deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #4764 from MicrosoftDocs/FromPrivateRepo

Browse Source 
From private repo
This commit is contained in:
huypub 2019-08-22 10:47:38 -07:00 committed by GitHub
commit bd962a44c4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 259 additions and 448 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
.openpublishing.redirection.json
View File

@ -14862,19 +14862,14 @@
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md",
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow",
"redirect_document_id": true
"source_path": "windows/security/threat-protection/windows-defender-atp/api-microsoft-flow.md",
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md",
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md",
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token",
"redirect_document_id": true
"source_path": "windows/security/threat-protection/windows-defender-atp/api-power-bi.md",
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/api-power-bi",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md",

41
surface-hub-2s-ports-keypad.md
View File

@ -1,41 +0,0 @@
---
title: "Surface Hub 2S ports and keypad overview"
description: "This page describes the ports, physical buttons, and configuration information for Surface Hub 2S."
keywords: separate values with commas
ms.prod: surface-hub
ms.sitesec: library
author: robmazz
ms.author: robmazz
audience: Admin
ms.topic: article
ms.localizationpriority: Normal
---
# Surface Hub 2S ports and keypad overview
This page describes the ports, physical buttons, and configuration information essential for connecting to Surface Hub 2S whether via wired, Wi-Fi, or Bluetooth methods. It also includes best practice recommendations for key connectivity scenarios.
Figure 1 shows the location ports and physical buttons located on a keypad attached to the underside of the device. Table 1 includes detailed descriptions of each element.
*Figure 1. Front facing and underside view of I/O connections and physical buttons*
*Table 1. Surface Hub 2S port and keypad component reference*
| Key | Component | Description | Key parameters |
| --- | -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------- |
| ① | USB C | USB 3.0 Port<br><br>- Use as a walk-up port for plugging in peripherals such as thumb-drives. Guest ports are located on each side of the device (4).<br>- <br><br>NOTE: This is the recommended port for connecting an external camera. Additional camera mount features are incorporated into the design to help support retention of attached cameras.<br> <br><br>- NOTE: TouchBack and video ingest are not supported on these ports. | Type C<br><br>- 15 W Port (5V/3A) |
| ② | AC power | 100-240V input<br>Connect to standard AC power and Surface Hub 2S will auto switch to the local power standard such as110 volts in the US and Canada or 220 volts in the UK or other countries.<br> <br>NOTE: When the AC cord is plugged in, the system remains in an off state in which only the system management controller (SMC), real time clock (RTC), and keypad are running. | IEC 60320 C14 |
| ③ | DC power | 24V DC input port<br>Use for connecting to mobile battery. | Xbox1 Dual barrel to Anderson connector |
| ④ | Ethernet | 1000/100/10 BaseT<br>Use for providing a continuous connection in a corporate environment and related scenarios requiring maximum stability or capacity. | RJ45 |
| ⑤ | USB-A | USB 3.0 Port<br>Use as a walk-up port for plugging in peripherals such as thumb-drives. | Type A<br>7.5 W Port (5V/1.5A) |
| ⑥ | USB-C | USB 3.0 Port<br>Use as a walk-up port for connecting external PCs and related devices or plugging in peripherals such as thumb-drives.<br> <br>NOTE: This is the recommended video input port, supporting both TouchBack and InkBack. | Type C<br>18 W Port (5V/3A, 9V/2A) |
| ⑦ | HDMI in | HDMI 2.0, HDCP 2.2 /1.4<br>Use for multiple scenarios including HDMI-to-HDMI guest input. | Standard HDMI |
| ⑧ | Mini DisplayPort out | DisplayPort 1.2 output<br>Use for video-out scenarios such as mirroring the Surface Hub 2S display to a larger projector. | Mini DisplayPort |
| ⑨ | Source | Use to toggle among connected ingest sources — external PC, HDMI, and DisplayPort modes. | n/a |
| ⑩ | Volume | Use +/- to adjust audio locally on the device.<br> <br>NOTE: When navigating to the brightness control, use +/- on the volume slider to control display brightness. | n/a |
| ⑪ | Power | Power device on/off.<br>Use also to navigate display menus and select items. | n/a |
**
**
*Figure 2. Rear facing view of wireless, audio, & related components*
NOTE: **many of these components are internal and may not be obviously visible from the outside.
*Figure 3. Wired port connections on Surface Hub-2S*

