deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-25 23:33:35 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into behav-block-contain

Browse Source
This commit is contained in:
Denise Vangel-MSFT
2020-05-22 13:01:36 -07:00
parent 911d85031e f6da42f067
commit bf8b6e968e
6 changed files with 50 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
windows/configuration/images/Shared_PC_1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

BIN
windows/configuration/images/Shared_PC_2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 156 KiB

BIN
windows/configuration/images/Shared_PC_3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 476 KiB

29
windows/configuration/set-up-shared-or-guest-pc.md
View File

@ -58,7 +58,7 @@ Apps can take advantage of shared PC mode with the following three APIs:
### Customization
Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring shared PC mode on Windows](#configuring-shared-pc-mode-on-windows). The options are listed in the following table.
Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring Shared PC mode for Windows](#configuring-shared-pc-mode-for-windows). The options are listed in the following table.
| Setting | Value |
|:---|:---|
@ -80,16 +80,33 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
[Policies: Authentication](wcd/wcd-policies.md#authentication) (optional related setting) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts.
## Configuring Shared PC mode for Windows
## Configuring shared PC mode on Windows
You can configure Windows to be in shared PC mode in a couple different ways:
- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx). Your MDM policy can contain any of the options listed in the [Customization](#customization) section. The following image shows a Microsoft Intune policy with the shared PC options added as OMA-URI settings. [Learn more about Windows 10 policy settings in Microsoft Intune.](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune)
![custom OMA-URI policy in Intune](images/oma-uri-shared-pc.png)
- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps:
- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in Windows Configuration Designer as **SharedPC**.
1. Go to the [Microsoft Endpoint Manager portal](https://endpoint.microsoft.com/#home).
2. Select **Devices** from the navigation.
3. Under **Policy**, select **Configuration profiles**.
4. Select **Create profile**.
5. From the **Platform** menu, select **Windows 10 and later**.
6. From the **Profile** menu, select **Shared multi-user device**.
![Shared PC settings in ICD](images/icd-adv-shared-pc.png)
![custom OMA-URI policy in Intune](images/Shared_PC_1.png)
7. Select **Create**.
8. Enter a name for the policy (e.g. My Win10 Shared devices policy). You can optionally add a description should you wish to do so.
9. Select **Next**.
10. On the **Configuration settings** page, set the Shared PC Mode value to **Enabled**.
![Shared PC settings in ICD](images/Shared_PC_3.png)
11. From this point on, you can configure any additional settings youd like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**.
- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.
![Shared PC settings in ICD](images/icd-adv-shared-pc.PNG)
- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:

2
windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
View File

@ -74,7 +74,7 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Microsoft Remote Desktop
> [!NOTE]
> Microsoft Visio, Microsoft Office Access and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining.
> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
## List of WIP-work only apps from Microsoft
Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions.

115
windows/security/threat-protection/microsoft-defender-atp/onboarding.md
View File

@ -179,108 +179,45 @@ Follow the steps below to identify the Microsoft Defender ATP Workspace ID and W
3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the deployment method, this step may have already been completed.
4. Install the Microsoft Monitoring Agent (MMA). <br>
MMA is currently (as of January 2019) supported on the following Windows Operating
Systems:
Edit the InstallMMA.cmd with a text editor, such as notepad and update the
following lines and save the file:
- Server SKUs: Windows Server 2008 SP1 or Newer
![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png)
- Client SKUs: Windows 7 SP1 and later
Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file:
The MMA agent will need to be installed on Windows devices. To install the
agent, some systems will need to download the [Update for customer experience
and diagnostic
telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
in order to collect the data with MMA. These system versions include but may not
be limited to:
![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png)
- Windows 8.1
Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating
Systems:
- Windows 7
- Server SKUs: Windows Server 2008 SP1 or Newer
- Windows Server 2016
- Client SKUs: Windows 7 SP1 and later
- Windows Server 2012 R2
The MMA agent will need to be installed on Windows devices. To install the
agent, some systems will need to download the [Update for customer experience
and diagnostic
telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
in order to collect the data with MMA. These system versions include but may not
be limited to:
- Windows Server 2008 R2
- Windows 8.1
Specifically, for Windows 7 SP1, the following patches must be installed:
- Windows 7
- Install
[KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
- Windows Server 2016
- Install either [.NET Framework
4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
later) **or**
[KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
Do not install both on the same system.
- Windows Server 2012 R2
5. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
- Windows Server 2008 R2
Specifically, for Windows 7 SP1, the following patches must be installed:
- Install
[KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
- Install either [.NET Framework
4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
later) **or**
[KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
Do not install both on the same system.
To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps
below to utilize the provided batch files to onboard the systems. The CMD file
when executed, will require the system to copy files from a network share by the
System, the System will install MMA, Install the DependencyAgent, and configure
MMA for enrollment into the workspace.
1. In Microsoft Endpoint Configuration Manager console, navigate to **Software
Library**.
2. Expand **Application Management**.
3. Right-click **Packages** then select **Create Package**.
4. Provide a Name for the package, then click **Next**
![Image of Microsoft Endpoint Configuration Manager console](images/e156a7ef87ea6472d57a3dc594bf08c2.png)
5. Verify **Standard Program** is selected.
![Image of Microsoft Endpoint Configuration Manager console](images/227f249bcb6e7f29c4d43aa1ffaccd20.png)
6. Click **Next**.
![Image of Microsoft Endpoint Configuration Manager console](images/2c7f9d05a2ebd19607cc76b6933b945b.png)
7. Enter a program name.
8. Browse to the location of the InstallMMA.cmd.
9. Set Run to **Hidden**.
10. Set **Program can run** to **Whether or not a user is logged on**.
11. Click **Next**.
12. Set the **Maximum allowed run time** to 720.
13. Click **Next**.
![Image of Microsoft Endpoint Configuration Manager console](images/262a41839704d6da2bbd72ed6b4a826a.png)
14. Verify the configuration, then click **Next**.
![Image of Microsoft Endpoint Configuration Manager console](images/a9d3cd78aa5ca90d3c2fbd2e57618faf.png)
15. Click **Next**.
16. Click **Close**.
17. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP
Onboarding Package just created and select **Deploy**.
18. On the right panel select the appropriate collection.
19. Click **OK**.
Once completed, you should see onboarded endpoints in the portal within an hour.
## Next generation protection
Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.