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune ready to use with Windows Store for Business.
+
+ **Figure 25** - Activate Intune as the Store management tool
+
+ 
+
+7. Go back to the Intune management portal, select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**.
+8. In the **Windows Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune.
+
+ **Figure 26** - Configure Store for Business sync in Intune
+
+ 
+
+9. In the **Configure Windows Store for Business app sync** dialog box, check **Enable Windows Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**.
+
+ **Figure 27** - Enable Windows Store for Business sync in Intune
+
+ 
+
+ The **Windows Store for Business** page will refresh and it will show the details from the sync.
+
+**To buy apps from the Store**
+
+In your Windows Store for Business portal, you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory:
+- Sway
+- OneNote
+- PowerPoint Mobile
+- Excel Mobile
+- Word Mobile
+
+In the Intune management portal, select **Apps > Apps > Volume-Purchased Apps** and verify that you can see the same list of apps appear on Intune.
+
+In the following example, we'll show you how to buy apps through the Windows Store for Business and then make sure the apps appear on Intune.
+
+**Example 1 - Add other apps like Reader and InstaNote**
+
+1. In the Windows Store for Business portal, click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list.
+
+ **Figure 28** - Shop for Store apps
+
+ 
+
+2. Click to select an app, such as **Reader**. This opens the app page.
+3. In the app's Store page, click **Get the app**. You should see a dialog that confirms your order. Click **Close**. This will refresh the app's Store page.
+4. In the app's Store page, click **Add to private store**.
+5. Next, search for another app by name (such as **InstaNote**) or repeat steps 1-4 for the **InstaNote** app.
+6. Go to **Manage > Inventory** and verify that the apps you purchased appear in your inventory.
+
+ **Figure 29** - App inventory shows the purchased apps
+
+ 
+
+ > [!NOTE]
+ > Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune to sync all your purchased apps. You can force a sync to make this process happen faster. For more info, see [To sync recently purchased apps](#forceappsync).
+
+**To sync recently purchased apps**
+
+If you need to sync your most recently purchased apps and have it appear in your catalog, you can do this by forcing a sync.
+
+1. In the Intune management portal, select **Admin > Mobile Device Management > Windows > Store for Business**.
+2. In the **Windows Store for Business** page, click **Sync now** to force a sync.
+
+ **Figure 30** - Force a sync in Intune
+
+ 
+
+**To view purchased apps**
+- In the Intune management portal, select **Apps > Apps** and then choose **Volume-Purchased Apps** to see the list of available apps. Verify that the apps you purchased were imported correctly.
+
+**To add more apps**
+- If you have other apps that you want to deploy or manage, you must add it to Microsoft Intune. To deploy Win32 apps and Web links, see Add apps for enrolled devices to Intune for more info on how to do this.
+
+## 2. Set up devices
+
+### 2.1 Set up new devices
+To set up new Windows devices, go through the Windows initial device setup or first-run experience to configure your device.
+
+**To set up a device**
+1. Go through the Windows device setup experience. On a new or reset device, this starts with the **Hi there** screen on devices running Windows 10, version 1607 (Anniversary Update). The setup lets you:
+ - Fill in the details in the **Hi there** screen including your home country/region, preferred language, keyboard layout, and timezone
+ - Accept the EULA
+ - Customize the setup or use Express settings
+
+ **Figure 31** - First screen in Windows device setup
+
+ 
+
+ > [!NOTE]
+ > During setup, if you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired/Ethernet connection.
+
+2. In the **Who owns this PC?** screen, select **My work or school owns it** and click **Next**.
+3. In the **Choose how you'll connect** screen, select **Join Azure Active Directory** and click **Next**.
+
+ **Figure 32** - Choose how you'll connect your Windows device
+
+ 
+
+4. In the **Let's get you signed in** screen, sign in using one of the user accounts you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts.
+
+ **Figure 33** - Sign in using one of the accounts you added
+
+ 
+
+5. If this is the first time you're signing in, you will be asked to update your password. Update the password and continue with sign-in and setup.
+
+ Windows will continue with setup and you may be asked to set up a PIN for Windows Hello if your organization has it enabled.
+
+### 2.2 Verify correct device setup
+Verify that the device is set up correctly and boots without any issues.
+
+**To verify that the device was set up correctly**
+1. Click on the **Start** menu and select some of the options to make sure everything launches properly.
+2. Confirm that the Store and built-in apps are working.
+
+### 2.3 Verify the device is Azure AD joined
+In the Intune management portal, verify that the device is joined to Azure AD and shows up as being managed in Microsoft Intune.
+
+**To verify if the device is joined to Azure AD**
+1. Check the device name on your PC. To do this, on your Windows PC, select **Settings > System > About** and then check **PC name**.
+
+ **Figure 34** - Check the PC name on your device
+
+ 
+
+2. Log in to the Intune management portal.
+3. Select **Groups** and then go to **Devices**.
+4. In the **All Devices** page, look at the list of devices and select the entry that matches the name of your PC.
+ - Check that the device name appears in the list. Select the device and it will also show the user that's currently logged in in the **General Information** section.
+ - Check the **Management Channel** column and confirm that it says **Managed by Microsoft Intune**.
+ - Check the **AAD Registered** column and confirm that it says **Yes**.
+
+ **Figure 35** - Check that the device appears in Intune
+
+ 
+
+## 3. Manage device settings and features
+You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. For more info, see [Manage settings and features on your devices with Microsoft Intune policies](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies).
+
+In this section, we'll show you how to reconfigure app deployment settings and add a new policy that will disable the camera for the Intune-managed devices and turn off Windows Hello and PINs during setup.
+
+### 3.1 Reconfigure app deployment settings
+In some cases, if an app is missing from the device, you need to reconfigure the deployment settings for the app and set the app to require installation as soon as possible.
+
+**To reconfigure app deployment settings**
+1. In the Intune management portal, select **Apps** and go to **Apps > Volume-Purchased Apps**.
+2. Select the app, right-click, then select **Manage Deployment...**.
+3. Select the group(s) whose apps will be managed, and then click **Add** to add the group.
+4. Click **Next** at the bottom of the app deployment settings window or select **Deployment Action** on the left column to check the deployment settings for the app.
+5. For each group that you selected, set **Approval** to **Required Install**. This automatically sets **Deadline** to **As soon as possible**. If **Deadline** is not automatically set, set it to **As soon as possible**.
+
+ **Figure 36** - Reconfigure an app's deployment setting in Intune
+
+ 
+
+6. Click **Finish**.
+7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible.
+6. Verify that the app shows up on the device. To do this:
+ - Make sure you're logged in to the Windows device.
+ - Click the **Start** button and check the apps that appear in the **Recently added** section. If you don't see the apps that you deployed in Intune, give it a few minutes. Only apps that aren't already deployed on the device will appear in the **Recently added** section.
+
+ **Figure 37** - Confirm that additional apps were deployed to the device
+
+ 
+
+### 3.2 Configure other settings in Intune
+
+**To disable the camera**
+1. In the Intune management portal, select **Policy > Configuration Policies**.
+2. In the **Policies** window, click **Add** to create a new policy.
+3. On the **Create a New Policy** page, click **Windows** to expand the group, select **General Configuration (Windows 10 Desktop and Mobile and later)**, choose **Create and Deploy a Custom Policy**, and then click **Create Policy**.
+4. On the **Create Policy** page, select **Device Capabilities**.
+5. In the **General** section, add a name and description for this policy. For example:
+ - **Name**: Test Policy - Disable Camera
+ - **Description**: Disables the camera
+6. Scroll down to the **Hardware** section, find **Allow camera is not configured**, toggle the button so that it changes to **Allow camera** and choose **No** from the dropdown list.
+
+ **Figure 38** - Add a configuration policy
+
+ 
+
+7. Click **Save Policy**. A confirmation window will pop up.
+8. On the **Deploy Policy** confirmation window, select **Yes** to deploy the policy now.
+9. On the **Management Deployment** window, select the user group(s) or device group(s) that you want to apply the policy to (for example, **All Users**), and then click **Add**.
+10. Click **OK** to close the window.
+
+ **Figure 39** - The new policy should appear in the **Policies** list.
+
+ 
+
+**To turn off Windows Hello and PINs during device setup**
+1. In the Intune management portal, select **Admin**.
+2. Go to **Mobile Device Management > Windows > Windows Hello for Business**.
+3. In the **Windows Hello for Business** page, select **Disable Windows Hello for Business on enrolled devices**.
+
+ **Figure 40** - Policy to disable Windows Hello for Business
+
+ 
+
+4. Click **Save**.
+
+ > [!NOTE]
+ > This policy is a tenant-wide Intune setting. It disables Windows Hello and required PINs during setup for all enrolled devices in a tenant.
+
+To test whether these policies get successfully deployed to your tenant, go through [4. Add more devices and users](#4-add-more-devices-and-users) and setup another Windows device and login as one of the users.
+
+## 4. Add more devices and users
+After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more devices or users and you want the same policies to apply to these new devices and users. In this section, we'll show you how to do this.
+
+### 4.1 Connect other devices to your cloud infrastructure
+Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [2. Set up devices](#2-set-up-devices).
+
+For other devices, such as those personally-owned by employees who need to connect to the corporate network to access corporate resources (BYOD), you can follow the steps in this section to get these devices connected.
+
+ > [!NOTE]
+ > These steps enable users to get access to the organization's resources, but it also gives the organization some control over the device.
+
+**To connect a personal device to your work or school**
+1. On your Windows device, go to **Settings > Accounts**.
+2. Select **Access work or school** and then click **Connect** in the **Connect to work or school** page.
+3. In the **Set up a work or school account** window, click **Join this device to Azure Active Directory** to add an Azure AD account to the device.
+
+ **Figure 41** - Add an Azure AD account to the device
+
+ 
+
+4. In the **Let's get you signed in** window, enter the work credentials for the account and then click **Sign in** to authenticate the user.
+
+ **Figure 42** - Enter the account details
+
+ 
+
+5. You will be asked to update the password so enter a new password.
+6. Verify the details to make sure you're connecting to the right organization and then click **Join**.
+
+ **Figure 43** - Make sure this is your organization
+
+ 
+
+7. You will see a confirmation window that says the device is now connected to your organization. Click **Done**.
+
+ **Figure 44** - Confirmation that the device is now connected
+
+ 
+
+8. The **Connect to work or school** window will refresh and will now include an entry that shows you're connected to your organization's Azure AD. This means the device is now registered in Azure AD and enrolled in MDM and the account should have access to the organization's resources.
+
+ **Figure 45** - Device is now enrolled in Azure AD
+
+ 
+
+9. You can confirm that the new device and user are showing up as Intune-managed by going to the Intune management portal and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later.
+
+### 4.2 Add a new user
+You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Microsoft Intune.
+
+See [Add users to Office 365](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc?ui=en-US&rs=en-US&ad=US&fromAR=1) to learn more. Once you're done adding new users, go to the Intune management portal and verify that the same users were added to the Intune groups as well.
+
+## Get more info
+
+### For IT admins
+To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links:
+- Set up Office 365 for business
+- Common admin tasks in Office 365 including email and OneDrive in Manage Office 365
+- More info about managing devices, apps, data, troubleshooting, and more in Intune documentation
+- Learn more about Windows 10 in Windows 10 guide for IT pros
+- Info about distributing apps to your employees, managing apps, managing settings, and more in Windows Store for Business
+
+### For information workers
+Whether it's in the classroom, getting the most out of your devices, or learning some of the cool things you can do, we've got teachers covered. Follow these links for more info:
+- Office help and training
+- Windows 10 help
+
+## Related topics
+
+- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index)
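Review bot: the intro under "### For information workers" ("Whether it's in the classroom ... we've got teachers covered") reads as text carried over from the education docs and does not fit an SMB walkthrough; reword it for business users. In the same hunk, step 5 of the device setup ("You will be asked to update the password so enter a new password") has no figure, although win10_change_your_password.PNG is added in this commit, so either reference that image or remove it. The "Add users to Office 365" link carries query parameters (`?ui=en-US&rs=en-US&ad=US&fromAR=1`) that can be dropped. The bullets under "For IT admins" and "For information workers" are introduced with "follow these links" but show as plain text in this diff; confirm each one has a target.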
diff --git a/smb/images/azure_ad_access_not_available.PNG b/smb/images/azure_ad_access_not_available.PNG
new file mode 100644
index 0000000000..754ff011ea
Binary files /dev/null and b/smb/images/azure_ad_access_not_available.PNG differ
diff --git a/smb/images/azure_ad_sign_up_screen.PNG b/smb/images/azure_ad_sign_up_screen.PNG
new file mode 100644
index 0000000000..3c369cfd5b
Binary files /dev/null and b/smb/images/azure_ad_sign_up_screen.PNG differ
diff --git a/smb/images/azure_ad_successful_signup.PNG b/smb/images/azure_ad_successful_signup.PNG
new file mode 100644
index 0000000000..197744f309
Binary files /dev/null and b/smb/images/azure_ad_successful_signup.PNG differ
diff --git a/smb/images/azure_portal_azure_ad_management.PNG b/smb/images/azure_portal_azure_ad_management.PNG
new file mode 100644
index 0000000000..6401aa910b
Binary files /dev/null and b/smb/images/azure_portal_azure_ad_management.PNG differ
diff --git a/smb/images/azure_portal_azure_ad_management_users_groups.png b/smb/images/azure_portal_azure_ad_management_users_groups.png
new file mode 100644
index 0000000000..5010765800
Binary files /dev/null and b/smb/images/azure_portal_azure_ad_management_users_groups.png differ
diff --git a/smb/images/azure_portal_classic.PNG b/smb/images/azure_portal_classic.PNG
new file mode 100644
index 0000000000..15132f7a07
Binary files /dev/null and b/smb/images/azure_portal_classic.PNG differ
diff --git a/smb/images/azure_portal_classic_add_group.PNG b/smb/images/azure_portal_classic_add_group.PNG
new file mode 100644
index 0000000000..417e9b8a72
Binary files /dev/null and b/smb/images/azure_portal_classic_add_group.PNG differ
diff --git a/smb/images/azure_portal_classic_all_users_group.PNG b/smb/images/azure_portal_classic_all_users_group.PNG
new file mode 100644
index 0000000000..55988d9c6c
Binary files /dev/null and b/smb/images/azure_portal_classic_all_users_group.PNG differ
diff --git a/smb/images/azure_portal_classic_applications.PNG b/smb/images/azure_portal_classic_applications.PNG
new file mode 100644
index 0000000000..9c39a28e08
Binary files /dev/null and b/smb/images/azure_portal_classic_applications.PNG differ
diff --git a/smb/images/azure_portal_classic_configure_directory.png b/smb/images/azure_portal_classic_configure_directory.png
new file mode 100644
index 0000000000..1cece3e84c
Binary files /dev/null and b/smb/images/azure_portal_classic_configure_directory.png differ
diff --git a/smb/images/azure_portal_classic_configure_intune.PNG b/smb/images/azure_portal_classic_configure_intune.PNG
new file mode 100644
index 0000000000..0daddd7e83
Binary files /dev/null and b/smb/images/azure_portal_classic_configure_intune.PNG differ
diff --git a/smb/images/azure_portal_classic_configure_intune_app.png b/smb/images/azure_portal_classic_configure_intune_app.png
new file mode 100644
index 0000000000..1110714b7c
Binary files /dev/null and b/smb/images/azure_portal_classic_configure_intune_app.png differ
diff --git a/smb/images/azure_portal_classic_configure_intune_mdm_enrollment.PNG b/smb/images/azure_portal_classic_configure_intune_mdm_enrollment.PNG
new file mode 100644
index 0000000000..a85a28dd7d
Binary files /dev/null and b/smb/images/azure_portal_classic_configure_intune_mdm_enrollment.PNG differ
diff --git a/smb/images/azure_portal_classic_directory_ready.PNG b/smb/images/azure_portal_classic_directory_ready.PNG
new file mode 100644
index 0000000000..d627036ca3
Binary files /dev/null and b/smb/images/azure_portal_classic_directory_ready.PNG differ
diff --git a/smb/images/azure_portal_classic_groups.PNG b/smb/images/azure_portal_classic_groups.PNG
new file mode 100644
index 0000000000..a746a0b21b
Binary files /dev/null and b/smb/images/azure_portal_classic_groups.PNG differ
diff --git a/smb/images/azure_portal_classic_members_added.PNG b/smb/images/azure_portal_classic_members_added.PNG
new file mode 100644
index 0000000000..5cb5864330
Binary files /dev/null and b/smb/images/azure_portal_classic_members_added.PNG differ
diff --git a/smb/images/azure_portal_home.PNG b/smb/images/azure_portal_home.PNG
new file mode 100644
index 0000000000..5f0dcf4c5d
Binary files /dev/null and b/smb/images/azure_portal_home.PNG differ
diff --git a/smb/images/azure_portal_select_azure_ad.png b/smb/images/azure_portal_select_azure_ad.png
new file mode 100644
index 0000000000..694d30cbdd
Binary files /dev/null and b/smb/images/azure_portal_select_azure_ad.png differ
diff --git a/smb/images/business-cloud-mode-graphic.png b/smb/images/business-cloud-mode-graphic.png
new file mode 100644
index 0000000000..449b7ca356
Binary files /dev/null and b/smb/images/business-cloud-mode-graphic.png differ
diff --git a/smb/images/business-cloud-mode.png b/smb/images/business-cloud-mode.png
new file mode 100644
index 0000000000..f524b42372
Binary files /dev/null and b/smb/images/business-cloud-mode.png differ
diff --git a/smb/images/deploy.png b/smb/images/deploy.png
new file mode 100644
index 0000000000..8fe505f77e
Binary files /dev/null and b/smb/images/deploy.png differ
diff --git a/smb/images/deploy_art.png b/smb/images/deploy_art.png
new file mode 100644
index 0000000000..5f2a6d0978
Binary files /dev/null and b/smb/images/deploy_art.png differ
diff --git a/smb/images/intune_admin_mdm.PNG b/smb/images/intune_admin_mdm.PNG
new file mode 100644
index 0000000000..3b334b27d5
Binary files /dev/null and b/smb/images/intune_admin_mdm.PNG differ
diff --git a/smb/images/intune_admin_mdm_configure.png b/smb/images/intune_admin_mdm_configure.png
new file mode 100644
index 0000000000..0a9cb4b99f
Binary files /dev/null and b/smb/images/intune_admin_mdm_configure.png differ
diff --git a/smb/images/intune_admin_mdm_forcesync.PNG b/smb/images/intune_admin_mdm_forcesync.PNG
new file mode 100644
index 0000000000..96d085a261
Binary files /dev/null and b/smb/images/intune_admin_mdm_forcesync.PNG differ
diff --git a/smb/images/intune_admin_mdm_store_sync.PNG b/smb/images/intune_admin_mdm_store_sync.PNG
new file mode 100644
index 0000000000..3b884371b0
Binary files /dev/null and b/smb/images/intune_admin_mdm_store_sync.PNG differ
diff --git a/smb/images/intune_apps_deploymentaction.PNG b/smb/images/intune_apps_deploymentaction.PNG
new file mode 100644
index 0000000000..0c769017d2
Binary files /dev/null and b/smb/images/intune_apps_deploymentaction.PNG differ
diff --git a/smb/images/intune_configure_store_app_sync_dialog.PNG b/smb/images/intune_configure_store_app_sync_dialog.PNG
new file mode 100644
index 0000000000..abb41318f1
Binary files /dev/null and b/smb/images/intune_configure_store_app_sync_dialog.PNG differ
diff --git a/smb/images/intune_groups_devices_list.PNG b/smb/images/intune_groups_devices_list.PNG
new file mode 100644
index 0000000000..f571847bc7
Binary files /dev/null and b/smb/images/intune_groups_devices_list.PNG differ
diff --git a/smb/images/intune_policies_newpolicy_deployed.PNG b/smb/images/intune_policies_newpolicy_deployed.PNG
new file mode 100644
index 0000000000..72cb4d5db3
Binary files /dev/null and b/smb/images/intune_policies_newpolicy_deployed.PNG differ
diff --git a/smb/images/intune_policy_disable_windowshello.PNG b/smb/images/intune_policy_disable_windowshello.PNG
new file mode 100644
index 0000000000..2b7300c9ce
Binary files /dev/null and b/smb/images/intune_policy_disable_windowshello.PNG differ
diff --git a/smb/images/intune_policy_disablecamera.PNG b/smb/images/intune_policy_disablecamera.PNG
new file mode 100644
index 0000000000..53fd969c00
Binary files /dev/null and b/smb/images/intune_policy_disablecamera.PNG differ
diff --git a/smb/images/intune_portal_home.PNG b/smb/images/intune_portal_home.PNG
new file mode 100644
index 0000000000..b63295fe42
Binary files /dev/null and b/smb/images/intune_portal_home.PNG differ
diff --git a/smb/images/learn.png b/smb/images/learn.png
new file mode 100644
index 0000000000..9e8f87f436
Binary files /dev/null and b/smb/images/learn.png differ
diff --git a/smb/images/learn_art.png b/smb/images/learn_art.png
new file mode 100644
index 0000000000..1170f9ca26
Binary files /dev/null and b/smb/images/learn_art.png differ
diff --git a/smb/images/o365_active_users.PNG b/smb/images/o365_active_users.PNG
new file mode 100644
index 0000000000..8ab381a59d
Binary files /dev/null and b/smb/images/o365_active_users.PNG differ
diff --git a/smb/images/o365_add_existing_domain.PNG b/smb/images/o365_add_existing_domain.PNG
new file mode 100644
index 0000000000..e29cdca3f9
Binary files /dev/null and b/smb/images/o365_add_existing_domain.PNG differ
diff --git a/smb/images/o365_additional_domain.PNG b/smb/images/o365_additional_domain.PNG
new file mode 100644
index 0000000000..5682fb15f7
Binary files /dev/null and b/smb/images/o365_additional_domain.PNG differ
diff --git a/smb/images/o365_admin_portal.PNG b/smb/images/o365_admin_portal.PNG
new file mode 100644
index 0000000000..cfbf696310
Binary files /dev/null and b/smb/images/o365_admin_portal.PNG differ
diff --git a/smb/images/o365_assign_intune_license.PNG b/smb/images/o365_assign_intune_license.PNG
new file mode 100644
index 0000000000..261f096a98
Binary files /dev/null and b/smb/images/o365_assign_intune_license.PNG differ
diff --git a/smb/images/o365_domains.PNG b/smb/images/o365_domains.PNG
new file mode 100644
index 0000000000..ca79f71f54
Binary files /dev/null and b/smb/images/o365_domains.PNG differ
diff --git a/smb/images/o365_microsoft_provided_domain.PNG b/smb/images/o365_microsoft_provided_domain.PNG
new file mode 100644
index 0000000000..b2a05eb5a9
Binary files /dev/null and b/smb/images/o365_microsoft_provided_domain.PNG differ
diff --git a/smb/images/o365_trynow.PNG b/smb/images/o365_trynow.PNG
new file mode 100644
index 0000000000..5810f3e0f9
Binary files /dev/null and b/smb/images/o365_trynow.PNG differ
diff --git a/smb/images/o365_users.PNG b/smb/images/o365_users.PNG
new file mode 100644
index 0000000000..e0b462a8c5
Binary files /dev/null and b/smb/images/o365_users.PNG differ
diff --git a/smb/images/office365_add_individual_user.PNG b/smb/images/office365_add_individual_user.PNG
new file mode 100644
index 0000000000..87f674fa10
Binary files /dev/null and b/smb/images/office365_add_individual_user.PNG differ
diff --git a/smb/images/office365_additional_domain.png b/smb/images/office365_additional_domain.png
new file mode 100644
index 0000000000..940a090477
Binary files /dev/null and b/smb/images/office365_additional_domain.png differ
diff --git a/smb/images/office365_admin_center.png b/smb/images/office365_admin_center.png
new file mode 100644
index 0000000000..26808fc27c
Binary files /dev/null and b/smb/images/office365_admin_center.png differ
diff --git a/smb/images/office365_admin_portal.png b/smb/images/office365_admin_portal.png
new file mode 100644
index 0000000000..fe0f81bda0
Binary files /dev/null and b/smb/images/office365_admin_portal.png differ
diff --git a/smb/images/office365_buy_domain.png b/smb/images/office365_buy_domain.png
new file mode 100644
index 0000000000..51ea9c1e6c
Binary files /dev/null and b/smb/images/office365_buy_domain.png differ
diff --git a/smb/images/office365_create_userid.png b/smb/images/office365_create_userid.png
new file mode 100644
index 0000000000..fc3d070841
Binary files /dev/null and b/smb/images/office365_create_userid.png differ
diff --git a/smb/images/office365_domains.png b/smb/images/office365_domains.png
new file mode 100644
index 0000000000..51ea9c1e6c
Binary files /dev/null and b/smb/images/office365_domains.png differ
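Review bot: office365_domains.png is added with the same abbreviated blob id (51ea9c1e6c) as office365_buy_domain.png just above, so the two files have identical content. Either one of them is the wrong screenshot, or one copy can be dropped and its reference pointed at the other.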
diff --git a/smb/images/office365_import_multiple_users.PNG b/smb/images/office365_import_multiple_users.PNG
new file mode 100644
index 0000000000..c1b05fa2c9
Binary files /dev/null and b/smb/images/office365_import_multiple_users.PNG differ
diff --git a/smb/images/office365_ms_provided_domain.png b/smb/images/office365_ms_provided_domain.png
new file mode 100644
index 0000000000..18479da421
Binary files /dev/null and b/smb/images/office365_ms_provided_domain.png differ
diff --git a/smb/images/office365_plan_subscription_checkout.png b/smb/images/office365_plan_subscription_checkout.png
new file mode 100644
index 0000000000..340336c39e
Binary files /dev/null and b/smb/images/office365_plan_subscription_checkout.png differ
diff --git a/smb/images/office365_portal.png b/smb/images/office365_portal.png
new file mode 100644
index 0000000000..f3a23d4a65
Binary files /dev/null and b/smb/images/office365_portal.png differ
diff --git a/smb/images/office365_signup_page.png b/smb/images/office365_signup_page.png
new file mode 100644
index 0000000000..ce2de7f034
Binary files /dev/null and b/smb/images/office365_signup_page.png differ
diff --git a/smb/images/office365_trynow.png b/smb/images/office365_trynow.png
new file mode 100644
index 0000000000..72aaeb923a
Binary files /dev/null and b/smb/images/office365_trynow.png differ
diff --git a/smb/images/office365_tryorbuy_now.png b/smb/images/office365_tryorbuy_now.png
new file mode 100644
index 0000000000..760e3a74cc
Binary files /dev/null and b/smb/images/office365_tryorbuy_now.png differ
diff --git a/smb/images/office365_users.png b/smb/images/office365_users.png
new file mode 100644
index 0000000000..ec9231de1b
Binary files /dev/null and b/smb/images/office365_users.png differ
diff --git a/smb/images/smb_portal_banner.png b/smb/images/smb_portal_banner.png
new file mode 100644
index 0000000000..e38560ab5a
Binary files /dev/null and b/smb/images/smb_portal_banner.png differ
diff --git a/smb/images/win10_add_new_user_account_aadwork.PNG b/smb/images/win10_add_new_user_account_aadwork.PNG
new file mode 100644
index 0000000000..378339b1e9
Binary files /dev/null and b/smb/images/win10_add_new_user_account_aadwork.PNG differ
diff --git a/smb/images/win10_add_new_user_join_aad.PNG b/smb/images/win10_add_new_user_join_aad.PNG
new file mode 100644
index 0000000000..7924250993
Binary files /dev/null and b/smb/images/win10_add_new_user_join_aad.PNG differ
diff --git a/smb/images/win10_change_your_password.PNG b/smb/images/win10_change_your_password.PNG
new file mode 100644
index 0000000000..bf9f164290
Binary files /dev/null and b/smb/images/win10_change_your_password.PNG differ
diff --git a/smb/images/win10_choosehowtoconnect.PNG b/smb/images/win10_choosehowtoconnect.PNG
new file mode 100644
index 0000000000..0a561b1913
Binary files /dev/null and b/smb/images/win10_choosehowtoconnect.PNG differ
diff --git a/smb/images/win10_confirm_device_connected_to_org.PNG b/smb/images/win10_confirm_device_connected_to_org.PNG
new file mode 100644
index 0000000000..a70849ebe8
Binary files /dev/null and b/smb/images/win10_confirm_device_connected_to_org.PNG differ
diff --git a/smb/images/win10_confirm_organization_details.PNG b/smb/images/win10_confirm_organization_details.PNG
new file mode 100644
index 0000000000..54605d39fe
Binary files /dev/null and b/smb/images/win10_confirm_organization_details.PNG differ
diff --git a/smb/images/win10_deivce_enrolled_in_aad.PNG b/smb/images/win10_deivce_enrolled_in_aad.PNG
new file mode 100644
index 0000000000..a2c60c114e
Binary files /dev/null and b/smb/images/win10_deivce_enrolled_in_aad.PNG differ
diff --git a/smb/images/win10_deploy_apps_immediately.PNG b/smb/images/win10_deploy_apps_immediately.PNG
new file mode 100644
index 0000000000..1e63f77939
Binary files /dev/null and b/smb/images/win10_deploy_apps_immediately.PNG differ
diff --git a/smb/images/win10_device_enrolled_in_aad.png b/smb/images/win10_device_enrolled_in_aad.png
new file mode 100644
index 0000000000..a2c60c114e
Binary files /dev/null and b/smb/images/win10_device_enrolled_in_aad.png differ
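Review bot: win10_deivce_enrolled_in_aad.PNG, added just above, misspells "device" and has the same abbreviated blob id (a2c60c114e) as win10_device_enrolled_in_aad.png, so it looks like a leftover from a rename. Drop the misspelled copy and make sure the walkthrough references the correctly named file. More generally, the images in this commit mix `.PNG` and `.png` extensions, which breaks links on case-sensitive hosts if a reference uses the other casing.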
diff --git a/smb/images/win10_device_setup_complete.PNG b/smb/images/win10_device_setup_complete.PNG
new file mode 100644
index 0000000000..454e30a441
Binary files /dev/null and b/smb/images/win10_device_setup_complete.PNG differ
diff --git a/smb/images/win10_hithere.PNG b/smb/images/win10_hithere.PNG
new file mode 100644
index 0000000000..b251b8eb7c
Binary files /dev/null and b/smb/images/win10_hithere.PNG differ
diff --git a/smb/images/win10_settings_pcname.PNG b/smb/images/win10_settings_pcname.PNG
new file mode 100644
index 0000000000..ff815b0a8a
Binary files /dev/null and b/smb/images/win10_settings_pcname.PNG differ
diff --git a/smb/images/win10_signin_admin_account.PNG b/smb/images/win10_signin_admin_account.PNG
new file mode 100644
index 0000000000..e6df613284
Binary files /dev/null and b/smb/images/win10_signin_admin_account.PNG differ
diff --git a/smb/images/wsfb_account_details.PNG b/smb/images/wsfb_account_details.PNG
new file mode 100644
index 0000000000..7a2594ec3f
Binary files /dev/null and b/smb/images/wsfb_account_details.PNG differ
diff --git a/smb/images/wsfb_account_details_2.PNG b/smb/images/wsfb_account_details_2.PNG
new file mode 100644
index 0000000000..7e38f20099
Binary files /dev/null and b/smb/images/wsfb_account_details_2.PNG differ
diff --git a/smb/images/wsfb_account_signup_saveinfo.PNG b/smb/images/wsfb_account_signup_saveinfo.PNG
new file mode 100644
index 0000000000..f29280352b
Binary files /dev/null and b/smb/images/wsfb_account_signup_saveinfo.PNG differ
diff --git a/smb/images/wsfb_manage_inventory_newapps.PNG b/smb/images/wsfb_manage_inventory_newapps.PNG
new file mode 100644
index 0000000000..070728fcad
Binary files /dev/null and b/smb/images/wsfb_manage_inventory_newapps.PNG differ
diff --git a/smb/images/wsfb_management_tools.PNG b/smb/images/wsfb_management_tools.PNG
new file mode 100644
index 0000000000..82d11a9a25
Binary files /dev/null and b/smb/images/wsfb_management_tools.PNG differ
diff --git a/smb/images/wsfb_management_tools_activate.png b/smb/images/wsfb_management_tools_activate.png
new file mode 100644
index 0000000000..bb2ffd99ad
Binary files /dev/null and b/smb/images/wsfb_management_tools_activate.png differ
diff --git a/smb/images/wsfb_shop_microsoft_apps.PNG b/smb/images/wsfb_shop_microsoft_apps.PNG
new file mode 100644
index 0000000000..562f3fd1e3
Binary files /dev/null and b/smb/images/wsfb_shop_microsoft_apps.PNG differ
diff --git a/smb/images/wsfb_signup_for_account.PNG b/smb/images/wsfb_signup_for_account.PNG
new file mode 100644
index 0000000000..d641587c5e
Binary files /dev/null and b/smb/images/wsfb_signup_for_account.PNG differ
diff --git a/smb/images/wsfb_store_portal.PNG b/smb/images/wsfb_store_portal.PNG
new file mode 100644
index 0000000000..03a4ad928e
Binary files /dev/null and b/smb/images/wsfb_store_portal.PNG differ
diff --git a/smb/index.md b/smb/index.md
index eaeb8132cd..66ce83c5e5 100644
--- a/smb/index.md
+++ b/smb/index.md
@@ -1,4 +1,47 @@
---
-title: SMB placeholder
-description: SMB placeholder
+title: Windows 10 for small to midsize businesses
+description: Microsoft products and devices to transform and grow your businessLearn how to use Windows 10 for your small to midsize business.
+keywords: Windows 10, SMB, small business, midsize business, business
+ms.prod: w10
+ms.technology: smb-windows
+ms.topic: article
+ms.author: celested
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.lang: EN
+ms.loc: US
+ms.pagetype: smb
+author: CelesteDG
---
+
+
+
+# Windows 10 for SMB
+
+
+##  Learn
+
+
SMB blog Read about the latest stories, technology insights, and business strategies for SMBs.
+
+
+
How to buy Go here when you're ready to buy or want to learn more about Microsoft products you can use to help transform your business.
+
+
+
+##  Deploy
+
+
+
+
[Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md) Find out how easy it is to deploy and manage a full cloud IT solution for your small to midsize business using Microsoft cloud services and tools.
+
+
+
+
+
+
+ ## Related topics
+
+- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index)
\ No newline at end of file
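Review bot: the `description:` value in the front matter runs two sentences together ("...transform and grow your businessLearn how to use Windows 10...") with no period or space; keep one sentence or separate them. The file also ends without a trailing newline, and the `## Related topics` heading is indented by one space, unlike the other headings in the file.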
diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md
index 6eeb973c7f..38e3354323 100644
--- a/windows/deploy/TOC.md
+++ b/windows/deploy/TOC.md
@@ -51,6 +51,7 @@
## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
## [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md)
+## [Convert MBR partition to GPT](mbr-to-gpt.md)
## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
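Review bot: the new TOC entry is titled "Convert MBR partition to GPT", but mbr-to-gpt.md in this same commit is titled "MBR2GPT" with the heading "MBR2GPT.EXE", and its summary describes converting a disk's partition style rather than a single partition. Align the entry text with the topic title, here and in the matching rows added to change-history-for-deploy-windows-10.md and windows/deploy/index.md, so readers searching for the tool name can find it.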
diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md
index a71d13e154..d2629f839f 100644
--- a/windows/deploy/change-history-for-deploy-windows-10.md
+++ b/windows/deploy/change-history-for-deploy-windows-10.md
@@ -11,6 +11,11 @@ author: greg-lindsay
# Change history for Deploy Windows 10
This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## March 2017
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Convert MBR partition to GPT](mbr-to-gpt.md) | New |
+
## February 2017
| New or changed topic | Description |
|----------------------|-------------|
diff --git a/windows/deploy/images/mbr2gpt-volume.PNG b/windows/deploy/images/mbr2gpt-volume.PNG
new file mode 100644
index 0000000000..d69bed87fb
Binary files /dev/null and b/windows/deploy/images/mbr2gpt-volume.PNG differ
diff --git a/windows/deploy/images/mbr2gpt-workflow.png b/windows/deploy/images/mbr2gpt-workflow.png
new file mode 100644
index 0000000000..f7741cf0c3
Binary files /dev/null and b/windows/deploy/images/mbr2gpt-workflow.png differ
diff --git a/windows/deploy/index.md b/windows/deploy/index.md
index 3b669c973b..6660898fad 100644
--- a/windows/deploy/index.md
+++ b/windows/deploy/index.md
@@ -24,6 +24,7 @@ Learn about deploying Windows 10 for IT professionals.
|[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. |
|[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. |
|[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
+|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
|[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
| [Provisioning packages for Windows 10](provisioning-packages.md) | Learn how to use the Windows Imaging and Configuration Designer (ICD) and provisioning packages to easily configure multiple devices. |
diff --git a/windows/deploy/mbr-to-gpt.md b/windows/deploy/mbr-to-gpt.md
new file mode 100644
index 0000000000..5775e4b633
--- /dev/null
+++ b/windows/deploy/mbr-to-gpt.md
@@ -0,0 +1,384 @@
+---
+title: MBR2GPT
+description: How to use the MBR2GPT tool to convert MBR partitions to GPT
+keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+localizationpriority: high
+---
+
+# MBR2GPT.EXE
+
+**Applies to**
+- Windows 10
+
+## Summary
+
+**MBR2GPT.EXE** converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
+
+You can use MBR2GPT to perform the following:
+
+- \[Within the Windows PE environment\]: Convert any attached MBR-formatted disk to GPT, including the system disk.
+- \[From within the currently running OS\]: Convert any attached MBR-formatted disk to GPT, including the system disk.
+
+>MBR2GPT is available in Windows 10 version 1703, also known as Windows 10 Creator's Update, and later versions.
+>The tool is available in both the full OS environment and Windows PE.
+
+You can use MBR2GPT to convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them.
+
+The MBR2GPT tool can convert operating system disks that have earlier versions of Windows installed, such as Windows 10 versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
+
+>[!IMPORTANT]
+>After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode. Make sure that your device supports UEFI before attempting to convert the disk.
+
+## Syntax
+
+
+
+### Options
+
+| Option | Description |
+|----|-------------|
+|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. |
+|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. |
+|/disk:\| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as that used by the diskpart.exe tool **SELECT DISK SYSTEM** command.|
+|/logs:\| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.|
+|/map:\=\| Specifies additional partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexidecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. |
+|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.|
+
+## Examples
+
+### Validation example
+
+In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**.
+
+```
+X:\>mbr2gpt /validate /disk:0
+MBR2GPT: Attempting to validate disk 0
+MBR2GPT: Retrieving layout of disk
+MBR2GPT: Validating layout, disk sector size is: 512
+MBR2GPT: Validation completed successfully
+```
+
+### Conversion example
+
+In the following example:
+
+1. The current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
+2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type.
+2. The MBR2GPT tool is used to convert disk 0.
+3. The DISKPART tool displays that disk 0 is now using the GPT format.
+4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
+5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+
+>As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
+
+```
+DISKPART> list volume
+
+ Volume ### Ltr Label Fs Type Size Status Info
+ ---------- --- ----------- ----- ---------- ------- --------- --------
+ Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy
+ Volume 1 C System Rese NTFS Partition 499 MB Healthy
+ Volume 2 D Windows NTFS Partition 58 GB Healthy
+ Volume 3 E Recovery NTFS Partition 612 MB Healthy Hidden
+
+DISKPART> select volume 2
+
+Volume 2 is the selected volume.
+
+DISKPART> list partition
+
+ Partition ### Type Size Offset
+ ------------- ---------------- ------- -------
+ Partition 1 Primary 499 MB 1024 KB
+* Partition 2 Primary 58 GB 500 MB
+ Partition 3 Recovery 612 MB 59 GB
+
+DISKPART> detail partition
+
+Partition 2
+Type : 07
+Hidden: No
+Active: No
+Offset in Bytes: 524288000
+
+ Volume ### Ltr Label Fs Type Size Status Info
+ ---------- --- ----------- ----- ---------- ------- --------- --------
+* Volume 2 D Windows NTFS Partition 58 GB Healthy
+
+DISKPART> exit
+
+Leaving DiskPart...
+
+X:\>mbr2gpt /convert /disk:0
+
+MBR2GPT will now attempt to convert disk 0.
+If conversion is successful the disk can only be booted in GPT mode.
+These changes cannot be undone!
+
+MBR2GPT: Attempting to convert disk 0
+MBR2GPT: Retrieving layout of disk
+MBR2GPT: Validating layout, disk sector size is: 512 bytes
+MBR2GPT: Trying to shrink the system partition
+MBR2GPT: Trying to shrink the OS partition
+MBR2GPT: Creating the EFI system partition
+MBR2GPT: Installing the new boot files
+MBR2GPT: Performing the layout conversion
+MBR2GPT: Migrating default boot entry
+MBR2GPT: Adding recovery boot entry
+MBR2GPT: Fixing drive letter mapping
+MBR2GPT: Conversion completed successfully
+MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode!
+
+X:\>diskpart
+
+Microsoft DiskPart version 10.0.15048.0
+
+Copyright (C) Microsoft Corporation.
+On computer: MININT-K71F13N
+
+DISKPART> list disk
+
+ Disk ### Status Size Free Dyn Gpt
+ -------- ------------- ------- ------- --- ---
+ Disk 0 Online 60 GB 0 B *
+
+DISKPART> select disk 0
+
+Disk 0 is now the selected disk.
+
+DISKPART> list volume
+
+ Volume ### Ltr Label Fs Type Size Status Info
+ ---------- --- ----------- ----- ---------- ------- --------- --------
+ Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy
+ Volume 1 D Windows NTFS Partition 58 GB Healthy
+ Volume 2 C System Rese NTFS Partition 499 MB Healthy Hidden
+ Volume 3 FAT32 Partition 100 MB Healthy Hidden
+ Volume 4 E Recovery NTFS Partition 612 MB Healthy Hidden
+
+DISKPART> select volume 1
+
+Volume 1 is the selected volume.
+
+DISKPART> list partition
+
+ Partition ### Type Size Offset
+ ------------- ---------------- ------- -------
+ Partition 1 Recovery 499 MB 1024 KB
+* Partition 2 Primary 58 GB 500 MB
+ Partition 4 System 100 MB 59 GB
+ Partition 3 Recovery 612 MB 59 GB
+
+DISKPART> detail partition
+
+Partition 2
+Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
+Hidden : No
+Required: No
+Attrib : 0000000000000000
+Offset in Bytes: 524288000
+
+ Volume ### Ltr Label Fs Type Size Status Info
+ ---------- --- ----------- ----- ---------- ------- --------- --------
+* Volume 1 D Windows NTFS Partition 58 GB Healthy
+
+```
+
+## Specifications
+
+### Disk conversion workflow
+
+The following steps illustrate high-level phases of the MBR-to-GPT conversion process:
+
+1. Disk validation is performed.
+2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist.
+3. UEFI boot files are installed to the ESP.
+4. GPT metatdata and layout information is applied.
+5. The boot configuration data (BCD) store is updated.
+6. Drive letter assignments are restored.
+
+### Disk validation
+
+Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that:
+- The disk is currently using MBR
+- There is enough space not occupied by partitions to store the primary and secondary GPTs:
+ - 16KB + 2 sectors at the front of the disk
+ - 16KB + 1 sector at the end of the disk
+- There are at most 3 primary partitions in the MBR partition table
+- One of the partitions is set as active and is the system partition
+- The BCD store on the system partition contains a default OS entry pointing to an OS partition
+- The volume IDs can retrieved for each volume which has a drive letter assigned
+- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option
+
+If any of these checks fails, the conversion will not proceed and an error will be returned.
+
+### Creating an EFI system partition
+
+For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules:
+
+1. The existing MBR system partition is reused if it meets these requirements:
+ a. It is not also the OS or Windows Recovery Environment partition
+ b. It is at least 100MB (or 260MB for 4K sector size disks) in size
+ c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.
+ d. If the conversion is being performed from the full OS, the disk being converted is not the system disk.
+2. If the existing MBR system partition cannot be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100MB (or 260MB for 4K sector size disks) and is formatted FAT32.
+
+If the existing MBR system partition is not reused for the ESP, it is no longer used by the boot process after the conversion. Other partitions are not modified.
+
+### Partition type mapping and partition attributes
+
+Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules:
+
+1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b).
+2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used.
+3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac).
+4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7).
+
+In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set:
+- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001)
+- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000)
+
+For more information about partition types, see:
+- [GPT partition types](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx)
+- [MBR partition types](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx)
+
+
+### Persisting drive letter assignments
+
+The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage.
+
+The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following:
+
+1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk.
+2. If found, set the value to be the new unique ID, obtained after the layout conversion.
+3. If the new unique ID cannot be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment.
+
+## Troubleshooting
+
+The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions do not translate properly, this is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs).
+
+### Logs
+
+Four log files are created by the MBR2GPT tool:
+
+- diagerr.xml
+- diagwrn.xml
+- setupact.log
+- setuperr.log
+
+These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. Note: The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory.
+
+The default location for all these log files in Windows PE is **%windir%**.
+
+### Interactive help
+
+To view a list of options available when using the tool, type **mbr2gpt /?**
+
+The following text is displayed:
+
+```
+
+C:\> mbr2gpt /?
+
+Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk.
+
+MBR2GPT.exe /validate|convert [/disk:] [/logs:] [/map:=] [/allowFullOS]
+
+Where:
+
+ /validate
+ - Validates that the selected disk can be converted
+ without performing the actual conversion.
+
+ /convert
+ - Validates that the selected disk can be converted
+ and performs the actual conversion.
+
+ /disk:
+ - Specifies the disk number of the disk to be processed.
+ If not specified, the system disk is processed.
+
+ /logs:
+ - Specifies the directory for logging. By default logs
+ are created in the %windir% directory.
+
+ /map:=
+ - Specifies the GPT partition type to be used for a
+ given MBR partition type not recognized by Windows.
+ Multiple /map switches are allowed.
+
+ /allowFullOS
+ - Allows the tool to be used from the full Windows
+ environment. By default, this tool can only be used
+ from the Windows Preinstallation Environment.
+
+```
+
+### Return codes
+
+MBR2GPT has the following associated return codes:
+
+| Return code | Description |
+|----|-------------|
+|0| Conversion completed successfully.|
+|1| Conversion was canceled by the user.|
+|2| Conversion failed due to an internal error.|
+|3| Conversion failed due to an initialization error.|
+|4| Conversion failed due to invalid command-line parameters. |
+|5| Conversion failed due to error reading the geometry and layout of the selected disk.|
+|6| Conversion failed because one or more volumes on the disk is encrypted.|
+|7| Conversion failed because the geometry and layout of the selected disk do not meet requirements.|
+|8| Conversion failed due to error while creating the EFI system partition.|
+|9| Conversion failed due to error installing boot files.|
+|10| Conversion failed due to error while applying GPT layout.|
+|100| Conversion to GPT layout succeeded, but some boot configuration data entries could not be restored.|
+
+
+### Determining the partition type
+
+You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown:
+
+
+```
+PS C:\> Get-Disk | ft -Auto
+
+Number Friendly Name Serial Number HealthStatus OperationalStatus Total Size Partition Style
+------ ------------- ------------- ------------ ----------------- ---------- ---------------
+0 MTFDDAK256MAM-1K1 13050928F47C Healthy Online 238.47 GB MBR
+1 ST1000DM003-1ER162 Z4Y3GD8F Healthy Online 931.51 GB GPT
+```
+
+You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example:
+
+
+
+
+If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the diskpart tool. To determine the partition style, type **diskpart** and then type **list disk**. See the following example:
+
+```
+DISKPART> list disk
+
+ Disk ### Status Size Free Dyn Gpt
+ -------- ------------- ------- ------- --- ---
+ Disk 0 Online 238 GB 0 B
+ Disk 1 Online 931 GB 0 B *
+```
+
+In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT.
+
+
+
+
+## Related topics
+
+[Using MBR2GPT with Configuration Manager OSD](https://miketerrill.net/tag/mbr2gpt/)
+ [Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
+ [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+ [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
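Review bot: In the `mbr2gpt /?` block under "Interactive help", the synopsis `MBR2GPT.exe /validate|convert [/disk:] [/logs:] [/map:=] [/allowFullOS]` and the `/disk:`, `/logs:` and `/map:=` entries carry no value placeholders, so a reader cannot tell what goes after the colon or on either side of the `=`. Please paste the tool's real help output with its placeholder names intact; the "Partition type mapping" section depends on readers knowing how to write a /map entry. Smaller points in the same file: "GPT metatdata" in workflow step 4, "The volume IDs can retrieved" in the Disk validation list, and "Both validation and conversion are clear if any errors are encountered" under Troubleshooting all need a wording fix. The "See the following example:" sentence for Disk Management is followed only by blank lines, so the screenshot reference appears to be missing.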
diff --git a/windows/keep-secure/code/example.ps1 b/windows/keep-secure/code/example.ps1
new file mode 100644
index 0000000000..877292e484
--- /dev/null
+++ b/windows/keep-secure/code/example.ps1
@@ -0,0 +1,52 @@
+$tenantId = '{Your Tenant ID}'
+$clientId = '{Your Client ID}'
+$clientSecret = '{Your Client Secret}'
+
+$authUrl = "https://login.windows.net/{0}/oauth2/token" -f $tenantId
+
+$tokenPayload = @{
+ "resource"='https://graph.windows.net'
+ "client_id" = $clientId
+ "client_secret" = $clientSecret
+ "grant_type"='client_credentials'}
+
+$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
+$token = $response.access_token
+
+$headers = @{
+ "Content-Type"="application/json"
+ "Accept"="application/json"
+ "Authorization"="Bearer {0}" -f $token }
+
+$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
+
+$alertDefinitions =
+ (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
+
+$alertDefinitionPayload = @{
+ "Name"= "The Alert's Name"
+ "Severity"= "Low"
+ "InternalDescription"= "An internal description of the Alert"
+ "Title"= "The Title"
+ "UxDescription"= "Description of the alerts"
+ "RecommendedAction"= "The alert's recommended action"
+ "Category"= "Trojan"
+ "Enabled"= "true"}
+
+$alertDefinition =
+ Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
+
+$alertDefinitionId = $alertDefinition.Id
+
+$iocPayload = @{
+ "Type"="Sha1"
+ "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
+ "DetectionFunction"="Equals"
+ "Enabled"="true"
+ "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
+
+
+$ioc =
+ Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
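Review bot: Both payloads pass `"Enabled"` as the string "true" (`"Enabled"= "true"}` in $alertDefinitionPayload and `"Enabled"="true"` in $iocPayload), so ConvertTo-Json emits a JSON string, while example.py in this same change sends the boolean True. Use $true in both hashtables so the two samples post the same body. There is also no error handling around the token request or the AlertDefinitions POST, so a failed call leaves $token or $alertDefinitionId empty and the script keeps going; set $ErrorActionPreference = 'Stop' or wrap the calls in try/catch. $alertDefinitions is assigned and never used. Because readers will copy this file, consider reading $clientSecret from a prompt or a secret store instead of a literal assignment at the top of the script.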
diff --git a/windows/keep-secure/code/example.py b/windows/keep-secure/code/example.py
new file mode 100644
index 0000000000..7bf906738c
--- /dev/null
+++ b/windows/keep-secure/code/example.py
@@ -0,0 +1,53 @@
+import json
+import requests
+from pprint import pprint
+
+tenant_id="{your tenant ID}"
+client_id="{your client ID}"
+client_secret="{your client secret}"
+
+auth_url = "https://login.windows.net/{0}/oauth2/token".format(tenant_id)
+
+payload = {"resource": "https://graph.windows.net",
+ "client_id": client_id,
+ "client_secret": client_secret,
+ "grant_type": "client_credentials"}
+
+response = requests.post(auth_url, payload)
+token = json.loads(response.text)["access_token"]
+
+with requests.Session() as session:
+ session.headers = {
+ 'Authorization': 'Bearer {}'.format(token),
+ 'Content-Type': 'application/json',
+ 'Accept': 'application/json'}
+
+ response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
+ pprint(json.loads(response.text))
+
+ alert_definition = {"Name": "The alert's name",
+ "Severity": "Low",
+ "InternalDescription": "An internal description of the alert",
+ "Title": "The Title",
+ "UxDescription": "Description of the alerts",
+ "RecommendedAction": "The alert's recommended action",
+ "Category": "Trojan",
+ "Enabled": True}
+
+ response = session.post(
+ "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
+ json=alert_definition)
+
+ alert_definition_id = json.loads(response.text)["Id"]
+
+ ioc = {'Type': "Sha1",
+ 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
+ 'DetectionFunction': "Equals",
+ 'Enabled': True,
+ "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
+
+ response = session.post(
+ "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
+ json=ioc)
+
+ pprint(json.loads(response.text))
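Review bot: The token response is indexed without a status check at `token = json.loads(response.text)["access_token"]`, so a rejected client credential surfaces as a bare KeyError, and the same pattern at `alert_definition_id = json.loads(response.text)["Id"]` hides a failed AlertDefinitions POST. Call response.raise_for_status() after each request and read the body with response.json(). `session.headers = {...}` replaces the session's default header object; session.headers.update(...) keeps the defaults and adds these three. As with the PowerShell sample, consider loading client_secret from the environment rather than a literal in the file, since this is code readers will paste into their own tooling.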
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index 8c70f3782d..7d3b48530d 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -40,12 +40,10 @@ Here's a high-level overview on how the LSA is isolated by using virtualization-
## Requirements
-For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations).
+For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations).
### Hardware and software requirements
-To deploy Credential Guard, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements. Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats.
-
To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses:
- Support for Virtualization-based security (required)
- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
@@ -82,14 +80,15 @@ Applications may cause performance issues when they attempt to hook the isolated
### Security considerations
-The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
+All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard.
+Computers that meet additional qualifications can provide additional protections to further reduce the attack surface.
+The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
> [!NOTE]
-> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. This requirement is not restated in the tables that follow.
-> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
-> Starting in Widows 10, 1607, TPM 2.0 is required.
+> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
+> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
-#### Baseline protection recommendations
+#### Baseline protections
|Baseline Protections | Description |
|---------------------------------------------|----------------------------------------------------|
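Review bot: The rewritten NOTE keeps "Trusted Platform Module (TPM 2.0) must be enabled by default on new computers" but drops the sentence explaining that this is not restated in the tables, while the "Hardware and software requirements" list earlier in this file still marks TPM 2.0 as "preferred". Please say in the NOTE whether this is a requirement on how new hardware ships or a prerequisite for Credential Guard itself, so the two statements do not read as contradictory. The new summary "options available in 2015, 2016, and 2017" also removes the earlier distinction that the 2017 options were only announced; confirm that is intended.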
@@ -101,9 +100,9 @@ The following tables provide more information about the hardware, firmware, and
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important: Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
> [!IMPORTANT]
-> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security to significantly strengthen the level of security that Credential Guard can provide.
+> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide.
-#### 2015 Additional Security Recommendations (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
+#### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4
| Protections for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
@@ -113,10 +112,10 @@ The following tables provide more information about the hardware, firmware, and
-#### 2016 Additional Security Recommendations (starting with Windows 10, version 1607, and Windows Server 2016)
+#### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
> [!IMPORTANT]
-> The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Credential Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.
+> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections.
| Protections for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
@@ -126,9 +125,9 @@ The following tables provide more information about the hardware, firmware, and
-#### 2017 Additional security requirements starting with Windows 10, version 1703
+#### 2017 Additional security qualifications starting with Windows 10, version 1703
-The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements.
+The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications.
| Protection for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
diff --git a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
index 7c5f60b159..eecae9a27a 100644
--- a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -347,11 +347,13 @@ These parameters are compatible with the [OData V4 query language](http://docs.o
## Code examples
The following articles provide detailed code examples that demonstrate how to use the custom threat intelligence API in several programming languages:
-- PowerShell code examples
-- Python code examples
+- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
## Related topics
-- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md
index 38074271e9..e62a85a083 100644
--- a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -40,6 +40,8 @@ Before you can create custom threat intelligence (TI) using REST API, you'll nee
You’ll need to use the access token in the Authorization header when doing REST API calls.
## Related topics
-- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Create custom threat intelligence](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index 897187ce25..749d25c114 100644
--- a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -50,10 +50,10 @@ This status indicates that there's limited communication between the machine and
The following suggested actions can help fix issues related to a misconfigured machine with impaired communication:
-- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
+- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
-- Verify client connectivity to Windows Defender ATP service URLs
+- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
@@ -62,16 +62,16 @@ If you took corrective actions and the machine status is still misconfigured, [o
A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report partial sensor data.
Follow theses actions to correct known issues related to a misconfigured machine with status ‘Impaired communication’:
-- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
+- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
-- Verify client connectivity to Windows Defender ATP service URLs
+- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
-- [Ensure the telemetry and diagnostics service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled)
+- [Ensure the telemetry and diagnostics service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled)
If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint.
-- [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy)
+- [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy)
If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled.
If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
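Review bot: The context line that introduces the list in this hunk, under the "No sensor data" status, still reads "Follow theses actions to correct known issues related to a misconfigured machine with status ‘Impaired communication’", which names the wrong status and misspells "these"; since the hunk rewrites the list directly below it, fix that sentence in the same change. "The Window Defender ATP sensor" should be "Windows Defender ATP", here and in the hunk above. Several -/+ pairs, such as the "Ensure the endpoint has Internet connection" bullets, look textually identical, so check whether they are whitespace-only changes that can be dropped from the diff.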
diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md
index 7e5139aeaf..c13f490b56 100644
--- a/windows/keep-secure/hello-identity-verification.md
+++ b/windows/keep-secure/hello-identity-verification.md
@@ -72,7 +72,7 @@ Imagine that someone is looking over your shoulder as you get money from an ATM
Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs.
-For customers using a hybrid Active Directory and Azure Active Directorye environment, Windows Hello also enables Windows 10 Mobile devices to be used as [a remote credential](hello-prepare-people-to-use.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Windows Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Windows Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
+For customers using a hybrid Active Directory and Azure Active Directory environment, Windows Hello also enables Windows 10 Mobile devices to be used as [a remote credential](hello-prepare-people-to-use.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Windows Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Windows Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
> [!NOTE]
> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
index 69a0b102c6..640b0a524c 100644
--- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -40,7 +40,7 @@ When you investigate a specific machine, you'll see:

-The machine details, total logged on users and machine reporting sections display various attributes about the machine. You’ll see details such as machine name, health status, actions you can take on the machine. For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md).
+The machine details, total logged on users and machine reporting sections display various attributes about the machine. You’ll see details such as machine name, health state, actions you can take on the machine. For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md).
You'll also see other information such as domain, operating system (OS), total logged on users and who frequently and less frequently logged on, IP address, and how long it's been reporting sensor data to the Windows Defender ATP service.
diff --git a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
index b06391c16d..5574319409 100644
--- a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
@@ -26,88 +26,54 @@ localizationpriority: high
This article provides PowerShell code examples for using the custom threat intelligence API.
These code examples demonstrate the following tasks:
-- [Obtain an Azure AD access token](#obtain-an-azure-ad-access-token)
-- [Create headers](#create-headers)
-- [Create calls to the custom threat intelligence API](#create-calls-to-the-custom-threat-intelligence-api)
-- [Create a new alert definition](#create-a-new-alert-definition)
-- [Create a new indicator of compromise](#create-a-new-indicator-of-compromise)
+- [Obtain an Azure AD access token](#token)
+- [Create headers](#headers)
+- [Create calls to the custom threat intelligence API](#calls)
+- [Create a new alert definition](#alert-definition)
+- [Create a new indicator of compromise](#ioc)
-## Obtain an Azure AD access token
+
+## Step 1: Obtain an Azure AD access token
The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.
-Replace the *tenant\_id*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal:
+Replace the *tenantid*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal:
-```
+[!code[CustomTIAPI](./code/example.ps1#L1-L14)]
-$tenantId = '{Your Tenant ID}
-$clientId = '{Your Client ID}'
-$clientSecret = '{Your Client Secret}'
+
+## Step 2: Create headers used for the requests with the API
+Use the following code to create the headers used for the requests with the API:
-$authUrl = "https://login.windows.net/{0}/oauth2/token" -f $tenantId
+[!code[CustomTIAPI](./code/example.ps1#L16-L19)]
-$tokenPayload = @{
- "resource"='https://graph.windows.net'
- "client_id" = $clientId
- "client_secret" = $clientSecret
- "grant_type"='client_credentials'}
+
+## Step 3: Create calls to the custom threat intelligence API
+After creating the headers, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:
-$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
-$token = $response.access_token
+[!code[CustomTIAPI](./code/example.ps1#L21-L24)]
-```
+The response is empty on initial use of the API.
-## Create headers
-The following example demonstrates how to create headers used for the requests with the API.
+
+## Step 4: Create a new alert definition
+The following example demonstrates how you to create a new alert definition.
-```
-$headers = @{}
-$headers.Add("Content-Type", "application/json")
-$headers.Add("Accept", "application/json")
-$headers.Add("Authorization", "Bearer {0}" -f $token)
+[!code[CustomTIAPI](./code/example.ps1#L26-L39)]
-```
+
+## Step 5: Create a new indicator of compromise
+You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
-## Create calls to the custom threat intelligence API
-The following example demonstrates how to view all alert definition entities by creating a call to the API.
+[!code[CustomTIAPI](./code/example.ps1#L43-L53)]
-```
-$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
-$alertDefinitions =
- (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
-```
+## Complete code
+You can use the complete code to create calls to the API.
-If this is the first time to use the API, the response is empty.
+[!code[CustomTIAPI](./code/example.ps1#L1-L53)]
-## Create a new alert definition
-The following example shows how to create a new alert definition.
-
-```
-$alertDefinitionPayload = @{
- "Name"= "The Alert's Name"
- "Severity"= "Low"
- "InternalDescription"= "An internal description of the Alert"
- "Title"= "The Title"
- "UxDescription"= "Description of the alerts"
- "RecommendedAction"= "The alert's recommended action"
- "Category"= "Trojan"
- "Enabled"= "true"}
-
-
-$alertDefinition =
- Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
-```
-
-## Create a new indicator of compromise
-The following example shows how to use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
-
-```
-$iocPayload = @{
- "Type"="Sha1"
- "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
- "DetectionFunction"="Equals"
- "Enabled"="true"
- "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
-
-
-$ioc = Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
-```
+## Related topics
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
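Review bot: The table-of-contents links now target `#token`, `#headers`, `#calls`, `#alert-definition` and `#ioc`, but the headings they should reach are renamed to "Step 1: ..." through "Step 5: ...", and the line added before each heading shows as empty here, so no element carrying those ids is visible. Confirm that each heading is preceded by an explicit anchor with the matching id; otherwise all five links break. Two smaller points: Step 4 includes `example.ps1#L26-L39` and Step 5 includes `#L43-L53`, so lines 40-42 appear only under "Complete code", and if they assign the alert definition ID that Step 5 depends on, the Step 5 range should start at line 40. In Step 4, "demonstrates how you to create" should read "demonstrates how to create".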
diff --git a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md
index a85f157968..e4a19d51d6 100644
--- a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md
@@ -34,18 +34,18 @@ For more information, see [Turn on the preview experience](preview-settings-wind
## Preview features
The following features are included in the preview release:
-- [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) - Take action on machine related alerts to quickly respond to detected attacks by isolating machines or collecting an investigation package.
+- [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
- [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
- [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation)
- [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
-- [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) - Take action on file related alerts to quickly respond to detected attacks by stopping and quarantining files or blocking a file.
+- [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
- [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
- [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
- [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
-- [Check sensor status](check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix sensor issues if you identify problematic machines.
+- [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.
- [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
>[!NOTE]
-> All response features require machines to be on the latest Windows 10 Insider Preview build and above.
+> All response actions require machines to be on the latest Windows 10 Insider Preview build.
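Review bot: The reworded note on the last line says response actions require "the latest Windows 10 Insider Preview build", while the respond-file and respond-machine pages touched in this same change say the actions are "only available for machines on Windows 10, version 1703". State one requirement and use it in all three places. Separately, the unchanged link target `fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md` misspells "unhealthy"; check that it matches the actual file name.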
diff --git a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
index 4b482cc066..36b0a25f3b 100644
--- a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
@@ -27,95 +27,55 @@ localizationpriority: high
You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library.
These code examples demonstrate the following tasks:
-- [Obtain an Azure AD access token](#obtain-an-azure-ad-access-token)
-- [Create request session object](#create-a-request's-session-object)
-- [Create calls to the custom threat intelligence API](#create-calls-to-the-custom-threat-intelligence-api)
-- [Create a new alert definition](#create-a-new-alert-definition)
-- [Create a new indicator of compromise](#create-a-new-indicator-of-compromise)
+- [Obtain an Azure AD access token](#token)
+- [Create request session object](#session-object)
+- [Create calls to the custom threat intelligence API](#calls)
+- [Create a new alert definition](#alert-definition)
+- [Create a new indicator of compromise](#ioc)
-## Obtain an Azure AD access token
+
+## Step 1: Obtain an Azure AD access token
The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.
Replace the *tenant\_id*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal:
-```
-
-import json
-import requests
-from pprint import pprint
-
-tenant_id="{your tenant ID}"
-client_id="{your client ID"
-client_secret="{your client secret}"
-
-full_auth_url = r"https://login.windows.net/{0}/oauth2/token".format(tenant_id)
-
-payload = {"resource": "https://graph.windows.net",
- "client_id": client_id,
- "client_secret": client_secret,
- "grant_type": "client_credentials"}
+[!code[CustomTIAPI](./code/example.py#L1-L17)]
-response = requests.post(full_auth_url, payload)
-token = json.loads(response.text)["access_token"]
-```
-
-## Create request session object
+
+## Step 2: Create request session object
Add HTTP headers to the session object, including the Authorization header with the token that was obtained.
-```
-with requests.Session() as session:
- session.headers = {
- 'Authorization': 'Bearer {}'.format(token),
- 'Content-Type': 'application/json',
- 'Accept': 'application/json'}
-```
+[!code[CustomTIAPI](./code/example.py#L19-L23)]
-## Create calls to the custom threat intelligence API
-The following example shows how to view all of the alert definition entities by creating a call to the API.
+
+## Step 3: Create calls to the custom threat intelligence API
+After adding HTTP headers to the session object, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:
->[!NOTE]
-> All code is still within the ```with``` statement with the same indention level.
+[!code[CustomTIAPI](./code/example.py#L25-L26)]
-```json
+The response is empty on initial use of the API.
-response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
-pprint(json.loads(response.text))
-```
+
+## Step 4: Create a new alert definition
+The following example demonstrates how you to create a new alert definition.
-If this is the first time to use the API, the response is empty.
+[!code[CustomTIAPI](./code/example.py#L28-L39)]
-## Create a new alert definition
-The following example shows how to create a new alert definition.
+
+## Step 5: Create a new indicator of compromise
+You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
-```
+[!code[CustomTIAPI](./code/example.py#L41-L51)]
-alert_definition = {"Name": "The Alert's Name",
- "Severity": "Low",
- "InternalDescription": "An internal description of the Alert",
- "Title": "The Title",
- "UxDescription": "Description of the alerts",
- "RecommendedAction": "The alert's recommended action",
- "Category": "Trojan",
- "Enabled": True}
+## Complete code
+You can use the complete code to create calls to the API.
-response = session.post(
- "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
- json=alert_definition)
-```
+[!code[CustomTIAPI](./code/example.py#L1-L51)]
-## Create a new indicator of compromise
-The following example shows how to use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
-
-```
-alert_definition_id = json.loads(response.text)["Id"]
- ioc = {'Type': "Sha1",
- 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
- 'DetectionFunction': "Equals",
- 'Enabled': True,
- "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
-
- response = session.post(
- "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
- json=ioc)
-```
+## Related topics
+- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
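Review bot: The removed note saying that all later code stays inside the `with` statement at the same indentation level has no replacement, yet Steps 3 to 5 still pull separate line ranges of `example.py` (`#L25-L26`, `#L28-L39`, `#L41-L51`) that follow the session block included from `#L19-L23`. If those lines are still indented under `with requests.Session() as session:`, a reader who copies a single step gets code that does not run on its own, so keep the note or say in Step 3 that the snippets continue the block from Step 2. The `#token`-style links need explicit anchors before the renamed "Step N:" headings, which are not visible in the empty added lines. The placeholders here stay *tenant\_id*, *client_id*, *client_secret* while the PowerShell page in this change switches to *tenantid*, *clientid*, *clientSecret*; and "demonstrates how you to create" in Step 4 has a stray "you".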
diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
index 49742f17e8..0bba05e0b7 100644
--- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -39,9 +39,9 @@ You can deploy Device Guard in phases, and plan these phases in relation to the
> [!WARNING]
> Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
-The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
+The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
-> **Notes**
+> **Notes**
> • To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
> • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
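Review bot: Collapsing "available in 2015, available in 2016, and announced as options for 2017" into "available in 2015, 2016, and 2017" changes the claim for 2017 from announced to available. Keep the original distinction unless the 2017 hardware and firmware options have actually shipped. The `> **Notes**` line is replaced by a line that looks identical, which points to a whitespace-only change; confirm it is intended or drop it from the patch.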
diff --git a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 4cd712c7a8..0d15caf8a1 100644
--- a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -23,7 +23,7 @@ localizationpriority: high
[Some information relates to pre–released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-You can take action on file related alerts to quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center.
+Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center.
>[!NOTE]
> These response actions are only available for machines on Windows 10, version 1703.
diff --git a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index e4ffc6abe9..7262eeac48 100644
--- a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -23,7 +23,7 @@ localizationpriority: high
[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-You can take action on machine related alerts to quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
+Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
>[!NOTE]
> These response actions are only available for machines on Windows 10, version 1703.
diff --git a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
index 32dc72d7fd..835ddbf45a 100644
--- a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high
---
-# Understand threat indicators
+# Understand threat intelligence concepts
**Applies to:**
@@ -49,5 +49,7 @@ IOCs have a many-to-one relationship with alert definitions such that an alert d
## Related topic
- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [Create custom threat indicators using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
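Review bot: The heading in the context line stays "## Related topic" although the list now holds five links, and the other pages in this change use "## Related topics". Make it plural here as well.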
diff --git a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
index 5448e0e2f5..d63bd1bf4c 100644
--- a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
@@ -44,3 +44,11 @@ If your client secret expires or if you've misplaced the copy provided when you
6. Click **Save**. The key value is displayed.
7. Copy the value and save it in a safe place.
+
+
+## Related topics
+- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create custom threat intelligence](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
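Review bot: The new link texts "Understand threat intelligence" and "Create custom threat intelligence" do not match the titles used elsewhere in this change: the target page is retitled "Understand threat intelligence concepts", and the other Related topics lists link to "Create custom threat intelligence alerts". Use the same link text in every list; the Python examples page has the same shortened "Understand threat intelligence" entry.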