233
windows/client-management/mdm/bitlocker-csp.md
View File

@ -6,15 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: lomayor
ms.date: 05/02/2019
ms.date: 08/05/2019
ms.reviewer:
manager: dansimp
---
# BitLocker CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.
> [!NOTE]
@ -31,10 +28,10 @@ The following diagram shows the BitLocker configuration service provider in tree
![bitlocker csp](images/provisioning-csp-bitlocker.png)
<a href="" id="--device-vendor-msft-bitlocker"></a>**./Device/Vendor/MSFT/BitLocker**
<p style="margin-left: 20px">Defines the root node for the BitLocker configuration service provider.</p>
Defines the root node for the BitLocker configuration service provider.
<a href="" id="requirestoragecardencryption"></a>**RequireStorageCardEncryption**
<p style="margin-left: 20px">Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU.</p>
Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU.
<table>
<tr>
@ -57,14 +54,14 @@ The following diagram shows the BitLocker configuration service provider in tree
</tr>
</table>
<p style="margin-left: 20px">Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.</p>
Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.
- 0 (default) Storage cards do not need to be encrypted.
- 1 Require Storage cards to be encrypted.
<p style="margin-left: 20px">Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.</p>
Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.
<p style="margin-left: 20px">If you want to disable this policy use the following SyncML:</p>
If you want to disable this policy use the following SyncML:
```xml
<SyncML>
@ -85,11 +82,11 @@ The following diagram shows the BitLocker configuration service provider in tree
</SyncML>
```
<p style="margin-left: 20px">Data type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
Data type is integer. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="requiredeviceencryption"></a>**RequireDeviceEncryption**
<p style="margin-left: 20px">Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption.</p>
Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption.
<table>
<tr>
@ -112,9 +109,26 @@ The following diagram shows the BitLocker configuration service provider in tree
</tr>
</table>
<p style="margin-left: 20px">Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.</p>
Data type is integer. Sample value for this node to enable this policy: 1.
Supported operations are Add, Get, Replace, and Delete.
<p style="margin-left: 20px">If you want to disable this policy use the following SyncML:</p>
Status of OS volumes and encryptable fixed data volumes are checked with a Get operation. Typically, BitLocker/Device Encryption will follow whichever value [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) policy is set to. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives.
Encryptable fixed data volumes are treated similarly to OS volumes. However, fixed data volumes must meet additional criteria to be considered encryptable:
- It must not be a dynamic volume.
- It must not be a recovery partition.
- It must not be a hidden volume.
- It must not be a system partition.
- It must not be backed by virtual storage.
- It must not have a reference in the BCD store.
The following list shows the supported values:
- 0 (default) Disable. If the policy setting is not set or is set to 0, the device's enforcement status will not be checked. The policy will not enforce encryption and it will not decrypt encrypted volumes.
- 1 Enable. The device's enforcement status will be checked. Setting this policy to 1 will trigger encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy).
If you want to disable this policy use the following SyncML:
```xml
<SyncML>
@ -135,10 +149,9 @@ The following diagram shows the BitLocker configuration service provider in tree
</SyncML>
```
<p style="margin-left: 20px">Data type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
<a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
<p style="margin-left: 20px">Allows you to set the default encrytion method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)&quot;. </p>
Allows you to set the default encrytion method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)&quot;.
<table>
<tr>
<th>Home</th>
@ -159,7 +172,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
ADMX Info:
<ul>
<li>GP English name: <em>Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)</em></li>
<li>GP name: <em>EncryptionMethodWithXts_Name</em></li>
@ -170,23 +183,23 @@ The following diagram shows the BitLocker configuration service provider in tree
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.</p>
This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
<p style="margin-left: 20px">If you enable this setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511.</p>
If you enable this setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.</p>
If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.
<p style="margin-left: 20px"> Sample value for this node to enable this policy and set the encryption methods is:</p>
Sample value for this node to enable this policy and set the encryption methods is:
```xml
<enabled/><data id="EncryptionMethodWithXtsOsDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsFdvDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsRdvDropDown_Name" value="xx"/>
```
<p style="margin-left: 20px">EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives</p>
<p style="margin-left: 20px">EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.</p>
<p style="margin-left: 20px">EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.</p>
EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives
EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.
<p style="margin-left: 20px"> The possible values for &#39;xx&#39; are:</p>
The possible values for &#39;xx&#39; are:
- 3 = AES-CBC 128
- 4 = AES-CBC 256
@ -196,7 +209,7 @@ The following diagram shows the BitLocker configuration service provider in tree
> [!NOTE]
> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status.
<p style="margin-left: 20px"> If you want to disable this policy use the following SyncML:</p>
If you want to disable this policy use the following SyncML:
```xml
<Replace>
@ -213,10 +226,10 @@ The following diagram shows the BitLocker configuration service provider in tree
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Data type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="systemdrivesrequirestartupauthentication"></a>**SystemDrivesRequireStartupAuthentication**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy &quot;Require additional authentication at startup&quot;.</p>
This setting is a direct mapping to the Bitlocker Group Policy &quot;Require additional authentication at startup&quot;.
