Merged PR 12213: 10/18 PM Publish

Huaping Yu (Beyondsoft Consulting Inc) 2018-10-18 22:31:04 +00:00
commit bd8a20e53c
15 changed files with 140 additions and 73 deletions

View File

@ -8,19 +8,19 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: mikeblodge
ms.topic: article
ms.date: 10/16/2018
ms.date: 10/18/2018
---
# Repackage existing win32 applications to the MSIX format
The MSIX Packaging Tool is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store.
The MSIX Packaging Tool 1.2018.1005.0 is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store.
> Prerequisites:
- Participate in the Windows Insider Program or update to Windows 10 October 2018 Update (version 1809)
- Minimum Windows 10 build 17701
- Windows 10, version 1809 (or later)
- Participation in the Windows Insider Program (if you're using an Insider build)
- A valid Micorsoft account (MSA) alias to access the app from the Microsoft Store
- Admin privileges on your PC account
- A valid Micorsoft account (MSA) alias to access the app from the Store
## Installing the MSIX Packaging Tool
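Review bot: the "Micorsoft" typo survives in the rewritten prerequisite ("A valid Micorsoft account (MSA) alias to access the app from the Store"); it should read "Microsoft". The rewrite also drops the "Minimum Windows 10 build 17701" line while keeping the Insider Program bullet, so a reader on an Insider build no longer knows which build is required; if a minimum still applies, state it in that bullet.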

View File

@ -240,6 +240,7 @@
#### [Walkthrough: use Group Policy to configure Windows Update for Business](update/waas-wufb-group-policy.md)
#### [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md)
#### [Enable FoD and language pack updates in Windows Update](update/fod-and-lang-packs.md)
### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md)
### [Manage device restarts after updates](update/waas-restart.md)
### [Manage additional Windows Update settings](update/waas-wu-settings.md)
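Review bot: the new TOC entry "Enable FoD and language pack updates in Windows Update" does not match the H1 of the page it links to ("How to make Features on Demand and language packs available when you're using WSUS/SCCM"), and it introduces the abbreviation "FoD" without expansion; align the entry with the page title, or at least spell out "Features on Demand".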

View File

@ -8,7 +8,7 @@ ms.sitesec: library
author: Jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.date: 10/17/2018
ms.date: 10/18/2018
---
# Windows Updates using forward and reverse differentials
@ -47,19 +47,19 @@ updates optimized for any origin/destination revision pair. It does this by
calculating forward the differential of a changed file from the base version and
its reverse differential back to the base version. Both forward and reverse
differentials are then packaged as an update and distributed to the endpoints
running the software to be updated.
running the software to be updated. The update package contents can be symbolized as follows:
![](images/PSF1.png)
![Symbolic representation of update package contents. a box containing two expressions: delta sub zero transform to sub N, followed delta sub N transform to sub zero](images/PSF1.png)
The endpoints that have the base version of the file (V<sub>0</sub>) hydrate the target
revision (V<sub>N</sub>) by applying a simple transformation:
![](images/PSF2.png)
![Equation: V sub zero + delta sub zero transform to sub N = V sub n](images/PSF2.png)
The endpoints that have revision N of the file (V<sub>N</sub>), hydrate the target revision
(V<sub>R</sub>) by applying the following set of transformations:
![](images/PSF3.png)
![Equation 1: V sub n + delta sub n transform to 0 = V sun 0; Equation 2: V sub zero + delta sub 0 transform to R = V sub R](images/PSF3.png)
The endpoints retain the reverse differentials for the software revision they
are on, so that it can be used for hydrating and applying next revision update.
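Review bot: the new alt text has several defects. In the PSF1.png alt text, "followed delta sub N transform to sub zero" is missing "by". In the PSF2.png alt text the result is written "V sub n" while the prose and the other alt texts use "V sub N". In the PSF3.png alt text "V sun 0" should be "V sub 0", and "delta sub n transform to 0" should use the same "delta sub N transform to sub zero" form as the first image so the two equations read consistently. The alt text is the only form of these equations available to screen readers and search, so it should match the notation in the surrounding prose exactly.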
@ -130,11 +130,11 @@ There can be cases where new files are added to the system during servicing.
These files will not have RTM baselines, thus forward and reverse differentials
cannot be used. In these scenarios, null differentials will be used to handle
servicing. Null differentials are the slightly compressed and optimized version
of the full binaries. It should be noted that update packages can have either
of the full binaries. Update packages can have either
forward or reverse differentials, or null differential of any given binary in
them.
them. The following image symbolizes the content of a Windows 10 quality update installer:
![](images/PSF4.png)
![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containg four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.)](images/PSF4.png)
### Hydration and installation
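Review bot: "containg" in the PSF4.png alt text should be "containing". In the same alt text the two differential sets are written "delta sub RTM transform to sub N" and "delta sub N transform to RTM"; use the same "sub" form for both so they read as the forward and reverse pair the text describes. "Symbolizes" in the new lead-in sentence would read better as "represents".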

View File

@ -0,0 +1,23 @@
---
title: Windows 10 - How to make FoDs and language packs available when you're using WSUS/SCCM
description: Learn how to make FoDs and language packs available for updates when you're using WSUS/SCCM.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: article
ms.author: elizapo
author: lizap
ms.localizationpriority: medium
ms.date: 10/18/2018
---
# How to make Features on Demand and language packs available when you're using WSUS/SCCM
> Applies to: Windows 10
As of Windows 10, version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) and language packs for Windows 10 clients. Instead, you can pull them directly from Windows Update - you just need to change a Group Policy setting that lets clients download these directly from Windows Update. You can also host Features on Demand and language packs on a network share, but starting with Windows 10, version 1809, language packs can only be installed from Windows Update.
For Active Directory and Group Policy environments running in a WSUS\SCCM environment change the **Specify settings for optional component installation and component repair** policy to enable downloading Features on Demand directly from Windows Update or a local share. This setting is located in Computer Configuration\Administrative Templates\System in the Group Policy Editor.
Changing this policy only enables Features on Demand and language pack downloads from Windows Update - it doesn't affect how clients get feature and quality updates. Feature and quality updates will continue to come directly from WSUS\SCCM. It also doesn't affect the schedule for your clients to receive updates.
Learn about other client management options, including using Group Policy and ADMX, in [Manage clients in Windows 10](https://docs.microsoft.com/windows/client-management/).
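Review bot: the instruction "change the **Specify settings for optional component installation and component repair** policy to enable downloading Features on Demand directly from Windows Update or a local share" never says what to set the policy to; state explicitly that it must be Enabled and which option or path the administrator chooses for Windows Update versus a local share, since a reader following this page cannot complete the step as written. Two smaller points: "WSUS\SCCM" uses a backslash in the body while the title uses "WSUS/SCCM", and because the page turns on a direct download path from Windows Update for clients that otherwise only talk to WSUS, it should say that those clients (or their proxy) need network access to Windows Update for the setting to have any effect.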

Binary file not shown (before: 3.1 KiB, after: 7.4 KiB).

Binary file not shown (before: 26 KiB, after: 70 KiB).

View File

@ -325,7 +325,7 @@ If you're running into compatibility issues where your app is incompatible with
**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Protected apps list**
1. In **Mobile apps - App protection policies**, click **Exempt apps**.
1. In **Client apps - App protection policies**, click **Exempt apps**.
![Exempt apps](images/exempt-apps.png)

View File

@ -50,7 +50,7 @@ After youve set up Intune for your organization, you must create a WIP-specif
The Microsoft Intune Overview blade appears.
2. Click **Mobile apps**, click **App protection policies**, and then click **Add a policy**.
2. Click **Client apps**, click **App protection policies**, and then click **Add a policy**.
![Microsoft Intune management console: App policy link](images/wip-azure-portal-start-mam.png)
@ -71,12 +71,12 @@ After youve set up Intune for your organization, you must create a WIP-specif
4. Click **Create**.
The policy is created and appears in the table on the **Mobile apps - App protection policies** blade.
The policy is created and appears in the table on the **Client apps - App protection policies** blade.
>[!NOTE]
>Optionally, you can also add your apps and set your settings from the **Add a policy** blade, but for the purposes of this documentation, we recommend instead that you create the policy first, and then use the subsequent menus that become available.
## Add apps to your Allowed apps list
## Add apps to your Protected apps list
During the policy-creation process in Intune, you can choose the apps you want to allow, as well as deny, access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your apps are based on the type of template being applied. You can add a recommended app, a store app (also known as a Universal Windows Platform (UWP) app), or a signed Windows desktop app. You can also import a list of approved apps or add exempt apps.
@ -84,19 +84,19 @@ The steps to add your apps are based on the type of template being applied. You
In addition, you can create an app deny list related to the policy based on an **action** value. The action can be either **Allow** or **Deny**. When you specify the deny action for an app using the policy, corporate access is denied to the app.
>[!Important]
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<br><br>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Allowed apps** list. If you dont get this statement, its possible that you could experience app compatibility issues due to an app losing the ability to access a necessary file after revocation.
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<br><br>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Protected apps** list. If you dont get this statement, its possible that you could experience app compatibility issues due to an app losing the ability to access a necessary file after revocation.
### Add a Recommended app to your Allowed apps list
For this example, were going to add a few recommended apps to the **Allowed apps** list.
### Add a Recommended app to your Protected apps list
For this example, were going to add a few recommended apps to the **Protected apps** list.
**To add a recommended app**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears.
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy.
![Microsoft Intune management console: Viewing the recommended apps that you can add to your policy](images/wip-azure-allowed-apps-pane.png)
2. From the **Allowed apps** blade, click **Add apps**.
2. From the **Protected apps** blade, click **Add apps**.
The **Add apps** blade appears, showing you all **Recommended apps**.
@ -104,27 +104,27 @@ For this example, were going to add a few recommended apps to the **Allowed a
3. Select each app you want to access your enterprise data, and then click **OK**.
The **Allowed apps** blade updates to show you your selected apps.
The **Protected apps** blade updates to show you your selected apps.
![Microsoft Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png)
![Microsoft Intune management console: Protected apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png)
4. Click **Save** to save the **Allowed apps** list to your policy.
4. Click **Save** to save the **Protected apps** list to your policy.
### Add a Store app to your Allowed apps list
For this example, were going to add Microsoft Power BI, a Windows store app, to the **Allowed apps** list.
### Add a Store app to your Protected apps list
For this example, were going to add Microsoft Power BI, a Windows store app, to the **Protected apps** list.
**To add a Store app**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears.
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy.
2. From the **Allowed apps** blade, click **Add apps**.
2. From the **Protected apps** blade, click **Add apps**.
3. On the **Add apps** blade, click **Store apps** from the dropdown list.
4. Type the friendly name of the app, the publisher info, and the product name. For this example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.MicrosoftPowerBIForWindows`.
5. After youve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list, and then click **Save** to save the **Allowed apps** list to your policy.
5. After youve entered the info into the fields, click **OK** to add the app to your **Protected apps** list, and then click **Save** to save the **Protected apps** list to your policy.
>[!NOTE]
>To add multiple Store apps at the same time, you can click the menu **(…)** at the end of the app row, and continue to add more apps. When youre done, click **OK**.
@ -180,15 +180,15 @@ If you don't know the publisher or product name for your Store app, you can find
>The JSON file might also return a windowsPhoneLegacyId value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as windowsPhoneLegacyId, and set the **Publisher Name** as CN= followed by the windowsPhoneLegacyId.<br><br>For example:<br>
<code>{<br>"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",<br>}</code>
### Add a Desktop app to your Allowed apps list
For this example, were going to add WordPad, a Desktop app, to the **Allowed apps** list.
### Add a Desktop app to your Protected apps list
For this example, were going to add WordPad, a Desktop app, to the **Protected apps** list.
**To add a Desktop app**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears.
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy.
2. From the **Allowed apps** blade, click **Add apps**.
2. From the **Protected apps** blade, click **Add apps**.
3. On the **Add apps** blade, click **Desktop apps** from the dropdown list.
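Review bot: the JSON sample in this hunk's leading context, `{"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",}`, has a trailing comma and is not valid JSON; since the renames touch this block anyway, drop the comma so a reader who pastes the snippet into a validator gets a clean result.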
@ -233,7 +233,7 @@ For this example, were going to add WordPad, a Desktop app, to the **Allowed
</tr>
</table>
4. After youve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list, and then click **Save** to save the **Allowed apps** list to your policy.
4. After youve entered the info into the fields, click **OK** to add the app to your **Protected apps** list, and then click **Save** to save the **Protected apps** list to your policy.
>[!Note]
>To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When youre done, click **OK**.
@ -257,10 +257,10 @@ Path Publisher
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter into the **Publisher** box and `WORDPAD.EXE` is the text to enter into the **File** box.
### Import a list of apps to your Allowed apps list
For this example, were going to add an AppLocker XML file to the **Allowed apps** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
### Import a list of apps to your Protected apps list
For this example, were going to add an AppLocker XML file to the **Protected apps** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
**To create a list of Allowed apps using the AppLocker tool**
**To create a list of Protected apps using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
@ -334,9 +334,9 @@ For this example, were going to add an AppLocker XML file to the **Allowed ap
12. After youve created your XML file, you need to import it by using Microsoft Intune.
**To import your list of Allowed apps using Microsoft Intune**
**To import your list of Protected apps using Microsoft Intune**
1. From the **Allowed apps** area, click **Import apps**.
1. From the **Protected apps** area, click **Import apps**.
The blade changes to let you add your import file.
@ -349,7 +349,7 @@ For this example, were going to add an AppLocker XML file to the **Allowed ap
### Add exempt apps to your policy
If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Allowed apps list**
**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Protected apps list**
1. From the **App policy** blade, click the name of your policy, and then click **Exempt apps** from the menu that appears.
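Review bot: step 1 in this hunk still says "From the **App policy** blade" while every other procedure in the file now starts "From the **Client apps - App protection policies** blade"; update this line too so the exempt-apps procedure matches the renamed portal UI.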
@ -361,13 +361,13 @@ If you're running into compatibility issues where your app is incompatible with
3. Fill out the rest of the app info, based on the type of app youre adding:
- **Recommended app.** Follow the instructions in the [Add a Recommended app to your Allowed apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic.
- **Recommended app.** Follow the instructions in the [Add a Recommended app to your Protected apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic.
- **Store app.** Follow the instructions in the [Add a Store app to your Allowed apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic.
- **Store app.** Follow the instructions in the [Add a Store app to your Protected apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic.
- **Desktop app.** Follow the instructions in the [Add a Desktop app to your Allowed apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic.
- **Desktop app.** Follow the instructions in the [Add a Desktop app to your Protected apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic.
- **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Allowed apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps.
- **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Protected apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps.
4. Click **OK**.
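Review bot: the link text is updated to "Protected apps list" but the fragment anchors still point at the old slugs (`#add-a-recommended-app-to_your-allowed-apps-list` and the three like it). Renaming the headings to "... your Protected apps list" changes their generated anchors, so these links now break; they also contain `to_your` with an underscore, which never matched a generated anchor. Regenerate them from the new headings, for example `#add-a-recommended-app-to-your-protected-apps-list`.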
@ -384,7 +384,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
**To add your protection mode**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
The **Required settings** blade appears.
@ -406,7 +406,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
**To change your corporate identity**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
The **Required settings** blade appears.
@ -427,7 +427,7 @@ Intune will add SharePoint sites that are discovered through the Graph API. You
**To define where your allowed apps can find and send enterprise data on you network**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
The **Advanced settings** blade appears.
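Review bot: the bold procedure title in this hunk's leading context, "To define where your allowed apps can find and send enterprise data on you network", keeps "allowed apps" although the rest of the PR renames the list to "Protected apps", and "on you network" should be "on your network".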
@ -501,7 +501,7 @@ After you create and deploy your WIP policy to your employees, Windows begins to
>Using a DRA certificate isnt mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) topic.
**To upload your DRA certificate**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
The **Advanced settings** blade appears.
@ -514,7 +514,7 @@ After you've decided where your protected apps can access enterprise data on you
**To set your optional settings**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
The **Advanced settings** blade appears.
@ -572,7 +572,7 @@ You can turn on Windows Hello for Business, letting your employees use it as a s
**To turn on and configure Windows Hello for Business**
1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
The **Advanced settings** blade appears.
@ -636,7 +636,7 @@ After youve created your policy, you'll need to deploy it to your employees.
**To deploy your policy**
1. On the **Mobile apps - App protection policies** pane, click your newly-created policy, click **Assignments** from the menu that appears, and then click **Select groups**.
1. On the **Client apps - App protection policies** pane, click your newly-created policy, click **Assignments** from the menu that appears, and then click **Select groups**.
A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane.
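Review bot: in the trailing context line, "A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane" should read "appears", the subject being "A list".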

View File

@ -1,7 +1,7 @@
---
title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10)
description: This list provides all of the tasks that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) in your enterprise.
keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Allowed apps list
keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Protected apps list
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -24,7 +24,7 @@ This list provides all of the tasks and settings that are required for the opera
|Task|Description|
|----|-----------|
|Add at least one app to the **Allowed apps** list in your WIP policy.|You must have at least one app added to your **Allowed apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Allowed apps list** section of the policy creation topics.|
|Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.|
|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Hide Overrides**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if its incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|

View File

@ -77,7 +77,7 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
- **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Using allowed apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode.
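Review bot: the bullet is renamed inside ("Protected apps list") but its label "**Using allowed apps.**" and the rest of the sentence ("another allowed app", "from an allowed app") keep the old term, and the next bullet still says "your allowed apps list"; rename these as well, otherwise the overview page uses both terms for the same list.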

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.author: justinha
ms.date: 05/30/2018
ms.date: 10/18/2018
ms.localizationpriority: medium
---
@ -20,7 +20,7 @@ ms.localizationpriority: medium
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a WIP policy. If you are using Intune, the SharePoint entries may be added automatically.
## Recommended Enterprise Cloud Resources
This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization.

View File

@ -1,16 +1,16 @@
---
title: How to get a list of XML elements in <EventData> (Windows 10)
description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML elements that can appear in <EventData>.
title: How to get a list of XML data name elements in <EventData> (Windows 10)
description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in <EventData>.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: tedhardyMSFT
ms.date: 10/15/2018
ms.date: 10/18/2018
---
# How to get a list of XML elements in EventData
# How to get a list of XML data name elements in EventData
**Applies to**
- Windows 10
@ -82,3 +82,48 @@ PS C:\WINDOWS\system32> $SecEvents.events[100].Template
</template>
```
## Mapping data name elements to the names in an event description
You can use the <Template> and <Description> to map the data name elements that appear in XML view to the names that appear in the event description.
The <Description> is just the format string (if youre used to Console.Writeline or sprintf statements) and the <Template> is the source of the input parameters for the <Description>.
Using Security event 4734 as an example:
```xml
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
<data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
</template>
Description : A security-enabled local group was deleted.
Subject:
Security ID: %4
Account Name: %5
Account Domain: %6
Logon ID: %7
Group:
Security ID: %3
Group Name: %1
Group Domain: %2
Additional Information:
Privileges: %8
```
For the "Subject: Security Id:" text element, it will use the fourth element in the Template, "SubjectUserSid".
For "Additional Information Privileges:", it would use the eighth element "PrivelegeList".
A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
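Review bot: the Version caveat in the last added paragraph contradicts itself: "Most events have 1 version (all events have Version =0 ...)" is immediately followed by 4624 and 4688 having versions 0, 1 and 2, so "all" should be "most", e.g. "most events have only version 0". The element is `<System>`, not `<SYSTEM>`; the rest of the page uses the real element casing (`<EventData>`, `<Template>`). The practical consequence is also left implicit: `$SecEvents.events[100]` is a positional index, and a provider that has several versions of an event returns one metadata entry per (Id, Version), so tell the reader to select by Id and Version and read Template and Description from that same entry, for example `$SecEvents.Events | Where-Object { $_.Id -eq 4688 } | Select-Object Id, Version`. The mapping rule itself ("%4 is the fourth <data> element") should be stated once in general terms: `%N` is the 1-based position of the `<data>` element in the template, in document order. Typos: "youre" should be "you're", and "PrivelegeList" should be "PrivilegeList", which is how the template line spells it.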

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/02/2018
ms.date: 10/17/2018
---
# Reduce attack surfaces with attack surface reduction rules
@ -56,7 +56,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
The rules apply to the following Office apps:
@ -120,8 +120,6 @@ Malware and other threats can attempt to obfuscate or hide their malicious code
This rule prevents scripts that appear to be obfuscated from running.
It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them.
### Rule: Block Win32 API calls from Office macro
Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
@ -168,7 +166,7 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
### Rule: Block only Office communication applications from creating child processes
### Rule: Block Office communication applications from creating child processes
Office communication apps will not be allowed to create child processes. This includes Outlook.
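Review bot: renaming the heading changes its anchor slug, so any link to the old "#rule-block-only-office-communication-applications-from-creating-child-processes" anchor breaks; the customize and enable pages touched in this same commit both link to attack-surface-reduction-exploit-guard.md, so their anchors (and any others) need checking. Now that "only" is gone from the name, the body "Office communication apps will not be allowed to create child processes. This includes Outlook." should enumerate exactly which applications the rule covers rather than say "includes", otherwise readers will assume it applies to every Office app, which the separate Office child-process rule already handles.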

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/02/2018
ms.date: 10/17/2018
---
# Customize attack surface reduction rules
@ -61,7 +61,7 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block only Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/02/2018
ms.date: 10/17/2018
---
# Enable attack surface reduction rules
@ -46,7 +46,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.