diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index c82891ed56..a197c21ecd 100644 --- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md @@ -1620,7 +1620,7 @@ In the following cmdlets, `$strPolicy` is the name of the ActiveSync policy, and Note that in order to run the cmdlets, you need to set up a remote PowerShell session and: -- Your admin account must be remote-PowerShell-enabled. This allows the admin to use the PowerShell cmdlets that are needed by the script. (This permission can be set using set-user `$admin -RemotePowerShellEnabled $true`) +- Your admin account must be remote-PowerShell-enabled. This allows the admin to use the PowerShell cmdlets that are needed by the script. (This permission can be set using `set-user $admin -RemotePowerShellEnabled $true`) - Your admin account must have the "Reset Password" role if you plan to run the creation scripts. This allows the admin to change the password of the account, which is needed for the script. The Reset Password Role can be enabled using the Exchange Admin Center. Create the policy. diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index b5e25471d4..5b6d36d46b 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md 
@@ -25,17 +25,10 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme - Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. - Cortana is turned off. -<<<<<<< HEAD -> **Tip!** -> To exit **Take a Test**, press Ctrl+Alt+Delete. - - - -======= > [!TIP] > To exit **Take a Test**, press Ctrl+Alt+Delete. ->>>>>>> f50c53382577edc4df9f4e8c3f911e5a8da4bc83 + ## How you use Take a Test ![Use test account or test url in Take a Test](images/take-a-test-flow.png) diff --git a/windows/keep-secure/images/atp-disableantispyware-regkey.png b/windows/keep-secure/images/atp-disableantispyware-regkey.png new file mode 100644 index 0000000000..ae3d800c69 Binary files /dev/null and b/windows/keep-secure/images/atp-disableantispyware-regkey.png differ diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md index 0fd2edc0d3..a3358422cb 100644 --- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md 
@@ -113,4 +113,4 @@ When Windows Defender is not the active antimalware in your organization and you ## Windows Defender Early Launch Antimalware (ELAM) driver is enabled If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard. -If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information on how to validate and enable the Windows Defender ELAM driver see, [Ensure the Windows Defender ELAM driver is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-windows-defender-elam-driver-is-enabled). +If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy). diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index e3c1d51f68..1cb5843937 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md 
@@ -65,7 +65,7 @@ Event ID | Error Type | Resolution steps 5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. 10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
Verify that the script was ran as an administrator. 15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). -15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions. +15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure that Windows Defender is not disabled by a policy](#ensure-that-windows-defender-is-not-disabled-by-a-policy) for instructions. 30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). 35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). 40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). @@ -124,7 +124,7 @@ If the deployment tools used does not indicate an error in the onboarding proces - [Ensure the telemetry and diagnostics service is enabled](#ensure-the-telemetry-and-diagnostics-service-is-enabled) - [Ensure the service is set to start](#ensure-the-service-is-set-to-start) - [Ensure the endpoint has an Internet connection](#ensure-the-endpoint-has-an-internet-connection) -- [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) +- [Ensure that Windows Defender is not disabled by a policy](#ensure-that-windows-defender-is-not-disabled-by-a-policy) ### View agent onboarding errors in the endpoint event log 
@@ -222,98 +222,31 @@ To ensure that sensor has service connectivity, follow the steps described in th If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic. -### Ensure the Windows Defender ELAM driver is enabled -If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. +### Ensure that Windows Defender is not disabled by a policy +**Problem**: The Windows Defender ATP service does not start after onboarding. -**Check the ELAM driver status:** +**Symptom**: Onboarding successfully completes, but you see error 577 when trying to start the service. -1. Open a command-line prompt on the endpoint: +**Solution**: If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. - a. Click **Start**, type **cmd**, and select **Command prompt**. +- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are set to ```0``` or that the settings are cleared: -2. 
Enter the following command, and press Enter: - ``` - sc qc WdBoot - ``` - If the ELAM driver is enabled, the output will be: + - ```DisableAntiSpyware``` + - ```DisableAntiVirus``` - ``` - [SC] QueryServiceConfig SUCCESS + For example, in Group Policy: - SERVICE_NAME: WdBoot - TYPE : 1 KERNEL_DRIVER - START_TYPE : 0 BOOT_START - ERROR_CONTROL : 1 NORMAL - BINARY_PATH_NAME : \SystemRoot\system32\drivers\WdBoot.sys - LOAD_ORDER_GROUP : Early-Launch - TAG : 0 - DISPLAY_NAME : Windows Defender Boot Driver - DEPENDENCIES : - SERVICE_START_NAME : - ``` - If the ELAM driver is disabled the output will be: - ``` - [SC] QueryServiceConfig SUCCESS + ``` + ``` +- After clearing the policy, run the onboarding steps again on the endpoint. - SERVICE_NAME: WdBoot - TYPE : 1 KERNEL_DRIVER - START_TYPE : 0 DEMAND_START - ERROR_CONTROL : 1 NORMAL - BINARY_PATH_NAME : \SystemRoot\system32\drivers\WdBoot.sys - LOAD_ORDER_GROUP : _Early-Launch - TAG : 0 - DISPLAY_NAME : Windows Defender Boot Driver - DEPENDENCIES : - SERVICE_START_NAME : - ``` +- You can also check the following registry key values to verify that the policy is disabled: -#### Enable the ELAM driver + 1. Open the registry ```key HKEY_LOCAL_MACHINE\ SOFTWARE\Policies\Microsoft\Windows Defender```. + 2. Find the value ```DisableAntiSpyware```. + 3. Ensure that the value is set to 0. -1. Open an elevated PowerShell console on the endpoint: - - a. Click **Start**, type **powershell**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Run the following PowerShell cmdlet: - - ```text - 'Set-ExecutionPolicy -ExecutionPolicy Bypass’ - ``` -3. 
Run the following PowerShell script: - - ```text - Add-Type @' - using System; - using System.IO; - using System.Runtime.InteropServices; - using Microsoft.Win32.SafeHandles; - using System.ComponentModel; - - public static class Elam{ - [DllImport("Kernel32", CharSet=CharSet.Auto, SetLastError=true)] - public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle); - - public static void InstallWdBoot(string path) - { - Console.Out.WriteLine("About to call create file on {0}", path); - var stream = File.Open(path, FileMode.Open, FileAccess.Read, FileShare.Read); - var handle = stream.SafeFileHandle; - - Console.Out.WriteLine("About to call InstallELAMCertificateInfo on handle {0}", handle.DangerousGetHandle()); - if (!InstallELAMCertificateInfo(handle)) - { - Console.Out.WriteLine("Call failed."); - throw new Win32Exception(Marshal.GetLastWin32Error()); - } - Console.Out.WriteLine("Call successful."); - } - } - '@ - - $driverPath = $env:SystemRoot + "\System32\Drivers\WdBoot.sys" - [Elam]::InstallWdBoot($driverPath) - ``` + ![Image of registry key for Windows Defender](images/atp-disableantispyware-regkey.png) diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md index db70905251..4cb0a35b53 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md 
@@ -64,6 +64,12 @@ EU region: See the topic [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors. +### Windows Defender ATP service fails to start after a reboot and shows error 577 + +If onboarding endpoints successfully completes but Windows Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy. + +For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy). + ### Related topic - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index b6bf92ce00..b42a844ee5 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -19,6 +19,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | New or changed topic | Description | | --- | --- | | [Quick guide to Windows as a service](waas-quick-start.md) | New | +| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Added video demonstration of the latest in modern management for Windows 10 | ## November 2016 diff --git a/windows/manage/index.md b/windows/manage/index.md index ac66e4c102..e9e8ac3329 100644 --- a/windows/manage/index.md +++ b/windows/manage/index.md 
@@ -14,6 +14,9 @@ author: jdeckerMS Learn about managing and updating Windows 10. +>[!NOTE] +>Information for Windows 10 Enterprise also applies to Windows 10 IoT Enterprise, and information for Windows 10 Mobile Enterprise also applies to Windows 10 IoT Mobile. For information about managing devices running Windows 10 IoT Core, see [Windows 10 IoT Core Commercialization](https://www.windowsforiotdevices.com/). + ## In this section diff --git a/windows/manage/manage-windows-10-in-your-organization-modern-management.md b/windows/manage/manage-windows-10-in-your-organization-modern-management.md index 0d3374fbca..e0852318ad 100644 --- a/windows/manage/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/manage/manage-windows-10-in-your-organization-modern-management.md 
@@ -18,6 +18,10 @@ Your organization might have considered bringing in Windows 10 devices and downg Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as System Center Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster. +This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance. + + + This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle: - [Deployment and Provisioning](#deployment-and-provisioning) diff --git a/windows/manage/windows-store-for-business-overview.md b/windows/manage/windows-store-for-business-overview.md index 6f8d654f82..bf514619ee 100644 --- a/windows/manage/windows-store-for-business-overview.md +++ b/windows/manage/windows-store-for-business-overview.md 
@@ -211,56 +211,162 @@ For more information, see [Manage settings in the Store for Business](../manage/ ## Supported markets - Store for Business is currently available in these markets. -|Country or locale|Paid apps|Free apps| -|-----------------|---------|---------| -|Argentina|X|X| -|Australia|X|X| -|Austria|X|X| -|Belgium (Dutch, French)|X|X| -|Brazil| |X| -|Canada (English, French)|X|X| -|Chile|X|X| -|Columbia|X|X| -|Croatia|X|X| -|Czech Republic|X|X| -|Denmark|X|X| -|Finland|X|X| -|France|X|X| -|Germany|X|X| -|Greece|X|X| -|Hong Kong SAR|X|X| -|Hungary|X|X| -|India| |X| -|Indonesia|X|X| -|Ireland|X|X| -|Italy|X|X| -|Japan|X|X| -|Malaysia|X|X| -|Mexico|X|X| -|Netherlands|X|X| -|New Zealand|X|X| -|Norway|X|X| -|Philippines|X|X| -|Poland|X|X| -|Portugal|X|X| -|Romania|X|X| -|Russia| |X| -|Singapore|X|X| -|Slovakia|X|X| -|South Africa|X|X| -|Spain|X|X| -|Sweden|X|X| -|Switzerland (French, German)|X|X| -|Taiwan| |X| -|Thailand|X|X| -|Turkey|X|X| -|Ukraine| |X| -|United Kingdom|X|X| -|United States|X|X| -|Vietnam|X|X| +
+ + + + + + + + + +
Support for free and paid apps
+
    +
  • Algeria
  • +
  • Angola
  • +
  • Argentina
  • +
  • Australia
  • +
  • Austria
  • +
  • Bahamas
  • +
  • Bahrain
  • +
  • Bangladesh
  • +
  • Barbados
  • +
  • Belgium
  • +
  • Belize
  • +
  • Bermuda
  • +
  • Bolivia
  • +
  • Botswana
  • +
  • Brunei Darussalam
  • +
  • Bulgaria
  • +
  • Cameroon
  • +
  • Canada
  • +
  • Cape Verde
  • +
  • Cayman Islands
  • +
  • Chile
  • +
  • Colombia
  • +
  • Costa Rica
  • +
  • Côte D'ivoire
  • +
  • Croatia
  • +
  • Curçao
  • +
  • Cyprus
  • +
  • Czech Republic
  • +
  • Denmark
  • +
+
+
    +
  • Dominican Republic
  • +
  • Ecuador
  • +
  • Egypt
  • +
  • El Salvador
  • +
  • Estonia
  • +
  • Faroe Islands
  • +
  • Fiji
  • +
  • Finland
  • +
  • France
  • +
  • Germany
  • +
  • Ghana
  • +
  • Greece
  • +
  • Guatemala
  • +
  • Honduras
  • +
  • Hong Kong
  • +
  • Hungary
  • +
  • Iceland
  • +
  • Indonesia
  • +
  • Iraq
  • +
  • Ireland
  • +
  • Israel
  • +
  • Italy
  • +
  • Jamaica
  • +
  • Japan
  • +
  • Jordan
  • +
  • Kenya
  • +
  • Kuwait
  • +
  • Latvia
  • +
  • Lebanon
  • +
+
+
    +
  • Libya
  • +
  • Liechtenstein
  • +
  • Lithuania
  • +
  • Luxembourg
  • +
  • Malaysia
  • +
  • Malta
  • +
  • Mexico
  • +
  • Mongolia
  • +
  • Montenegro
  • +
  • Morocco
  • +
  • Namibia
  • +
  • Netherlands
  • +
  • New Zealand
  • +
  • Nicaragua
  • +
  • Nigeria
  • +
  • Norway
  • +
  • Oman
  • +
  • Pakistan
  • +
  • Palestinian Territory
  • +
  • Panama
  • +
  • Paraguay
  • +
  • Peru
  • +
  • Philippines
  • +
  • Poland
  • +
  • Portugal
  • +
  • Puerto Rico
  • +
  • Qatar
  • +
  • Romania
  • +
  • Rwanda
  • +
+
+
    +
  • Saint Kitts and Nevis
  • +
  • Saudi Arabia
  • +
  • Senegal
  • +
  • Serbia
  • +
  • Singapore
  • +
  • Slovakia
  • +
  • Slovenia
  • +
  • South Africa
  • +
  • Spain
  • +
  • Sweden
  • +
  • Switzerland
  • +
  • Tanzania
  • +
  • Thailand
  • +
  • Trinidad and Tobago
  • +
  • Tunisia
  • +
  • Turkey
  • +
  • Uganda
  • +
  • United Arab Emirates
  • +
  • United Kingdom
  • +
  • United States
  • +
  • Uruguay
  • +
  • Viet Nam
  • +
  • Virgin Islands, U.S.
  • +
  • Zambia
  • +
  • Zimbabwe
     
     
     
     
  • + +
+
+ + + + + + + + +
Support for free apps only
+
    +
  • Brazil
  • +
  • India
  • +
  • Russia
  • +
  • Taiwan
  • +
  • Ukraine
  • +
+
+ ## ISVs and the Store for Business diff --git a/windows/manage/working-with-line-of-business-apps.md b/windows/manage/working-with-line-of-business-apps.md index f16e66fee9..e6fff0c3bc 100644 --- a/windows/manage/working-with-line-of-business-apps.md +++ b/windows/manage/working-with-line-of-business-apps.md @@ -12,7 +12,6 @@ localizationpriority: high # Working with line-of-business apps - **Applies to** - Windows 10
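Review bot: In appendix-a-powershell-scripts-for-surface-hub.md (hunk at line 1620), the cmdlet now sits inside the code span but is still written in lower case as `set-user`. PowerShell accepts that, but the rest of the documentation uses Verb-Noun casing, so suggest `Set-User $admin -RemotePowerShellEnabled $true`. The parenthetical also lacks a closing period after the code span.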
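Review bot: In minimum-requirements-windows-defender-advanced-threat-protection.md (hunk at line 113), the new link text reads "Ensure that Windows Defender is not disabled by policy" while the target heading and its anchor read "...by a policy"; use the heading's exact wording so the link text matches the section title. The sentence before it still tells the reader to ensure that the ELAM driver is enabled, and the link now goes to a policy check, so one connecting clause is needed to say that the driver is enabled by making sure Windows Defender is not disabled by a policy.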
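Review bot: In troubleshoot-onboarding-windows-defender-advanced-threat-protection.md (hunk at line 65, Event ID 15 row), the changed row still says "You need to enable the Windows Defender ELAM driver, see [...] for instructions", but the section it now links to no longer contains instructions for enabling the driver; the later hunk in this patch removes them. Reword the row to match the new section, for example: "If the message of the error is: System error 577 has occurred, ensure that Windows Defender is not disabled by a policy; see [Ensure that Windows Defender is not disabled by a policy](#ensure-that-windows-defender-is-not-disabled-by-a-policy)."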
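Review bot: In troubleshoot-onboarding-windows-defender-advanced-threat-protection.md (hunk at line 222), the new section leaves an empty code fence under "For example, in Group Policy:", so the promised example is missing; either add the Group Policy setting it refers to or remove the sentence and the fence. In step 1 of the registry check, the word "key" has ended up inside the code span and there is a stray space after `HKEY_LOCAL_MACHINE\`; it should read: Open the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`. The registry steps check only `DisableAntiSpyware` although the bullet above also lists `DisableAntiVirus`, and "verify that the policy is disabled" is ambiguous next to "Ensure that the value is set to 0"; suggest "verify that the policy is not set". Since this hunk removes the only place that showed `sc qc WdBoot`, consider keeping a short way for the reader to confirm the driver state after clearing the policy.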
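Review bot: In troubleshoot-windows-defender-advanced-threat-protection.md (hunk at line 64), the new heading and paragraph describe the service failing "after a reboot", while the section they link to gives the symptom as error 577 "when trying to start the service" after onboarding and does not mention a reboot; align the two descriptions so a reader can tell it is the same issue. The link text also reads "by policy" where the target heading reads "by a policy".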
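Review bot: In windows-store-for-business-overview.md (hunk at line 211), the first column of the "Support for free and paid apps" list spells "Curçao" without the "a"; it should be "Curaçao", and "Côte D'ivoire" should be capitalized "Côte d'Ivoire". The list is padded with four `&nbsp;` items after Zimbabwe to even out the columns, which will render as empty bullets; balance the columns in the table markup instead. The old table's language qualifiers (for example "Belgium (Dutch, French)", "Canada (English, French)", "Switzerland (French, German)") are dropped without a note, so confirm that is intentional.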