<table>
<tr>
<th>Home</th>
@ -237,7 +250,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
ADMX Info:
<ul>
<li>GP English name: <em>Require additional authentication at startup</em></li>
<li>GP name: <em>ConfigureAdvancedStartup_Name</em></li>
@ -248,31 +261,31 @@ The following diagram shows the BitLocker configuration service provider in tree
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.</p>
This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.
> [!NOTE]
> Only one of the additional authentication options can be required at startup, otherwise an error occurs.
<p style="margin-left: 20px">If you want to use BitLocker on a computer without a TPM, set the &quot;ConfigureNonTPMStartupKeyUsage_Name&quot; data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.</p>
If you want to use BitLocker on a computer without a TPM, set the &quot;ConfigureNonTPMStartupKeyUsage_Name&quot; data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
<p style="margin-left: 20px">On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.</p>
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.
> [!NOTE]
> In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits.
<p style="margin-left: 20px">If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.</p>
If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.
<p style="margin-left: 20px">If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.</p>
If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.
> [!NOTE]
> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
Sample value for this node to enable this policy is:
```xml
<enabled/><data id="ConfigureNonTPMStartupKeyUsage_Name" value="xx"/><data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="yy"/><data id="ConfigurePINUsageDropDown_Name" value="yy"/><data id="ConfigureTPMPINKeyUsageDropDown_Name" value="yy"/><data id="ConfigureTPMUsageDropDown_Name" value="yy"/>
```
<p style="margin-left: 20px">Data id:</p>
Data id:
<ul>
<li>ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).</li>
<li>ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key.</li>
@ -281,20 +294,20 @@ The following diagram shows the BitLocker configuration service provider in tree
<li>ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.</li>
</ul>
<p style="margin-left: 20px">The possible values for &#39;xx&#39; are:</p>
The possible values for &#39;xx&#39; are:
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
<p style="margin-left: 20px">The possible values for &#39;yy&#39; are:</p>
The possible values for &#39;yy&#39; are:
<ul>
<li>2 = Optional</li>
<li>1 = Required</li>
<li>0 = Disallowed</li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
<Replace>
@ -310,10 +323,10 @@ The following diagram shows the BitLocker configuration service provider in tree
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Data type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="systemdrivesminimumpinlength"></a>**SystemDrivesMinimumPINLength**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure minimum PIN length for startup&quot;.</p>
This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure minimum PIN length for startup&quot;.
<table>
<tr>
<th>Home</th>
@ -334,7 +347,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
ADMX Info:
<ul>
<li>GP English name:<em>Configure minimum PIN length for startup</em></li>
<li>GP name: <em>MinimumPINLength_Name</em></li>
@ -345,24 +358,24 @@ The following diagram shows the BitLocker configuration service provider in tree
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.</p>
This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
> [!NOTE]
> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits.
>
>In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This does not apply to TPM 1.2.
<p style="margin-left: 20px">If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN.</p>
If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN.
<p style="margin-left: 20px">If you disable or do not configure this setting, users can configure a startup PIN of any length between 6 and 20 digits.</p>
If you disable or do not configure this setting, users can configure a startup PIN of any length between 6 and 20 digits.
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
Sample value for this node to enable this policy is:
```xml
<enabled/><data id="MinPINLength" value="xx"/>
```
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
<Replace>
@ -379,10 +392,10 @@ The following diagram shows the BitLocker configuration service provider in tree
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Data type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="systemdrivesrecoverymessage"></a>**SystemDrivesRecoveryMessage**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure pre-boot recovery message and URL&quot; (PrebootRecoveryInfo_Name).</p>
This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure pre-boot recovery message and URL&quot; (PrebootRecoveryInfo_Name).
<table>
<tr>
<th>Home</th>
@ -403,7 +416,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
ADMX Info:
<ul>
<li>GP English name: <em>Configure pre-boot recovery message and URL</em></li>
<li>GP name: <em>PrebootRecoveryInfo_Name</em></li>
@ -414,21 +427,21 @@ The following diagram shows the BitLocker configuration service provider in tree
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
</p>
This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
<p style="margin-left: 20px">If you set the value to &quot;1&quot; (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value &quot;1&quot; (Use default recovery message and URL).</o>
<p style="margin-left: 20px">If you set the value to &quot;2&quot; (Use custom recovery message), the message you set in the &quot;RecoveryMessage_Input&quot; data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.</p>
If you set the value to &quot;1&quot; (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value &quot;1&quot; (Use default recovery message and URL).</o>
<p style="margin-left: 20px">If you set the value to &quot;3&quot; (Use custom recovery URL), the URL you type in the &quot;RecoveryUrl_Input&quot; data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.</p>
If you set the value to &quot;2&quot; (Use custom recovery message), the message you set in the &quot;RecoveryMessage_Input&quot; data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
If you set the value to &quot;3&quot; (Use custom recovery URL), the URL you type in the &quot;RecoveryUrl_Input&quot; data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.
Sample value for this node to enable this policy is:
```xml
<enabled/><data id="PrebootRecoveryInfoDropDown_Name" value="xx"/><data id="RecoveryMessage_Input" value="yy"/><data id="RecoveryUrl_Input" value="zz"/>
```
<p style="margin-left: 20px">The possible values for &#39;xx&#39; are:</p>
The possible values for &#39;xx&#39; are:
- 0 = Empty
- 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input").
@ -440,7 +453,7 @@ The following diagram shows the BitLocker configuration service provider in tree
> [!NOTE]
> When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status.
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
<Replace>
@ -460,10 +473,10 @@ The following diagram shows the BitLocker configuration service provider in tree
> [!NOTE]
> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Data type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="systemdrivesrecoveryoptions"></a>**SystemDrivesRecoveryOptions**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose how BitLocker-protected operating system drives can be recovered&quot; (OSRecoveryUsage_Name).</p>
This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose how BitLocker-protected operating system drives can be recovered&quot; (OSRecoveryUsage_Name).
<table>
<tr>
<th>Home</th>
@ -484,7 +497,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
ADMX Info:
<ul>
<li>GP English name: <em>Choose how BitLocker-protected operating system drives can be recovered</em></li>
<li>GP name: <em>OSRecoveryUsage_Name</em></li>
@ -495,52 +508,52 @@ The following diagram shows the BitLocker configuration service provider in tree
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.</p>
This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.
<p style="margin-left: 20px">The &quot;OSAllowDRA_Name&quot; (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.</p>
The &quot;OSAllowDRA_Name&quot; (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
<p style="margin-left: 20px">In &quot;OSRecoveryPasswordUsageDropDown_Name&quot; and &quot;OSRecoveryKeyUsageDropDown_Name&quot; (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.</p>
In &quot;OSRecoveryPasswordUsageDropDown_Name&quot; and &quot;OSRecoveryKeyUsageDropDown_Name&quot; (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
<p style="margin-left: 20px">Set &quot;OSHideRecoveryPage_Name&quot; (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.</p>
Set &quot;OSHideRecoveryPage_Name&quot; (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
<p style="margin-left: 20px">Set &quot;OSActiveDirectoryBackup_Name&quot; (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set &quot;1&quot; (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set &quot;2&quot; (Backup recovery password only), only the recovery password is stored in AD DS.</p>
Set &quot;OSActiveDirectoryBackup_Name&quot; (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set &quot;1&quot; (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set &quot;2&quot; (Backup recovery password only), only the recovery password is stored in AD DS.
<p style="margin-left: 20px">Set the &quot;OSRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.</p>
Set the &quot;OSRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
&gt; [!Note]<br/>&gt; If the &quot;OSRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
<p style="margin-left: 20px">If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.</p>
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.
<p style="margin-left: 20px">If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.</p>
If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
Sample value for this node to enable this policy is:
```xml
<enabled/><data id="OSAllowDRA_Name" value="xx"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/><data id="OSHideRecoveryPage_Name" value="xx"/><data id="OSActiveDirectoryBackup_Name" value="xx"/><data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/><data id="OSRequireActiveDirectoryBackup_Name" value="xx"/>
```
<p style="margin-left: 20px">The possible values for &#39;xx&#39; are:</p>
The possible values for &#39;xx&#39; are:
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
<li></li>
</ul>
<p style="margin-left: 20px">The possible values for &#39;yy&#39; are:</p>
The possible values for &#39;yy&#39; are:
<ul>
<li>2 = Allowed</li>
<li>1 = Required</li>
<li>0 = Disallowed</li>
</ul>
<p style="margin-left: 20px">The possible values for &#39;zz&#39; are:</p>
The possible values for &#39;zz&#39; are:
<ul>
<li>2 = Store recovery passwords only</li>
<li>1 = Store recovery passwords and key packages</li>
<li></li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
<Replace>
@ -557,10 +570,10 @@ The following diagram shows the BitLocker configuration service provider in tree
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Data type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="fixeddrivesrecoveryoptions"></a>**FixedDrivesRecoveryOptions**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose how BitLocker-protected fixed drives can be recovered&quot; ().</p>
This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose how BitLocker-protected fixed drives can be recovered&quot; ().
<table>
<tr>
<th>Home</th>
@ -581,7 +594,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
ADMX Info:
<ul>
<li>GP English name: <em>Choose how BitLocker-protected fixed drives can be recovered</em></li>
<li>GP name: <em>FDVRecoveryUsage_Name</em></li>
@ -592,39 +605,39 @@ The following diagram shows the BitLocker configuration service provider in tree
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.</p>
This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.
<p style="margin-left: 20px">The &quot;FDVAllowDRA_Name&quot; (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.</p>
The &quot;FDVAllowDRA_Name&quot; (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
<p style="margin-left: 20px">In &quot;FDVRecoveryPasswordUsageDropDown_Name&quot; (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.</p>
In &quot;FDVRecoveryPasswordUsageDropDown_Name&quot; (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
<p style="margin-left: 20px">Set &quot;FDVHideRecoveryPage_Name&quot; (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.</p>
Set &quot;FDVHideRecoveryPage_Name&quot; (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
<p style="margin-left: 20px">Set &quot;FDVActiveDirectoryBackup_Name&quot; (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.</p>
Set &quot;FDVActiveDirectoryBackup_Name&quot; (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.
<p style="margin-left: 20px">Set the &quot;FDVRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.</p>
Set the &quot;FDVRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
<p style="margin-left: 20px">Set the &quot;FDVActiveDirectoryBackupDropDown_Name&quot; (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select &quot;1&quot; (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select &quot;2&quot; (Backup recovery password only) only the recovery password is stored in AD DS.</p>
Set the &quot;FDVActiveDirectoryBackupDropDown_Name&quot; (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select &quot;1&quot; (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select &quot;2&quot; (Backup recovery password only) only the recovery password is stored in AD DS.
&gt; [!Note]<br/>&gt; If the &quot;FDVRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
<p style="margin-left: 20px">If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.</p>
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
<p style="margin-left: 20px">If this setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.</p>
If this setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
Sample value for this node to enable this policy is:
```xml
<enabled/><data id="FDVAllowDRA_Name" value="xx"/><data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/><data id="FDVHideRecoveryPage_Name" value="xx"/><data id="FDVActiveDirectoryBackup_Name" value="xx"/><data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/><data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/>
```
<p style="margin-left: 20px">The possible values for &#39;xx&#39; are:</p>
The possible values for &#39;xx&#39; are:
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
<p style="margin-left: 20px">The possible values for &#39;yy&#39; are:</p>
The possible values for &#39;yy&#39; are:
<ul>
<li>2 = Allowed</li>
<li>1 = Required</li>
@ -632,13 +645,13 @@ The following diagram shows the BitLocker configuration service provider in tree
</ul>
<p style="margin-left: 20px">The possible values for &#39;zz&#39; are:</p>
The possible values for &#39;zz&#39; are:
<ul>
<li>2 = Store recovery passwords only</li>
<li>1 = Store recovery passwords and key packages</li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
<Replace>
@ -655,10 +668,10 @@ The following diagram shows the BitLocker configuration service provider in tree
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Data type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="fixeddrivesrequireencryption"></a>**FixedDrivesRequireEncryption**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy &quot;Deny write access to fixed drives not protected by BitLocker&quot; (FDVDenyWriteAccess_Name).</p>
This setting is a direct mapping to the Bitlocker Group Policy &quot;Deny write access to fixed drives not protected by BitLocker&quot; (FDVDenyWriteAccess_Name).
<table>
<tr>
<th>Home</th>
@ -679,7 +692,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
ADMX Info:
<ul>
<li>GP English name: <em>Deny write access to fixed drives not protected by BitLocker</em></li>
<li>GP name: <em>FDVDenyWriteAccess_Name</em></li>
@ -690,17 +703,17 @@ The following diagram shows the BitLocker configuration service provider in tree
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.</p>
This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.
<p style="margin-left: 20px">If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.</p>
If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
Sample value for this node to enable this policy is:
```xml
<enabled/>
```
<p style="margin-left: 20px">If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML:</p>
If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML:
```xml
<Replace>
@ -717,10 +730,10 @@ The following diagram shows the BitLocker configuration service provider in tree
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Data type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="removabledrivesrequireencryption"></a>**RemovableDrivesRequireEncryption**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy &quot;Deny write access to removable drives not protected by BitLocker&quot; (RDVDenyWriteAccess_Name).</p>
This setting is a direct mapping to the Bitlocker Group Policy &quot;Deny write access to removable drives not protected by BitLocker&quot; (RDVDenyWriteAccess_Name).
<table>
<tr>
<th>Home</th>
@ -741,7 +754,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
ADMX Info:
<ul>
<li>GP English name: <em>Deny write access to removable drives not protected by BitLocker</em></li>
<li>GP name: <em>RDVDenyWriteAccess_Name</em></li>
@ -752,29 +765,29 @@ The following diagram shows the BitLocker configuration service provider in tree
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.</p>
This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
<p style="margin-left: 20px">If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.</p>
If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
<p style="margin-left: 20px">If the &quot;RDVCrossOrg&quot; (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer&#39;s identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the &quot;Provide the unique identifiers for your organization&quot; group policy setting.</p>
If the &quot;RDVCrossOrg&quot; (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer&#39;s identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the &quot;Provide the unique identifiers for your organization&quot; group policy setting.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.</p>
If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
&gt; [!Note]<br/>&gt; This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the &quot;Removable Disks: Deny write access&quot; group policy setting is enabled this policy setting will be ignored.
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
Sample value for this node to enable this policy is:
```xml
<enabled/><data id="RDVCrossOrg" value="xx"/>
```
<p style="margin-left: 20px">The possible values for &#39;xx&#39; are:</p>
The possible values for &#39;xx&#39; are:
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
<Replace>
@ -793,7 +806,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<a href="" id="allowwarningforotherdiskencryption"></a>**AllowWarningForOtherDiskEncryption**
<p style="margin-left: 20px">Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.</p>
Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.
> [!IMPORTANT]
> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview).
@ -822,7 +835,7 @@ The following diagram shows the BitLocker configuration service provider in tree
</tr>
</table>
<p style="margin-left: 20px">The following list shows the supported values:</p>
The following list shows the supported values:
- 0 Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0.
- 1 (default) Warning prompt allowed.

13
windows/security/threat-protection/TOC.md
View File

@ -418,15 +418,10 @@
####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md)
##### [How to use APIs - Samples]()
###### [Advanced Hunting API]()
####### [Schedule advanced Hunting using Microsoft Flow](microsoft-defender-atp/run-advanced-query-sample-ms-flow.md)
####### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
####### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md)
####### [Create custom Power BI reports](microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md)
###### [Multiple APIs]()
####### [PowerShell](microsoft-defender-atp/exposed-apis-full-sample-powershell.md)
###### [Microsoft Flow](microsoft-defender-atp/api-microsoft-flow.md)
###### [Power BI](microsoft-defender-atp/api-power-bi.md)
###### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md)
###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
#### [Windows updates (KB) info]()

81
windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md Normal file
View File

@ -0,0 +1,81 @@
---
title: Microsoft Defender ATP Flow connector
ms.reviewer:
description: Microsoft Defender ATP Flow connector
keywords: flow, supported apis, api, Microsoft flow, query, automation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Microsoft Defender ATP Flow connector
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional Cyber defenders, forces SOC to work in the most efficient way and automation is a must. MS flow supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within few minutes.
Microsoft Defender API has an official Flow Connector with a lot of capabilities:
![Image of edit credentials](images/api-flow-0.png)
## Usage example
The following example demonstrates how you can create a Flow that will be triggered any time a new Alert occurs on your tenant.
- Login to [Microsoft Flow](https://flow.microsoft.com)
- Go to: My flows > New > Automated
![Image of edit credentials](images/api-flow-1.png)
- Choose a name for your Flow, Search for **Microsoft Defender ATP Triggers** as the trigger and choose the new Alerts trigger.
![Image of edit credentials](images/api-flow-2.png)
- Now you have a Flow that is triggered every time a new Alert occurs.
![Image of edit credentials](images/api-flow-3.png)
All you need to do now, is to choose your next steps.
Lets, for example, Isolate the machine if the Severity of the Alert is **High** and mail about it.
The Alert trigger gives us only the Alert ID and the Machine ID. We can use the Connector to expand these entities.
### Get the Alert entity using the connector
- Choose Microsoft Defender ATP for new step.
- Choose Alerts - Get single alert API.
- Set the Alert Id from the last step as Input.
![Image of edit credentials](images/api-flow-4.png)
### Isolate the machine if the Alert's severity is High
- Add **Condition** as a new step .
- Check if Alert severity equals to **High**.
- If yes, add Microsoft Defender ATP - Isolate machine action with the Machine Id and a comment.
![Image of edit credentials](images/api-flow-5.png)
Now you can add a new step for mailing about the Alert and the Isolation.
There are multiple Email connectors that are very easy to use, e.g. Outlook, GMail, etc..
Save your flow and that's all.
- You can also create **scheduled** flow that will run Advanced Hunting queries and much more!
## Related topic
- [Microsoft Defender ATP APIs](apis-intro.md)

71
windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md → windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
View File

@ -1,8 +1,8 @@
---
title: Advanced Hunting API
title: Microsoft Defender ATP APIs connection to Power BI
ms.reviewer:
description: Use this API to run advanced queries
keywords: apis, supported apis, advanced hunting, query
description: Create custom reports using Power BI
keywords: apis, supported apis, Power BI, reports
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -17,24 +17,17 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Create custom reports using Power BI (user authentication)
# Create custom reports using Power BI
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](prerelease.md)]
In this section you will learn create a Power BI report on top of Microsoft Defender ATP APIs.
Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs (e.g. Machine Actions, Alerts, etc..)
In this section we share Power BI query sample to run a query using **user token**.
If you want to use **application token** instead please refer to [this](run-advanced-query-sample-power-bi-app-token.md) tutorial.
## Before you begin
You first need to [create an app](exposed-apis-create-app-nativeapp.md).
## Run a query
## Connect Power BI to Advanced Hunting API
- Open Microsoft Power BI
@ -46,18 +39,15 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md).
![Image of open advanced editor](images/power-bi-open-advanced-editor.png)
- Copy the below and paste it in the editor, after you update the values of Query
- Copy the below and paste it in the editor:
```
```
let
AdvancedHuntingQuery = "MiscEvents | where ActionType contains 'Anti'",
Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId",
HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries",
FormattedQuery= Uri.EscapeDataString(Query),
AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries?key=" & FormattedQuery,
Response = Json.Document(Web.Contents(AdvancedHuntingUrl)),
Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])),
TypeMap = #table(
{ "Type", "PowerBiType" },
@ -88,12 +78,10 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md).
in Table
```
```
- Click **Done**
![Image of create advanced query](images/power-bi-create-advanced-query.png)
- Click **Edit Credentials**
![Image of edit credentials](images/power-bi-edit-credentials.png)
@ -108,13 +96,32 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md).
![Image of set credentials](images/power-bi-set-credentials-organizational-cont.png)
- View the results of your query
- Now the results of your query will appear as table and you can start build visualizations on top of it!
![Image of query results](images/power-bi-query-results.png)
- You can duplicate this table, rename it and edit the Advanced Hunting query inside to get any data you would like.
## Connect Power BI to OData APIs
- The only difference from the above example is the query inside the editor.
- Copy the below and paste it in the editor to pull all **Machine Actions** from your organization:
```
let
Query = "MachineActions",
Source = OData.Feed("https://api.securitycenter.windows.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true])
in
Source
```
- You can do the same for **Alerts** and **Machines**.
- You also can use OData queries for queries filters, see [Using OData Queries](exposed-apis-odata-samples.md)
## Related topic
- [Create custom Power BI reports with app authentication](run-advanced-query-sample-power-bi-app-token.md)
- [Microsoft Defender ATP APIs](apis-intro.md)
- [Advanced Hunting API](run-advanced-query-api.md)
- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
- [Using OData Queries](exposed-apis-odata-samples.md)

1
windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
View File

@ -117,4 +117,3 @@ $response
- [Microsoft Defender ATP APIs](apis-intro.md)
- [Advanced Hunting API](run-advanced-query-api.md)
- [Advanced Hunting using Python](run-advanced-query-sample-python.md)
- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)

BIN
windows/security/threat-protection/microsoft-defender-atp/images/api-flow-0.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 60 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/api-flow-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/api-flow-2.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/api-flow-3.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.9 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/api-flow-4.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 35 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/api-flow-5.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/power-bi-query-results.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 59 KiB

13
windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
View File

@ -413,15 +413,10 @@
####### [Get user related machines](get-user-related-machines.md)
##### [How to use APIs - Samples]()
###### [Advanced Hunting API]()
####### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md)
####### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
####### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
####### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
###### [Multiple APIs]()
####### [PowerShell](exposed-apis-full-sample-powershell.md)
###### [Microsoft Flow](api-microsoft-flow.md)
###### [Power BI](api-power-bi.md)
###### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
###### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
###### [Using OData Queries](exposed-apis-odata-samples.md)
#### [API for custom alerts]()

2
windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
View File

@ -202,7 +202,7 @@ In general, if you know of a specific threat name, CVE, or KB, you can identify
## Related topic
- [**Beta** Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
- [Create custom Power BI reports](api-power-bi.md)

1
windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
View File

@ -147,4 +147,3 @@ If the 'roles' section in the token does not include the necessary permission:
- [Microsoft Defender ATP APIs](apis-intro.md)
- [Advanced Hunting from Portal](advanced-hunting.md)
- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)

92
windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md
View File

@ -1,92 +0,0 @@
---
title: Advanced Hunting API
ms.reviewer:
description: Use this API to run advanced queries
keywords: apis, supported apis, advanced hunting, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Schedule Advanced Hunting using Microsoft Flow
**Applies to:**
- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
[!include[Prerelease information](prerelease.md)]
Schedule advanced query.
## Before you begin
You first need to [create an app](apis-intro.md).
## Use case
A common scenario is scheduling an advanced query and using the results for follow up actions and processing.
In this section we share sample for this purpose using [Microsoft Flow](https://flow.microsoft.com/) (or [Logic Apps](https://azure.microsoft.com/services/logic-apps/)).
## Define a flow to run query and parse results
Use the following basic flow as an example.
1. Define the trigger Recurrence by time.
2. Add an action: Select HTTP.
![Image of MsFlow choose an action](images/ms-flow-choose-action.png)
- Set method to be POST
- Uri is https://api.securitycenter.windows.com/api/advancedqueries/run or one of the region specific locations
- US: https://api-us.securitycenter.windows.com/api/advancedqueries/run
- Europe: https://api-eu.securitycenter.windows.com/api/advancedqueries/run
- United Kingdom: https://api-uk.securitycenter.windows.com/api/advancedqueries/run
- Add the Header: Content-Type application/json
- In the body write your query surrounded by single quotation mark (')
- In the Advanced options select Authentication to be Active Directory OAuth
- Set the Tenant with proper AAD Tenant Id
- Audience is https://api.securitycenter.windows.com
- Client ID is your application ID
- Credential Type should be Secret
- Secret is the application secret generated in the Azure Active directory.
![Image of MsFlow define action](images/ms-flow-define-action.png)
3. You can use the "Parse JSON" action to get the schema of data just "use sample payload to generate schema" and copy an output from of the expected result.
![Image of MsFlow parse json](images/ms-flow-parse-json.png)
## Expand the flow to use the query results
The following section shows how to use the parsed results to insert them in SQL database.
This is an example only, you can use other actions supported by Microsoft Flow.
- Add an 'Apply to each' action
- Select the Results json (which was an output of the last parse action)
- Add an 'Insert row' action you will need to supply the connection details
- Select the table you want to update and define the mapping between the WD-ATP output to the SQL. Note it is possible to manipulate the data inside the flow. In the example I changed the type of the EventTime.
![Image of insert into DB](images/ms-flow-insert-db.png)
The output in the SQL DB is getting updates and can be used for correlation with other data sources. You can now read from your table:
![Image of select from DB](images/ms-flow-read-db.png)
## Full flow definition
You can find below the full definition
![Image of E2E flow](images/ms-flow-e2e.png)
## Related topic
- [Microsoft Defender ATP APIs](apis-intro.md)
- [Advanced Hunting API](run-advanced-query-api.md)
- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)

138
windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md
View File

@ -1,138 +0,0 @@
---
title: Advanced Hunting API
ms.reviewer:
description: Use this API to run advanced queries
keywords: apis, supported apis, advanced hunting, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Create custom reports using Power BI (app authentication)
Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
In this section we share Power BI query sample to run a query using **application token**.
If you want to use **user token** instead please refer to [this](run-advanced-query-sample-power-bi-user-token.md) tutorial.
>**Prerequisite**: You first need to [create an app](exposed-apis-create-app-webapp.md).
## Run a query
- Open Microsoft Power BI
- Click **Get Data** > **Blank Query**
![Image of create blank query](images/power-bi-create-blank-query.png)
- Click **Advanced Editor**
![Image of open advanced editor](images/power-bi-open-advanced-editor.png)
- Copy the below and paste it in the editor, after you update the values of TenantId, AppId, AppSecret, Query
```
let
TenantId = "00000000-0000-0000-0000-000000000000", // Paste your own tenant ID here
AppId = "11111111-1111-1111-1111-111111111111", // Paste your own app ID here
AppSecret = "22222222-2222-2222-2222-222222222222", // Paste your own app secret here
Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", // Paste your own query here
ResourceAppIdUrl = "https://api.securitycenter.windows.com",
OAuthUrl = Text.Combine({"https://login.windows.net/", TenantId, "/oauth2/token"}, ""),
Resource = Text.Combine({"resource", Uri.EscapeDataString(ResourceAppIdUrl)}, "="),
ClientId = Text.Combine({"client_id", AppId}, "="),
ClientSecret = Text.Combine({"client_secret", Uri.EscapeDataString(AppSecret)}, "="),
GrantType = Text.Combine({"grant_type", "client_credentials"}, "="),
Body = Text.Combine({Resource, ClientId, ClientSecret, GrantType}, "&"),
AuthResponse= Json.Document(Web.Contents(OAuthUrl, [Content=Text.ToBinary(Body)])),
AccessToken= AuthResponse[access_token],
Bearer = Text.Combine({"Bearer", AccessToken}, " "),
AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run",
Response = Json.Document(Web.Contents(
AdvancedHuntingUrl,
[
Headers = [#"Content-Type"="application/json", #"Accept"="application/json", #"Authorization"=Bearer],
Content=Json.FromValue([#"Query"=Query])
]
)),
TypeMap = #table(
{ "Type", "PowerBiType" },
{
{ "Double", Double.Type },
{ "Int64", Int64.Type },
{ "Int32", Int32.Type },
{ "Int16", Int16.Type },
{ "UInt64", Number.Type },
{ "UInt32", Number.Type },
{ "UInt16", Number.Type },
{ "Byte", Byte.Type },
{ "Single", Single.Type },
{ "Decimal", Decimal.Type },
{ "TimeSpan", Duration.Type },
{ "DateTime", DateTimeZone.Type },
{ "String", Text.Type },
{ "Boolean", Logical.Type },
{ "SByte", Logical.Type },
{ "Guid", Text.Type }
}),
Schema = Table.FromRecords(Response[Schema]),
TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
Results = Response[Results],
Rows = Table.FromRecords(Results, Schema[Name]),
Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
in Table
```
- Click **Done**
![Image of create advanced query](images/power-bi-create-advanced-query.png)
- Click **Edit Credentials**
![Image of edit credentials](images/power-bi-edit-credentials.png)
- Select **Anonymous** and click **Connect**
![Image of set credentials](images/power-bi-set-credentials-anonymous.png)
- Repeat the previous step for the second URL
- Click **Continue**
![Image of edit data privacy](images/power-bi-edit-data-privacy.png)
- Select the privacy level you want and click **Save**
![Image of set data privacy](images/power-bi-set-data-privacy.png)
- View the results of your query
![Image of query results](images/power-bi-query-results.png)
## Related topic
- [Create custom Power BI reports with user authentication](run-advanced-query-sample-power-bi-user-token.md)
- [Microsoft Defender ATP APIs](apis-intro.md)
- [Advanced Hunting API](run-advanced-query-api.md)
- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)

1
windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
View File

@ -117,4 +117,3 @@ $results | ConvertTo-Json | Set-Content file1.json
- [Microsoft Defender ATP APIs](apis-intro.md)
- [Advanced Hunting API](run-advanced-query-api.md)
- [Advanced Hunting using Python](run-advanced-query-sample-python.md)
- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)

3
windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
View File

@ -146,5 +146,4 @@ outputFile.close()
## Related topic
- [Microsoft Defender ATP APIs](apis-intro.md)
- [Advanced Hunting API](run-advanced-query-api.md)
- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)