Greg Lindsay 2020-04-09 17:37:26 -07:00
commit c0e23ee45d
157 changed files with 1633 additions and 915 deletions

View File

@ -1502,6 +1502,11 @@
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview",
"redirect_document_id": true
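Review bot: the two new entries treat sibling pages differently. information-protection-in-windows-overview.md is redirected to its renamed microsoft-defender-atp path with `"redirect_document_id": true`, which is right for a straight move, but information-protection-in-windows-config.md is sent to the product landing page `.../microsoft-defender-advanced-threat-protection` with `"redirect_document_id": false`. If the configuration content was folded into the overview topic, point the config redirect at that overview URL instead, so readers land on the retained material rather than the top-level page.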

View File

@ -65,7 +65,6 @@
## [Frequently asked security questions](hololens-faq-security.md)
## [Status of the HoloLens services](hololens-status.md)
## [Get support](https://support.microsoft.com/supportforbusiness/productselection?sapid=3ec35c62-022f-466b-3a1e-dbbb7b9a55fb)
## [SCEP whitepaper](scep-whitepaper.md)
# [HoloLens release notes](hololens-release-notes.md)
# [Give us feedback](hololens-feedback.md)
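Review bot: dropping the `## [SCEP whitepaper](scep-whitepaper.md)` TOC entry is required once the page is deleted, but no redirect for scep-whitepaper.md appears in this commit's redirection hunk, so existing bookmarks and external links to the whitepaper will 404 after publish. Add an entry to the redirection file (pointing at the HoloLens security FAQ or the Intune SCEP connector documentation) alongside the TOC removal.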

View File

@ -30,7 +30,7 @@ This article teaches you how to control HoloLens and your holographic world with
## Built-in voice commands
Get around HoloLens faster with these basic commands. In order to use these you need to enable Speech during first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of Start menu.
Get around HoloLens faster with these basic commands. In order to use these, you need to enable Speech during the first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of the Start menu. For the best speech recognition results, HoloLens 2 uses the Microsoft cloud-based services. However, you can use Settings to disable this feature. To do this, in Settings, turn off **Online speech recognition**. After you change this setting, HoloLens 2 will only process voice data locally to recognize commands and dictation, and Cortana will not be available.
### General speech commands
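Review bot: the added text buries a privacy-relevant default in one long paragraph: HoloLens 2 sends voice data to Microsoft cloud-based services unless the user turns off `Online speech recognition`, and the opt-out also removes Cortana. Split that into its own short paragraph or a `>[!NOTE]` block, state up front that it applies to HoloLens 2 only (the rest of the section speaks of HoloLens generally), and drop the article in "the Microsoft cloud-based services".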

View File

@ -73,8 +73,6 @@ appliesto:
1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client.
1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices.
1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?**
1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities.
## HoloLens 2nd Gen Security Questions
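Review bot: removing the "SCEP is vulnerable" question leaves the remaining answer referring to a "challenge string" with no statement of how the known SCEP challenge-password weakness is handled. Replace the deleted item with a one-sentence answer (the challenge is generated by Intune, encrypted and signed, and validated by the Intune policy module on the NDES server before a certificate is issued) or a link to the Intune SCEP certificate documentation, rather than dropping the question outright.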
@ -125,5 +123,3 @@ appliesto:
1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client.
1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices.
1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?**
1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities.
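Review bot: this hunk is a verbatim copy of the 1st Gen block above, down to the answer that already reads "HoloLens (1st Gen and 2nd Gen)", so the same comment applies here. Since the two sections carry identical Q&A text, consider collapsing them into one shared section (or an include) so that edits like this one do not have to be made twice and the copies cannot drift apart.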

View File

@ -1,80 +0,0 @@
---
title: SCEP Whitepaper
description: A whitepaper that describes how Microsoft mitigates the vulnerabilities of SCEP.
ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b
author: pawinfie
ms.author: pawinfie
ms.date: 02/12/2020
keywords: hololens, Windows Mixed Reality, security
ms.prod: hololens
ms.sitesec: library
ms.topic: article
audience: ITPro
ms.localizationpriority: high
ms.custom:
- CI 111456
- CSSTroubleshooting
appliesto:
- HoloLens 1 (1st gen)
- HoloLens 2
---
# SCEP whitepaper
## High Level
### How the SCEP Challenge PW is secured
We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information we've configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes.
We then pass that to the device and then the device generates it's CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert. If any portion of this check fails then the certificate request is rejected.
## Behind the scenes
### Intune Connector has a number of responsibilities
1. The connector is SCEP policy module which contains a "Certification Registration Point" component which interacts with the Intune service, and is responsible for validating, and securing the SCEP request coming into the NDES server.
1. The connector will install an App Pool on the NDES IIS server > Microsoft Intune CRP service Pool, and a CertificateRegistrationSvc under the "Default Web Site" on IIS.
1. **When the Intune NDES connector is first configured/setup on the NDES server, a certificate is issued from the Intune cloud service to the NDES server. This cert is used to securely communicate with the Intune cloud service - customer tenant. The cert is unique to the customers NDES server. Can be viewed in Certlm.msc issued by SC_Online_Issuing. This certs Public key is used by Intune in the cloud to encrypt the challenge blob. In addition, when the connector is configured, Intune's public key is sent to the NDES server.**
>[!NOTE]
>The connector communication with Intune is strictly outbound traffic.
1. The Intune cloud service combined with the Intune connector/policy module addresses the SCEP protocol challenge password weakness (in the SCEP protocol) by generating a custom challenge. The challenge is generated in Intune itself.
1. In the challenge blob, Intune puts information that we expect in the cert request (CSR - Certificate Signing Request) coming from a mobile device like the following: what we expect the Subject and SAN (validated against AAD attributes/properties of the user/device) to be, and specifics contained in the Intune SCEP profile that is created by an Intune admin, i.e., Request Handling, EKU, Renewal, validity period, key size, renewal period.
>[!NOTE]
>The Challenge blob is Encrypted with the Connectors Public Key, and Signed with Intune's (cloud service) Private Key. The device cannot decrypt the challenge
1. When an Intune admin creates a SCEP profile in their tenant, Intune will send the SCEP profile payload along with the Encrypted and Signed Challenge to the targeted device. The device generates a CSR, and reaches out to NDES URL (contained in the SCEP profile). The device cert request payload contains the CSR, and the encrypted, signed challenge blob.
1. When the device reaches out to the NDES server (via the NDES/SCEP URL provided in the SCEP Profile payload), the SCEP cert request validation is performed by the policy module running on the NDES server. The challenge signature is verified using Intune's public key (which is on the NDES server, when the connector was installed and configured) and decrypted using the connectors private key. The policy module compares the CSR details against the decrypted challenge and determines if a cert should be issued. If the CSR passes validation, the NDES server requests a certificate from the CA on behalf of the user/device.
>[!NOTE]
>The above process takes place on the NDES server running the Policy Module. No interaction with the Intune cloud service takes place.
1. The NDES connector notification/reporting of cert delivery takes place after NDES sends the issued cert to the device. This is performed as a separate operation outside the cert request flow. Meaning that once NDES sends the cert to the device via the AAD app proxy (or other publishing firewall/proxy, a log is written with the cert delivery details on the NDES server by the connector (file location \Program Files\Microsoft Intune\CertificateRequestStatus\Succeed\ folder. The connector will look here, and send updates to Intune.
1. The mobile device must be enrolled in Intune. If not, we reject the request as well
1. The Intune connector disables the standard NDES challenge password request URL on the NDES server.
1. The NDES server SCEP URI in most customer deployments is made available to the internet via Azure App Proxy, or an on-prem reverse proxy, i.e. F5.
>[!NOTE]
>The Azure App Proxy is an outbound-only connection over Port 443, from the customers onprem network where the App Proxy connector is running on a server. The AAD app proxy can also be hosted on the NDES server. No inbound ports required when using Azure App Proxy.
1. The mobile device talks only to the NDES URI
1. Side note: AAD app proxy's role is to make onprem resources (like NDES and other customer onprem web services) securely available to the internet.
1. The Intune connector must communicate with the Intune cloud service. The connector communication will not go through the Azure App Proxy. The connector will talk with the Intune cloud service via whatever mechanism a customer has onprem to allow outbound traffic to the internet, i.e. Internal proxy service.
>[!NOTE]
> if a proxy is used by the customer, no SSL packet inspection can take place for the NDES/Connector server going out.
1. Connector traffic with Intune cloud service consists of the following operations:
1. 1st time configuration of the connector: Authentication to AAD during the initial connector setup.
1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors' SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won't be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet.
1. [Here](https://docs.microsoft.com/intune/intune-endpoints#microsoft-intune-certificate-connector) is a reference for Intune NDES connector network communications.
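Review bot: deleting the whole file removes the only place in this doc set that describes the custom challenge flow (challenge generated by Intune, encrypted with the connector's public key and signed with Intune's private key, signature verified and blob decrypted by the policy module on the NDES server, CSR compared against the challenge before issuance) together with operational requirements such as the note that no SSL packet inspection can take place on the connector's outbound traffic. If this material is moving to the Intune documentation linked in the last item, say so in the commit and link the FAQ there; if not, relocate at least the "High Level" section into the FAQ before deleting the page.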

View File

@ -25,17 +25,17 @@ highlightedContent:
# itemType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
items:
# Card
- title: What is Surface Hub 2S?
itemType: overview
url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Behind-the-design-Surface-Hub-2S/ba-p/464099
- title: What's new in Surface Hub 2S?
itemType: whats-new
url: surface-hub-2s-whats-new.md
# Card
- title: Surface Hub security overview
itemType: learn
url: surface-hub-security.md
# Card
- title: What's new in Surface Hub 2S?
itemType: whats-new
url: surface-hub-2s-whats-new.md
# Card
- title: Manage Surface Hub 2S with Intune
itemType: how-to-guide
url: surface-hub-2s-manage-intune.md
# Card
- title: Operating system essentials
itemType: learn
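Review bot: moving the security overview card into the second slot is fine, but its `itemType: learn` does not fit an overview page; the allowed list on the comment line includes `overview` and `concept`, and the first card already uses `overview` for the same kind of content. Change it to `overview` so the card icon and filtering stay consistent.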

View File

@ -18,7 +18,7 @@ ms.localizationpriority: medium
Surface Hub and other Windows 10 devices allow IT administrators to manage settings and policies using a mobile device management (MDM) provider. A built-in management component communicates with the management server, so there is no need to install additional clients on the device. For more information, see [Windows 10 mobile device management](https://msdn.microsoft.com/library/windows/hardware/dn914769.aspx).
Surface Hub has been validated with Microsofts first-party MDM providers:
Surface Hub has been validated with Microsoft's first-party MDM providers:
- Microsoft Intune standalone
- On-premises MDM with Microsoft Endpoint Configuration Manager
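Review bot: the apostrophe fix is fine; while this paragraph is being touched, the `https://msdn.microsoft.com/library/windows/hardware/dn914769.aspx` reference is a legacy MSDN URL that only works through the MSDN redirect, and the same host is used for the CSP references in the tables below. Consider updating it to the current docs.microsoft.com location of the Windows 10 MDM topic here or in a follow-up change.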
@ -65,25 +65,25 @@ For more information, see [SurfaceHub configuration service provider](https://ms
| Maintenance hours | MaintenanceHoursSimple/Hours/StartTime <br> MaintenanceHoursSimple/Hours/Duration | Yes | Yes | Yes |
| Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes |
| Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes |
| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID <br> MOMAgent/WorkspaceKey | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Friendly name for wireless projection | Properties/FriendlyName | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID <br> MOMAgent/WorkspaceKey | Yes | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager | Yes |
| Friendly name for wireless projection | Properties/FriendlyName | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Device account, including password rotation | DeviceAccount/*`<name_of_policy>`* <br> See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes |
| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Set default volume | Properties/DefaultVolume | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Set screen timeout | Properties/ScreenTimeout | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Set session timeout | Properties/SessionTimeout | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Set sleep timeout | Properties/SleepTimeout | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes </br> | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes </br> | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Set default volume | Properties/DefaultVolume | Yes </br> | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Set screen timeout | Properties/ScreenTimeout | Yes </br> | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Set session timeout | Properties/SessionTimeout | Yes </br> | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Set sleep timeout | Properties/SleepTimeout | Yes </br> | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes </br> | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes </br> | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes </br> | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes </br> | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
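Review bot: the `Meeting information displayed on the welcome screen` row is missing the closing parenthesis on its link, `[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager | Yes |`, so the markdown link will not render and the cell delimiter is swallowed into the link target; add the `)` before ` | Yes |`. Separately, the new anchors are derived from the full heading text, so they will silently break if either heading is reworded; a reference-style link definition at the bottom of the page (for example `[sccm-example]: #example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager`) would make the repeated targets one line to maintain.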
@ -97,12 +97,12 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
|--------------------|------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. <br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. <br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. <br> . | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. <br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. <br> | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. <br> | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. <br> . | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. <br> | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
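Review bot: the `Allow location` row keeps a stray `Yes. <br> .` in the Intune column (a lone period after the line break) that this rewrite of the same cells could have cleaned up; make it `Yes. <br>` like the neighbouring rows. The anchor rename itself is consistent with the previous hunk.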
@ -110,15 +110,15 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
|-----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow Windows Defender SmartScreen | Keep this enabled to turn on Windows Defender SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Prevent ignoring Windows Defender SmartScreen warnings for websites | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Prevent ignoring Windows Defender SmartScreen warnings for files | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Allow Windows Defender SmartScreen | Keep this enabled to turn on Windows Defender SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Prevent ignoring Windows Defender SmartScreen warnings for websites | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Prevent ignoring Windows Defender SmartScreen warnings for files | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@ -126,13 +126,13 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
|---------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Defer feature updates | See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Configure device to use WSUS | Use to connect your Surface Hub to WSUS instead of Windows Update see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Defer feature updates | See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Configure device to use WSUS | Use to connect your Surface Hub to WSUS instead of Windows Update see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
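Review bot: the CSP reference in the "Defer feature updates" row still reads `Update/ DeferFeatureUpdatesPeriodInDays` with a stray space after the slash, which does not match the node name used in the link anchor (`Update_DeferFeatureUpdatesPeriodInDays`) or the other rows. Since this row is being rewritten for the anchor change anyway, drop the space so the text can be copied as a valid OMA-URI segment: `Update/DeferFeatureUpdatesPeriodInDays`.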
@ -140,7 +140,7 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
|-------------------|----------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Defender status | Use to initiate a Defender scan, force a Security intelligence update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | Yes | Yes | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@ -150,8 +150,8 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
|------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
| Reboot the device immediately | Use in conjunction with OMS to minimize support costs see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes | No | Yes |
| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@ -180,7 +180,7 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
|------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@ -188,7 +188,7 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
|-------------------|---------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@ -196,12 +196,12 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
### Generate OMA URIs for settings
You need to use a settings OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager.
You need to use a setting's OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager.
**To generate the OMA URI for any setting in the CSP documentation**
1. In the CSP documentation, identify the root node of the CSP. Generally, this looks like `./Vendor/MSFT/<name of CSP>` <br>
@ -217,15 +217,13 @@ The data type is also stated in the CSP documentation. The most common data type
- bool (Boolean)
<span id="example-intune">
## Example: Manage Surface Hub settings with Microsoft Intune
You can use Microsoft Intune to manage Surface Hub settings. For custom settings, follow the instructions in [How to configure custom device settings in Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-configure). For **Platform**, select **Windows 10 and later**, and in **Profile type**, select **Device restrictions (Windows 10 Team)**.
<span id="example-sccm">
## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager
## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager
Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs.
> [!NOTE]
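Review bot: dropping the `<span id="example-intune">` and `<span id="example-sccm">` anchors is correct (neither span was ever closed, and the tables now link to the heading-generated ids), but check that no other page in the repo still links to `#example-intune` or `#example-sccm`, because those fragments no longer resolve after this change. Removing the duplicated Configuration Manager heading is also right. One point on the unchanged Intune paragraph in this hunk: it points readers to the custom device settings article and then tells them to choose profile type **Device restrictions (Windows 10 Team)**. Custom OMA-URI settings are created under the **Custom** profile type; Device restrictions (Windows 10 Team) only exposes the predefined Surface Hub settings. The paragraph should say which profile type applies to which case so readers do not go looking for an OMA-URI field in the wrong profile.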
@ -238,26 +236,26 @@ Configuration Manager supports managing modern devices that do not require the C
3. On the **General** page of the Create Configuration Item Wizard, specify a name and optional description for the configuration item.
4. Under **Settings for devices managed without the Configuration Manager client**, select **Windows 8.1 and Windows 10**, and then click **Next**.
![example of UI](images/sccm-create.png)
![example of UI](images/configmgr-create.png)
5. On the **Supported Platforms** page, expand **Windows 10** and select **All Windows 10 Team and higher**. Unselect the other Windows platforms, and then click **Next**.
![select platform](images/sccm-platform.png)
![select platform](images/configmgr-platform.png)
7. On the **Device Settings** page, under **Device settings groups**, select **Windows 10 Team**.
8. On the **Windows 10 Team** page, configure the settings you require.
![Windows 10 Team](images/sccm-team.png)
![Windows 10 Team](images/configmgr-team.png)
9. You'll need to create custom settings to manage settings that are not available in the Windows 10 Team page. On the **Device Settings** page, select the check box **Configure additional settings that are not in the default setting groups**.
![additional settings](images/sccm-additional.png)
![additional settings](images/configmgr-additional.png)
10. On the **Additional Settings** page, click **Add**.
11. In the **Browse Settings** dialog, click **Create Setting**.
12. In the **Create Setting** dialog, under the **General** tab, specify a name and optional description for the custom setting.
13. Under **Setting type**, select **OMA URI**.
14. Complete the form to create a new setting, and then click **OK**.
![OMA URI setting](images/sccm-oma-uri.png)
![OMA URI setting](images/configmgr-oma-uri.png)
15. On the **Browse Settings** dialog, under **Available settings**, select the new setting you created, and then click **Select**.
16. On the **Create Rule** dialog, complete the form to specify a rule for the setting, and then click **OK**.
17. Repeat steps 9 to 15 for each custom setting you want to add to the configuration item.
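Review bot: the image references change from `images/sccm-*.png` to `images/configmgr-*.png` in this hunk, so the five PNG files must be renamed in the same commit or these become broken images on publish; please confirm the renames are included. While this list is being touched, two numbering problems are worth fixing: the steps jump from 5 to 7 (there is no step 6), and step 17 says "Repeat steps 9 to 15" although step 9 (ticking the additional-settings box) is done once and the per-setting sequence actually runs from step 10 (**Add**) through step 16 (**Create Rule**).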

View File

@ -24,17 +24,18 @@ additionalContent:
- title: For IT Professionals # < 60 chars (optional)
items:
# Card
- title: Surface devices
- title: Surface devices documentation
summary: Harness the power of Surface, Windows, and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface devices in your organization.
url: https://docs.microsoft.com/en-us/surface/get-started
# Card
- title: Surface Hub
summary: Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device that brings the power of Windows 10 to team collaboration. Learn how to plan, deploy, manage, and support your Surface Hub devices.
- title: Surface Hub documentation
summary: Learn how to deploy and manage Surface Hub 2S, the all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device.
url: https://docs.microsoft.com/surface-hub/index
# Card
- title: Surface for Business
summary: Explore how Surface devices are transforming the modern workplace with people-centric design and flexible form factors, helping you get the most out of AI, big data, the cloud, and other foundational technologies.
url: https://www.microsoft.com/surface/business
# Card
- title: Surface Hub adoption guidance
summary: Get best practices for technical readiness and adoption across your lines of business.
url: https://docs.microsoft.com/surface-hub/surface-hub-2s-adoption-kit
- title: Other resources # < 60 chars (optional)
items:
# Card
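Review bot: the new "Surface devices documentation" card keeps the URL `https://docs.microsoft.com/en-us/surface/get-started` with an embedded `en-us` locale, while every other `url:` in this file is locale-neutral (for example `https://docs.microsoft.com/surface-hub/index`). Drop `/en-us` so localized versions of the hub page are not forced to the English article. Moving the adoption kit into its own card is fine, as long as the duplicate link under "Other resources" is removed in the same commit (it is, below).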
@ -51,8 +52,7 @@ additionalContent:
url: https://docs.microsoft.com/learn/browse/?term=Surface
- text: Microsoft Mechanics Surface videos
url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ
- text: Surface Hub 2S adoption and training
url: https://docs.microsoft.com/surface-hub/surface-hub-2s-adoption-kit
# Card
- title: Need help?
links:
@ -60,3 +60,5 @@ additionalContent:
url: https://support.microsoft.com/products/surface-devices
- text: Surface Hub
url: https://support.microsoft.com/hub/4343507/surface-hub-help
- text: Contact Surface Hub Support
url: https://support.microsoft.com/supportforbusiness/productselection?sapId=bb7066fb-e329-c1c0-9c13-8e9949c6a64e

View File

@ -1,5 +1,5 @@
---
title: Microsoft Surface Dock Firmware Update
title: Microsoft Surface Dock Firmware Update - Technical information for IT administrators
description: This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
ms.localizationpriority: medium
ms.prod: w10
@ -12,22 +12,31 @@ ms.reviewer: scottmca
manager: dansimp
ms.audience: itpro
---
# Microsoft Surface Dock Firmware Update
This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
Microsoft Surface Dock Firmware Update supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. It was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number). The earlier tool is no longer available for download and should not be used.
# Microsoft Surface Dock Firmware Update: Technical information for IT administrators
> [!IMPORTANT]
>Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version.
> This article contains technical instructions for IT administrators. If you are a home user, please see [How to update your Surface Dock Firmware](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock)on the Microsoft Support site. The instructions at the support site are the same as the general installation steps below, but this article has additional information for monitoring, verifying, and deploying the update to multiple devices on a network.
This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
This tool supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. The earlier tool was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number) and is no longer available for download and should not be used.
## Install the Surface Dock Firmware Update
This section describes how to manually install the firmware update.
> [!NOTE]
> Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version.
1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703).
- The update requires a Surface device running Windows 10, version 1803 or later.
- Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update.
2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted.
## Monitor the Surface Dock Firmware Update
This section is optional and provides an overview of how to monitor installation of the firmware update. When you are ready to install the update, see [Install the Surface Dock Firmware Update](#install-the-surface-dock-firmware-update) below. For more detailed information about monitoring the update process, see the following sections in this article:
- [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update)
- [Event logging](#event-logging)
- [Troubleshooting tips](#troubleshooting-tips)
- [Versions reference](#versions-reference)
This section is optional and provides an overview of how to monitor installation of the firmware update.
To monitor the update:
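Review bot: in the new IMPORTANT callout the link and the following words run together: `...surface-dock)on the Microsoft Support site` needs a space after the closing parenthesis, otherwise the rendered text reads "Dock Firmwareon the Microsoft Support site". Moving the install steps above the monitoring section is a sensible reorder, but it changes which section is "next"; the monitoring steps that still refer to the install section by position need the same pass (see the following hunk).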
@ -39,7 +48,6 @@ To monitor the update:
Reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters"
```
3. Install the update as described in the [next section](#install-the-surface-dock-firmware-update) of this article.
4. Event 2007 with the following text indicates a successful update: **Firmware update finished. hr=0 DriverTelementry EventCode = 2007**.
- If the update is not successful, then event ID 2007 will be displayed as an **Error** event rather than **Information**. Additionally, the version reported in the Windows Registry will not be current.
5. When the update is complete, updated DWORD values will be displayed in the Windows Registry, corresponding to the current version of the tool. See the [Versions reference](#versions-reference) section in this article for details. For example:
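Review bot: step 3 still says "Install the update as described in the next section of this article", but this commit moves the Install section above the Monitor section, so "next" is now wrong even though the anchor link itself still works. Refer to the section by name ("as described in Install the Surface Dock Firmware Update") rather than by position, so the wording does not go stale if the sections are reordered again.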
@ -49,15 +57,11 @@ To monitor the update:
>[!TIP]
>If you see "The description for Event ID xxxx from source SurfaceDockFwUpdate cannot be found" in event text, this is expected and can be ignored.
## Install the Surface Dock Firmware Update
This section describes how to install the firmware update.
1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703).
- The update requires a Surface device running Windows 10, version 1803 or later.
- Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update.
2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted.
Also see the following sections in this article:
- [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update)
- [Event logging](#event-logging)
- [Troubleshooting tips](#troubleshooting-tips)
- [Versions reference](#versions-reference)
## Network deployment

View File

@ -51,12 +51,15 @@ The following table lists the SQL Server versions that the App-V Management data
|SQL Server version|Service pack|System architecture|
|---|---|---|
|Microsoft SQL Server 2019||32-bit or 64-bit|
|Microsoft SQL Server 2017||32-bit or 64-bit|
|Microsoft SQL Server 2016|SP2|32-bit or 64-bit|
|Microsoft SQL Server 2014||32-bit or 64-bit|
|Microsoft SQL Server 2012|SP2|32-bit or 64-bit|
|Microsoft SQL Server 2008 R2|SP3|32-bit or 64-bit|
For more information on user configuration files with SQL server 2016 or later, see the [support article](https://support.microsoft.com/help/4548751/app-v-server-publishing-might-fail-when-you-apply-user-configuration-f).
### Publishing server operating system requirements
The App-V Publishing server can be installed on a server that runs Windows Server 2008 R2 with SP1 or later.
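Review bot: the added sentence writes "SQL server 2016" with a lowercase "server" while the table above uses "SQL Server"; also give the link text a description of the problem it covers (publishing failures when user configuration files are applied) instead of the generic "support article". A separate check while the table is being extended with SQL Server 2019: it still lists SQL Server 2008 R2 SP3, which left extended support in July 2019 and no longer receives security updates; either drop that row or mark it as unsupported so readers do not stand up the Management database on a platform that cannot be patched.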

View File

@ -61,7 +61,7 @@ If you can log on while the problem is occurring, you can use the Microsoft Sysi
2. Select **Start**, and then select **Command Prompt**.
3. At the command line, run the following command:
```cmd
```console
notMyfault.exe /crash
```
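Review bot: switching the fence from `cmd` to `console` is fine, but step 2 ("Select **Start**, and then select **Command Prompt**") should tell the reader to open the Command Prompt as administrator. NotMyFault triggers the crash by loading its kernel driver, which fails from a non-elevated prompt, so the `notMyfault.exe /crash` step as written will not reproduce the dump on a standard user session.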
@ -80,6 +80,7 @@ To do this, follow these steps:
> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
1. In Registry Editor, locate the following registry subkey:
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl**
2. Right-click **CrashControl**, point to **New**, and then click **DWORD Value**.

View File

@ -9,7 +9,6 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: lomayor
ms.date: 09/05/2017
---
# Azure Active Directory integration with MDM
@ -37,7 +36,8 @@ Windows 10 introduces a new way to configure and deploy corporate owned Windows
Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device will not be joined to Azure AD.
> **Important**  Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license.
> [!IMPORTANT]
> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license.
### BYOD scenario
@ -60,7 +60,8 @@ For Azure AD enrollment to work for an Active Directory Federated Services (AD F
Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar.
> **Note**  Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
> [!NOTE]
> Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
### MDM endpoints involved in Azure AD integrated enrollment
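Review bot: the context line just above the new callout still reads "the enrollment can be manages through" and "Device management of either ... are similar"; since this hunk is already rewriting the paragraph's note, fix "manages" to "managed" and "are similar" to "is similar" in the same change.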
@ -80,7 +81,7 @@ To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use
<a href="" id="terms-of-use-endpoint-"></a>**Terms of Use endpoint**
Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting users consent before the actual enrollment phase begins.
Its important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g. users in certain geographies may be subject to stricter device management policies).
Its important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g., users in certain geographies may be subject to stricter device management policies).
The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. Its not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
@ -103,7 +104,8 @@ A cloud-based MDM is a SaaS application that provides device management capabili
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661).
> **Note**  For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
> [!NOTE]
> For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
The keys used by the MDM application to request access tokens from Azure AD are managed within the tenant of the MDM vendor and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, regardless of the customer tenent to which the device being managed belongs.
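Review bot: the new `[!NOTE]` line carries the misspelling "tentant" over from the line it replaces, and the following context line has "tenent"; both should be "tenant". Converting to callout syntax is the right move, but a line that is being rewritten anyway should not keep its typo.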
@ -136,7 +138,7 @@ For more information about how to register a sample application with Azure AD, s
An on-premises MDM application is inherently different that a cloud MDM. It is a single-tenant application that is present uniquely within the tenant of the customer. Therefore, customers must add the application directly within their own tenant. Additionally, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD.
The customer experience for adding an on-premises MDM to their tenant is similar to that as the cloud-based MDM. There is an entry in the Azure AD app gallery to add an on-premises MDN to the tenant and administrators can configure the required URLs for enrollment and Terms of Use.
To add an on-premises MDM application to the tenant, there is an entry under the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use.
Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
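Review bot: "inherently different that a cloud MDM" on the first context line should be "different from" (or "than"). The rewritten sentence about adding the on-premises application is clearer than the one it replaces. Since the next paragraph tells administrators to enter the application's key into the MDM product and that key is what the product uses to request tokens from Azure AD, one sentence noting that this key is a credential and must be stored as one would be worth adding here.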
@ -236,7 +238,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is
<thead>
<tr class="header">
<th>CXH-HOST (HTTP HEADER)</th>
<th>Senario</th>
<th>Scenario</th>
<th>Background Theme</th>
<th>WinJS</th>
<th>Scenario CSS</th>
@ -343,14 +345,14 @@ The following claims are expected in the access token passed by Windows to the T
</tbody>
</table>
&gt; <strong>Note</strong> There is no device ID claim in the access token because the device may not yet be enrolled at this time.
> [!NOTE]
> There is no device ID claim in the access token because the device may not yet be enrolled at this time.
To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654).
Here's an example URL.
``` syntax
```console
https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
Authorization: Bearer eyJ0eXAiOi
```
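Review bot: `console` is a poor label for an HTTP request sample; `http` would highlight it correctly, and the same applies to the other request and response samples converted in this file. More importantly, the table above lists the claims "expected in the access token passed by Windows" and the sample shows that token arriving as `Authorization: Bearer ...`, but nothing here says the Terms of Use endpoint must validate that token (signature against Azure AD's published signing keys, issuer, audience, expiry) before trusting those claims or acting on the supplied `redirect_uri`; a sentence to that effect belongs next to this sample.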
@ -390,7 +392,7 @@ If an error was encountered during the terms of use processing, the MDM can retu
Here is the URL format:
``` syntax
```console
HTTP/1.1 302
Location:
<redirect_uri>?error=access_denied&error_description=Access%20is%20denied%2E
@ -426,7 +428,7 @@ The following table shows the error codes.
<td style="vertical-align:top"><p>unsupported version</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Tenant or user data are missingor other required prerequisites for device enrollment are not met</p></td>
<td style="vertical-align:top"><p>Tenant or user data are missing or other required prerequisites for device enrollment are not met</p></td>
<td style="vertical-align:top"><p>302</p></td>
<td style="vertical-align:top"><p>unauthorized_client</p></td>
<td style="vertical-align:top"><p>unauthorized user or tenant</p></td>
@ -601,7 +603,7 @@ In this scenario, the MDM enrollment applies to a single user who initially adde
<a href="" id="evaluating-azure-ad-user-tokens"></a>**Evaluating Azure AD user tokens**
The Azure AD token is in the HTTP Authorization header in the following format:
``` syntax
```console
Authorization:Bearer <Azure AD User Token Inserted here>
```
@ -621,7 +623,7 @@ Access token issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is
An alert is sent when the DM session starts and there is an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example:
``` syntax
```xml
Alert Type: com.microsoft/MDM/AADUserToken
Alert sample:
@ -636,7 +638,7 @@ Alert sample:
<Data>UserToken inserted here</Data>
</Item>
</Alert>
… other xml tags …
… other XML tags …
</SyncBody>
```
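Review bot: retagging this block as `xml` is wrong as it stands: the block opens with the prose lines "Alert Type: com.microsoft/MDM/AADUserToken" and "Alert sample:" and ends with "… other XML tags …", none of which is XML, so the highlighter will mark it up incorrectly. Either move the two caption lines out of the fence and turn the trailing ellipsis into an XML comment, or leave the fence untagged.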
@ -665,7 +667,7 @@ Here's an example.
<Data>user</Data>
</Item>
</Alert>
… other xml tags …
… other XML tags …
</SyncBody>
```
@ -682,9 +684,10 @@ For a sample that illustrates how an MDM can obtain an access token using OAuth
The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device currently being managed by it.
> **Note**  This is only applicable for approved MDM apps on Windows 10 devices.
> [!NOTE]
> This is only applicable for approved MDM apps on Windows 10 devices.
``` syntax
```console
Sample Graph API Request:
PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1
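Review bot: the fence label `console` does not fit a block that starts with the caption "Sample Graph API Request:" followed by an HTTP `PATCH`; move the caption out of the fence and tag the request as `http`. Note also that the sample targets `api-version=beta` on `graph.windows.net`; guidance that MDM vendors are expected to implement for reporting compliance should point at a supported, non-beta API version, or say explicitly that the beta endpoint is required.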
@ -713,7 +716,7 @@ Response:
When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
![aadj unenerollment](images/azure-ad-unenrollment.png)
![aadj unenrollment](images/azure-ad-unenrollment.png)
## Error codes
@ -921,4 +924,3 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 03/24/2020
ms.date: 04/07/2020
ms.reviewer:
manager: dansimp
@ -149,6 +149,8 @@ where:
The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
- In this example, `Group1` and `Group2` are local groups on the device being configured.
> [!Note]
> Currently, the RestrictedGroups/ConfigureGroupMembership policy does not have a MemberOf functionality. However, you can add a local group as a member to another local group by using the member portion, as shown in the above example.
<!--/Example-->
<!--Validation-->
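Review bot: the callout label `[!Note]` is inconsistent with the `[!NOTE]` casing used everywhere else in this change set. The context line above says membership "is configured using the NetLocalGroupSetMembers API" but does not spell out the consequence: that API replaces the group's membership list, so any member not included in the configured list is removed. A sentence stating that the policy sets, rather than adds to, the membership would prevent an administrator from locking accounts out of a local group by omission.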

View File

@ -1025,6 +1025,7 @@ To validate on Desktop, do the following:
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>

View File

@ -53,17 +53,17 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s
- Grant an user right to multiple groups (Administrators, Authenticated Users) via SID
```
<Data>*S-1-5-32-544&#61440;*S-1-5-11</Data>
<Data>*S-1-5-32-544&#xF000;*S-1-5-11</Data>
```
- Grant an user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings
```
<Data>*S-1-5-32-544&#61440;Authenticated Users</Data>
<Data>*S-1-5-32-544&#xF000;Authenticated Users</Data>
```
- Grant an user right to multiple groups (Authenticated Users, Administrators) via strings
```
<Data>Authenticated Users&#61440;Administrators</Data>
<Data>Authenticated Users&#xF000;Administrators</Data>
```
- Empty input indicates that there are no users configured to have that user right
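Review bot: `&#61440;` and `&#xF000;` are the same character (U+F000) in decimal and hexadecimal form, so this is a readability change that aligns the samples with the "0xF000" wording in the sentence above, not a behavior fix; the commit should not be read as correcting a broken delimiter. While here, "Grant an user right" on each bullet should be "Grant a user right". The mixed and string-only examples rely on display names such as "Authenticated Users" and "Administrators", which are localized on non-English systems; the samples that use `*S-1-5-...` SIDs are the robust form, and the text could recommend SIDs for anything deployed to a mixed-language fleet.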

View File

@ -45,12 +45,16 @@ Setting a null (empty) date will delete the existing schedule. In accordance wit
<p style="margin-left: 20px">The supported operations are Get, Add, Replace, and Delete.</p>
<p style="margin-left: 20px">The supported data type is "String".</p>
<a href="" id="schedule-dailyrecurrent"></a>**Schedule/DailyRecurrent**
<p style="margin-left: 20px">This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00. </br>
Example to configure: 2018-10-25T18:00:00</p>
<p style="margin-left: 20px">The supported operations are Get, Add, Replace, and Delete.</p>
<p style="margin-left: 20px">The supported data type is "String".</p>
## Related topics
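Review bot: the new `Schedule/DailyRecurrent` description says the CSP returns values with a UTC offset (`2018-06-29T10:00:00+01:00`) but the configuration example `2018-10-25T18:00:00` has none; state whether an offset is required on input and, if not, which time zone (device local or UTC) an offset-less value is interpreted in, since a daily reboot landing an hour off is exactly the kind of surprise this node should not produce. Also `</br>` is not a valid tag; use `<br/>`.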

View File

@ -175,6 +175,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
<xs:sequence>
<xs:element name="Address" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="PrefixSize" type="xs:unsignedByte" minOccurs="1" maxOccurs="1"/>
<xs:element name="ExclusionRoute" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
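Review bot: this hunk adds `ExclusionRoute` to the `Route` complex type in the XSD only; if the node reference for the route list is not updated in the same change, the element ships undocumented (type, default, and the Windows version that accepts it). Given the name, a route flagged this way presumably sends traffic for that prefix outside the tunnel, which is a security-relevant behavior that deserves an explicit statement, and a ProfileXML sample that sets it to `true` beside an ordinary route would remove any ambiguity about how it is used.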

View File

@ -21,7 +21,8 @@ The features described below are no longer being actively developed, and might b
**The following list is subject to change and might not include every affected feature or functionality.**
>If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
> [!NOTE]
> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
|Feature | Details and mitigation | Announced in version |
| ----------- | --------------------- | ---- |
@ -47,7 +48,6 @@ The features described below are no longer being actively developed, and might b
|Business Scanning| This feature is also called Distributed Scan Management (DSM) **(Added 05/03/2018)**<br>&nbsp;<br>The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| 1803 |
|IIS 6 Management Compatibility* | We recommend that users use alternative scripting tools and a newer management console. | 1709 |
|IIS Digest Authentication | We recommend that users use alternative authentication methods.| 1709 |
|Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 |
|RSA/AES Encryption for IIS | We recommend that users use CNG encryption provider. | 1709 |
|Screen saver functionality in Themes | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
|Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work. | 1709 |
@ -63,4 +63,4 @@ The features described below are no longer being actively developed, and might b
|TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](https://docs.microsoft.com/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
|TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](https://docs.microsoft.com/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
|IPsec Task Offload| [IPsec Task Offload](https://docs.microsoft.com/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 |
|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quite switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019 as well.|
|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019 as well.|
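Review bot: the row "TLS DHE_DSS ciphers DisabledByDefault" names one cipher family in the Feature column but its Details text says "TLS RC4 Ciphers will be disabled by default"; one of the two is wrong and the context line should be corrected in the same pass. The `/quite` to `/quiet` fix is correct.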

View File

@ -18,7 +18,7 @@ ms.topic: article
Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that we removed in Windows 10. **The list below is subject to change and might not include every affected feature or functionality.**
For information about features that might be removed in a future release, see [Windows 10 features were no longer developing](windows-10-deprecated-features.md)
For information about features that might be removed in a future release, see [Windows 10 features were no longer developing](windows-10-deprecated-features.md).
> [!NOTE]
> Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself.
@ -50,12 +50,13 @@ The following features and functionalities have been removed from the installed
|Reading List | Functionality to be integrated into Microsoft Edge. | 1709 |
|Screen saver functionality in Themes | This functionality is disabled in Themes, and classified as **Removed** in this table. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
|Syskey.exe | Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window). | 1709 |
|TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193).| 1709 |
|TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| 1709 |
|Tile Data Layer |To be replaced by the Tile Store.| 1709 |
|Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 |
|Apps Corner| This Windows 10 mobile application is removed in the version 1703 release. | 1703 |
|By default, Flash autorun in Edge is turned off. | Use the Click-to-Run (C2R) option instead. (This setting can be changed by the user.) | 1703 |
|Interactive Service Detection Service| See [Interactive Services](https://docs.microsoft.com/windows/win32/services/interactive-services?redirectedfrom=MSDN) for guidance on how to keep software up to date. | 1703 |
|Microsoft Paint | This application will not be available for languages that are not on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 |
|NPN support in TLS | This feature is superseded by Application-Layer Protocol Negotiation (ALPN). | 1703 |
|Windows Information Protection "AllowUserDecryption" policy | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. | 1703 |
|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 |
|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 |
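Review bot: the ReFS row moved into this "removed" table keeps its original future-tense wording ("Creation ability will be available ... will be removed"); since the table records changes already shipped in 1709, rewrite it in the present tense so it does not read as a forthcoming change. The edit to the TCP Offload Engine row drops the sentence's closing period, which makes it the only row without one; the period sat outside the link, so keep it.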

View File

@ -19,7 +19,7 @@ ms.topic: article
The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more.
You can [**download the script here**](https://github.com/cinglis-msft/UpdateComplianceConfigurationScript). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
You can [**download the script here**](https://www.microsoft.com/en-us/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
## How the script is organized
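Review bot: moving the download from a personal GitHub repository to the Microsoft Download Center is the right home for a script that runs on every monitored device, but the page still offers no way to verify what was downloaded; publish the file hash (or state that the script is Authenticode-signed, if it is) so administrators can check it before pushing it out through Group Policy. Also drop the `en-us` segment from the URL so the link resolves to the reader's language.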

View File

@ -19,9 +19,8 @@ ms.topic: article
> [!IMPORTANT]
> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates:
>
> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance was retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
> * The Perspectives feature of Update Compliance was retired on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
> As of March 31, 2020, The Windows Defender Antivirus reporting feature of Update Compliance is no longer supported and will soon be retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
> * As of March 31, 2020, The Perspectives feature of Update Compliance is no longer supported and will soon be retired in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
## Introduction
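Review bot: the first rewritten bullet lost its `* ` marker: the line now reads `> As of March 31, 2020, The Windows Defender ...` while the next item keeps `> * As of ...`, so the two items will render inconsistently. Restore the bullet and lowercase "The" mid-sentence in both items.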
@ -33,7 +32,7 @@ Update Compliance enables organizations to:
Update Compliance is offered through the Azure portal, and is included as part of Windows 10 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites).
Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal).
Update Compliance uses Windows 10 diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience.
See the following topics in this guide for detailed information about configuring and using the Update Compliance solution:

View File

@ -36,7 +36,7 @@ These fields are briefly described in this article, to learn more about Delivery
|**BytesFromGroupPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`523132` |Total number of bytes downloaded from Group Peers. |
|**BytesFromIntPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`328350` |Total number of bytes downloaded from Internet Peers. |
|**BytesFromPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`43145` |Total number of bytes downloaded from peers. |
|**ContentDownloadMode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode)**@JAIME** configuration for this content. |
|**ContentDownloadMode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this content. |
|**ContentType** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`Quality Updates` |The type of content being downloaded. |
|**DOStatusDescription** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |A short description of DO's status, if any. |
|**DownloadMode** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this device. |
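Review bot: removing the stray `**@JAIME**` editorial marker is correct. On the context lines, `ContentType` is declared as `int` but its example value is the string `Quality Updates`, and `ContentDownloadMode` ("configuration for this content") and `DownloadMode` ("configuration for this device") are documented so similarly that a reader cannot tell when they differ; fix the type of `ContentType` and say in which case the per-content mode diverges from the device setting.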

View File

@ -135,7 +135,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
- 4 = DNS Suffix
- 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-4, the policy is ignored.
When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
### Minimum RAM (inclusive) allowed to use Peer Caching

View File

@ -1,79 +1,80 @@
---
title: Install VAMT (Windows 10)
description: Install VAMT
ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc
ms.reviewer:
manager: laurawi
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.date: 03/11/2019
ms.topic: article
---
# Install VAMT
This topic describes how to install the Volume Activation Management Tool (VAMT).
## Install VAMT
You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
>[!IMPORTANT]
>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator. 
>[!NOTE]
>The VAMT Microsoft Management Console snap-in ships as an x86 package.
### Requirements
- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied
- [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042)
- [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express)
- alternatively any full SQL instance e.g. SQL Server 2014 or newer incl. CU / SP
### Install SQL Server 2017 Express / alternatively use any Full SQL instance e.g. SQL Server 2014 or newer
1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package.
2. Select **Basic**.
3. Accept the license terms.
4. Enter an install location or use the default path, and then select **Install**.
5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**.
![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png)
### Install VAMT using the ADK
1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package.
Reminder: There won't be new ADK release for 1909.
2. Enter an install location or use the default path, and then select **Next**.
3. Select a privacy setting, and then select **Next**.
4. Accept the license terms.
5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.)
6. On the completion page, select **Close**.
### Configure VAMT to connect to SQL Server 2017 Express or full SQL Server
1. Open **Volume Active Management Tool 3.1** from the Start menu.
2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL.
![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png)
for remote SQL Server use
servername.yourdomain.com
## Uninstall VAMT
To uninstall VAMT using the **Programs and Features** Control Panel:
1. Open **Control Panel** and select **Programs and Features**.
2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT.
---
title: Install VAMT (Windows 10)
description: Install VAMT
ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc
ms.reviewer:
manager: laurawi
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.date: 03/11/2019
ms.topic: article
---
# Install VAMT
This topic describes how to install the Volume Activation Management Tool (VAMT).
## Install VAMT
You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
>[!IMPORTANT]
>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator. 
>[!NOTE]
>The VAMT Microsoft Management Console snap-in ships as an x86 package.
### Requirements
- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied
- [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042)
- Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) version, the latest is recommended
- Alternatively, any supported **full** SQL instance
### Install SQL Server Express / alternatively use any full SQL instance
1. Download and open the [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package.
2. Select **Basic**.
3. Accept the license terms.
4. Enter an install location or use the default path, and then select **Install**.
5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**.
![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png)
### Install VAMT using the ADK
1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package.
Reminder: There won't be new ADK release for 1909.
2. Enter an install location or use the default path, and then select **Next**.
3. Select a privacy setting, and then select **Next**.
4. Accept the license terms.
5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.)
6. On the completion page, select **Close**.
### Configure VAMT to connect to SQL Server Express or full SQL Server
1. Open **Volume Active Management Tool 3.1** from the Start menu.
2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL.
![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png)
for remote SQL Server use
servername.yourdomain.com
## Uninstall VAMT
To uninstall VAMT using the **Programs and Features** Control Panel:
1. Open **Control Panel** and select **Programs and Features**.
2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT.
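Review bot: Step 1 under "Configure VAMT to connect to SQL Server Express or full SQL Server" still reads "Volume Active Management Tool 3.1"; the product is the Volume Activation Management Tool, so fix the name while this file is being edited. The two stray lines after the database screenshot ("for remote SQL Server use" / "servername.yourdomain.com") are attached to no step; fold them into step 2, for example "for a remote SQL Server, use the FQDN, such as servername.yourdomain.com". "There won't be new ADK release for 1909" is missing an article ("a new ADK release"), and ms.date stays at 03/11/2019 although the requirements and SQL guidance changed, so readers have no signal that the page was updated.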

View File

@ -108,11 +108,11 @@ Topics and procedures in this guide are summarized in the following table. An es
5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
```
New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound Protocol TCP LocalPort 1433 -Action allow
New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound Protocol TCP LocalPort 1434 -Action allow
New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound Protocol UDP LocalPort 1434 -Action allow
New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound Protocol TCP LocalPort 4022 -Action allow
New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound Protocol TCP LocalPort 135 -Action allow
New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound Protocol TCP LocalPort 1433 -Action allow
New-NetFirewallRule -DisplayName "SQL Admin Connection" -Direction Inbound Protocol TCP LocalPort 1434 -Action allow
New-NetFirewallRule -DisplayName "SQL Database Management" -Direction Inbound Protocol UDP LocalPort 1434 -Action allow
New-NetFirewallRule -DisplayName "SQL Service Broker" -Direction Inbound Protocol TCP LocalPort 4022 -Action allow
New-NetFirewallRule -DisplayName "SQL Debugger/RPC" -Direction Inbound Protocol TCP LocalPort 135 -Action allow
```
7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components.
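Review bot: Replacing the curly quotes is correct, but every New-NetFirewallRule line in this block is still broken: `Protocol` and `LocalPort` are missing their leading hyphen, so PowerShell treats them as positional arguments and the cmdlet errors out instead of creating the rule. Each line should read like `New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow`. These rules also open SQL, the RPC endpoint mapper (135) and Service Broker inbound from any source; consider scoping them with -RemoteAddress to the lab subnet. The step numbering jumps from 5 to 7 as well.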
@ -123,7 +123,7 @@ Topics and procedures in this guide are summarized in the following table. An es
```
$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
Stop-Process -Name Explorer
```
@ -207,7 +207,7 @@ Topics and procedures in this guide are summarized in the following table. An es
19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
```
Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1
Stop-Process -Name Explorer
```
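Review bot: Step 19 reuses `$AdminKey`, which is only assigned in the earlier block (`$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"`); if the reader has opened a new PowerShell session since then, `Set-ItemProperty -Path $AdminKey` fails because the path is null. Either repeat the assignment in this step or state that it must run in the same session as the earlier block.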
@ -326,7 +326,7 @@ WDSUTIL /Set-Server /AnswerClients:None
See the following example:
<img src="images/sccm-pxe.png" alt="Config Mgr PXE"/>
<img src="images/configmgr-pxe.png" alt="Config Mgr PXE"/>
5. Click **OK**.
6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
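Review bot: The image path changes from images/sccm-pxe.png to images/configmgr-pxe.png with the alt text unchanged, and the same sccm-* to configmgr-* rename is applied further down this file for assets, site, client, collection, software-cntr, install-os, asset and post-refresh. Confirm the renamed image files are included in this commit; a markdown reference to a missing image renders as a broken image with no build error to catch it.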
@ -387,7 +387,7 @@ WDSUTIL /Set-Server /AnswerClients:None
In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
```
STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590)
STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590)
```
11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
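Review bot: The removed and added STATMSG lines render identically here, so the change is presumably whitespace or a non-printing character; say so in the commit message, otherwise reviewers cannot tell whether the sample log line was meant to change.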
@ -847,7 +847,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
6. When a popup dialog box asks if you want to run full discovery, click **Yes**.
7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example):
![assets](images/sccm-assets.png)
![assets](images/configmgr-assets.png)
>If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console.
@ -900,7 +900,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example:
![site](images/sccm-site.png)
![site](images/configmgr-site.png)
If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated.
@ -908,7 +908,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example:
![client](images/sccm-client.png)
![client](images/configmgr-client.png)
>It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**.
@ -970,7 +970,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example:
![collection](images/sccm-collection.png)
![collection](images/configmgr-collection.png)
### Create a device collection for PC1
@ -1018,7 +1018,7 @@ In the Configuration Manager console, in the Software Library workspace under Op
4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example:
![software](images/sccm-software-cntr.png)
![software](images/configmgr-software-cntr.png)
>If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available.
@ -1056,17 +1056,17 @@ In the Configuration Manager console, in the Software Library workspace under Op
3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**.
4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example:
![installOS](images/sccm-install-os.png)
![installOS](images/configmgr-install-os.png)
The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example:
![asset](images/sccm-asset.png)
![asset](images/configmgr-asset.png)
You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**.
When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system.
![post-refresh](images/sccm-post-refresh.png)
![post-refresh](images/configmgr-post-refresh.png)

View File

@ -10,7 +10,6 @@ ms.pagetype: deploy
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.date: 10/31/2018
ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
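Review bot: Deleting `ms.date: 10/31/2018` removes the only last-updated signal on a page whose support table is changed in the same commit; unless the build is meant to stamp the date automatically, update the value rather than dropping the line.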
@ -25,19 +24,14 @@ The following table displays support information for the Windows Autopilot progr
Before contacting the resources listed below for Windows Autopilot-related issues, check the [Windows Autopilot FAQ](autopilot-faq.md).
| Audience | Support contact |
|---------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if youre a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. |
| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority: <br>Low 120 hours <br>Normal 72 hours <br>High 24 hours <br>Immediate 4 hours |
| Partners with a Partner Technology Strategist (PTS) | If you have a PTS (whether youre a CSP or not), you may first try working through your accounts specific Partner Technology Strategist (PTS). |
| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether youre a CSP or not), you may first try working through your accounts specific Ecosystem PM, especially for technical issues. To learn more about Ecosystem PMs and the services they offer, contact epsoinfo@microsoft.com. |
| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. |
| End-user | Contact your IT administrator. |
| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. |
| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB. |
| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). |
| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in: https://support.microsoft.com/en-us. |
| Queries relating to MDA testing | Contact MDAHelp@microsoft.com. |
| All other queries, or when unsure who to contact | Contact msoemops@microsoft.com. |
| Audience | Support contact |
|------------|---------------------------------------|
| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if youre a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. |
| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority: <br>Low 120 hours <br>Normal 72 hours <br>High 24 hours <br>Immediate 4 hours |
| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. |
| End-user | Contact your IT administrator. |
| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. |
| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB. |
| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). |
| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in: https://support.microsoft.com/en-us. |
| Queries relating to MDA testing | Contact MDAHelp@microsoft.com. |
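Review bot: Removing the final row ("All other queries, or when unsure who to contact", msoemops@microsoft.com) leaves the table without a fallback contact, while the lead-in still directs readers to "the resources listed below"; if that mailbox is retired, say where an unsure reader should go instead. The Partner Technology Strategist and Ecosystem PM rows are also dropped silently; a sentence noting that those channels are no longer listed would stop partners from assuming the table is incomplete. In both the old and new OEM/CSP row, "youre" appears without its apostrophe; check that the source file has "you're".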

View File

@ -71,4 +71,5 @@
### [VPN security features](vpn\vpn-security-features.md)
### [VPN profile options](vpn\vpn-profile-options.md)
### [How to configure Diffie Hellman protocol over IKEv2 VPN connections](vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md)
### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
### [Optimizing Office 365 traffic with the Windows 10 VPN client](vpn\vpn-office-365-optimization.md)

View File

@ -37,7 +37,7 @@ You are ready to configure device registration for your hybrid environment. Hybr
## Configure Azure for Device Registration
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/)
To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/).
Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-manual) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.

View File

@ -329,7 +329,7 @@ If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, wri
If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory.
Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies do.
Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies, such as [MDM automatic enrollment](https://docs.microsoft.com/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) do.
If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet.
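Review bot: The new sentence needs a comma after the Conditional Access link so the parenthetical is closed: "some dependencies, such as MDM automatic enrollment and Conditional Access, do."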

View File

@ -0,0 +1,676 @@
---
title: Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
audience: ITPro
ms.topic: article
author: kelleyvice-msft
ms.localizationpriority: medium
ms.date: 04/07/2020
ms.reviewer:
manager: dansimp
ms.author: jajo
---
# Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client
This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling.
This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions *even when using force tunneling* in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users.
> [!NOTE]
> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration).
## Solution Overview
The solution is based upon the use of a VPN Configuration Service Provider Reference profile ([VPNv2 CSP](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp)) and the embedded [ProfileXML](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-profile-xsd). These are used to configure the VPN profile on the device. Various provisioning approaches can be used to create and deploy the VPN profile as discussed in the article [Step 6. Configure Windows 10 client Always On VPN connections](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files).
Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune).
To enable the use of force tunneling in Windows 10 VPN, the `<RoutingPolicyType>` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `<NativeProfile></NativeProfile>` section:
```xml
<RoutingPolicyType>ForceTunnel</RoutingPolicyType>
```
In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the `<NativeProfile></NativeProfile>` section as follows:
```xml
<Route>
<Address>[IP addresses or subnet]</Address>
<PrefixSize>[IP Prefix]</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
```
Entries defined by the `[IP Addresses or Subnet]` and `[IP Prefix]` references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate `<Route></Route>` section for each required exclusion.
An example of a correctly formatted Profile XML configuration for force tunnel with exclusions is shown below:
```xml
<VPNProfile>
<NativeProfile>
<RoutingPolicyType>ForceTunnel</RoutingPolicyType>
</NativeProfile>
<Route>
<Address>203.0.113.0</Address>
<PrefixSize>24</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>198.51.100.0</Address>
<PrefixSize>22</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
</VPNProfile>
```
> [!NOTE]
> The IP addresses and prefix size values in this example are used purely as examples only and should not be used.
## Solution Deployment
For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunneling.
This can be achieved manually by adding the IP addresses defined within the *optimize* category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used.
An example of a PowerShell script that can be used to update a force tunnel VPN connection with Office 365 exclusions is provided below.
```powershell
# Copyright (c) Microsoft Corporation. All rights reserved.
#
# THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
# WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
# IF THIS CODE AND INFORMATION IS MODIFIED, THE ENTIRE RISK OF USE OR RESULTS IN
# CONNECTION WITH THE USE OF THIS CODE AND INFORMATION REMAINS WITH THE USER.
<#
.SYNOPSIS
Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 VPN profile
.DESCRIPTION
Connects to the Office 365 worldwide commercial service instance endpoints to obtain the latest published IP address ranges
Compares the optimized IP addresses with those contained in the supplied VPN Profile (PowerShell or XML file)
Adds or updates IP addresses as necessary and saves the resultant file with "-NEW" appended to the file name
.PARAMETERS
Filename and path for a supplied Windows 10 VPN profile file in either PowerShell or XML format
.NOTES
Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later
.VERSION
1.0
#>
param (
[string]$VPNprofilefile
)
$usage=@"
This script uses the following parameters:
VPNprofilefile - The full path and name of the VPN profile PowerShell script or XML file
EXAMPLES
To check a VPN profile PowerShell script file:
Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF POWERSHELL SCRIPT FILE]
To check a VPN profile XML file:
Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF XML FILE]
"@
# Check if filename has been provided #
if ($VPNprofilefile -eq "")
{
Write-Host "`nWARNING: You must specify either a PowerShell script or XML filename!" -ForegroundColor Red
$usage
exit
}
$FileExtension = [System.IO.Path]::GetExtension($VPNprofilefile)
# Check if XML file exists and is a valid XML file #
if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
{
if ( Test-Path $VPNprofilefile )
{
$xml = New-Object System.Xml.XmlDocument
try
{
$xml.Load((Get-ChildItem -Path $VPNprofilefile).FullName)
}
catch [System.Xml.XmlException]
{
Write-Verbose "$VPNprofilefile : $($_.toString())"
Write-Host "`nWARNING: The VPN profile XML file is not a valid xml file or incorrectly formatted!" -ForegroundColor Red
$usage
exit
}
}else
{
Write-Host "`nWARNING: VPN profile XML file does not exist or cannot be found!" -ForegroundColor Red
$usage
exit
}
}
# Check if VPN profile PowerShell script file exists and contains a VPNPROFILE XML section #
if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".ps1")
{
if ( (Test-Path $VPNprofilefile) )
{
if (-Not $(Select-String -Path $VPNprofilefile -Pattern "<VPNPROFILE>") )
{
Write-Host "`nWARNING: PowerShell script file does not contain a valid VPN profile XML section or is incorrectly formatted!" -ForegroundColor Red
$usage
exit
}
}else
{
Write-Host "`nWARNING: PowerShell script file does not exist or cannot be found!"-ForegroundColor Red
$usage
exit
}
}
# Define Office 365 endpoints and service URLs #
$ws = "https://endpoints.office.com"
$baseServiceUrl = "https://endpoints.office.com"
# Path where client ID and latest version number will be stored #
$datapath = $Env:TEMP + "\endpoints_clientid_latestversion.txt"
# Fetch client ID and version if data file exists; otherwise create new file #
if (Test-Path $datapath)
{
$content = Get-Content $datapath
$clientRequestId = $content[0]
$lastVersion = $content[1]
}else
{
$clientRequestId = [GUID]::NewGuid().Guid
$lastVersion = "0000000000"
@($clientRequestId, $lastVersion) | Out-File $datapath
}
# Call version method to check the latest version, and pull new data if version number is different #
$version = Invoke-RestMethod -Uri ($ws + "/version?clientRequestId=" + $clientRequestId)
if ($version[0].latest -gt $lastVersion)
{
Write-Host
Write-Host "A new version of Office 365 worldwide commercial service instance endpoints has been detected!" -ForegroundColor Cyan
# Write the new version number to the data file #
@($clientRequestId, $version[0].latest) | Out-File $datapath
}
# Invoke endpoints method to get the new data #
$uri = "$baseServiceUrl" + "/endpoints/worldwide?clientRequestId=$clientRequestId"
# Invoke endpoints method to get the data for the VPN profile comparison #
$endpointSets = Invoke-RestMethod -Uri ($uri)
$Optimize = $endpointSets | Where-Object { $_.category -eq "Optimize" }
$optimizeIpsv4 = $Optimize.ips | Where-Object { ($_).contains(".") } | Sort-Object -Unique
# Temporarily include additional IP address until Teams client update is released
$optimizeIpsv4 += "13.107.60.1/32"
# Process PowerShell script file start #
if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1")
{
Write-host "`nStarting PowerShell script exclusion route check...`n" -ForegroundColor Cyan
# Clear Variables to allow re-run testing #
$ARRVPN=$null # Array to hold VPN addresses from VPN profile PowerShell file #
$In_Opt_Only=$null # Variable to hold IP addresses that only appear in the optimize list #
$In_VPN_Only=$null # Variable to hold IP addresses that only appear in the VPN profile PowerShell file #
# Extract the Profile XML from the ps1 file #
$regex = '(?sm).*^*.<VPNPROFILE>\r?\n(.*?)\r?\n</VPNProfile>.*'
# Create xml format variable to compare with the optimize list #
$xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1'
[xml]$VPNprofilexml="<VPNPROFILE>"+$xmlbody+"</VPNPROFILE>"
# Loop through each address found in VPNPROFILE XML section #
foreach ($Route in $VPNprofilexml.VPNProfile.Route)
{
$VPNIP=$Route.Address+"/"+$Route.PrefixSize
[array]$ARRVPN=$ARRVPN+$VPNIP
}
# In optimize address list only #
$In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_}
# In VPN list only #
$In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_}
[array]$Inpfile = get-content $VPNprofilefile
if ($In_Opt_Only.Count -gt 0 )
{
Write-Host "Exclusion route IP addresses are unknown, missing, or need to be updated in the VPN profile`n" -ForegroundColor Red
[int32]$insline=0
for ($i=0; $i -lt $Inpfile.count; $i++)
{
if ($Inpfile[$i] -match "</NativeProfile>")
{
$insline += $i # Record the position of the line after the NativeProfile section ends #
}
}
$OFS = "`r`n"
foreach ($NewIP in $In_Opt_Only)
{
# Add the missing IP address(es) #
$IPInfo=$NewIP.Split("/")
$InpFile[$insline] += $OFS+" <Route>"
$InpFile[$insline] += $OFS+" <Address>"+$IPInfo[0].Trim()+"</Address>"
$InpFile[$insline] += $OFS+" <PrefixSize>"+$IPInfo[1].Trim()+"</PrefixSize>"
$InpFile[$insline] += $OFS+" <ExclusionRoute>true</ExclusionRoute>"
$InpFile[$insline] += $OFS+" </Route>"
}
# Update fileName and write new PowerShell file #
$NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.ps1"
$OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName
$InpFile | Set-Content $OutFile
Write-Host "Exclusion routes have been added to VPN profile and output to a separate PowerShell script file; the original file has not been modified`n" -ForegroundColor Green
}else
{
Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -ForegroundColor Green
$OutFile=$VPNprofilefile
}
if ( $In_VPN_Only.Count -gt 0 )
{
Write-Host "Unknown exclusion route IP addresses have been found in the VPN profile`n" -ForegroundColor Yellow
foreach ($OldIP in $In_VPN_Only)
{
[array]$Inpfile = get-content $Outfile
$IPInfo=$OldIP.Split("/")
Write-Host "Unknown exclusion route IP address"$IPInfo[0]"has been found in the VPN profile - Do you wish to remove it? (Y/N)`n" -ForegroundColor Yellow
$matchstr="<Address>"+$IPInfo[0].Trim()+"</Address>"
$DelAns=Read-host
if ($DelAns.ToUpper() -eq "Y")
{
[int32]$insline=0
for ($i=0; $i -lt $Inpfile.count; $i++)
{
if ($Inpfile[$i] -match $matchstr)
{
$insline += $i # Record the position of the line for the string match #
}
}
# Remove entries from XML #
$InpFile[$insline-1]="REMOVETHISLINE"
$InpFile[$insline]="REMOVETHISLINE"
$InpFile[$insline+1]="REMOVETHISLINE"
$InpFile[$insline+2]="REMOVETHISLINE"
$InpFile[$insline+3]="REMOVETHISLINE"
$InpFile=$InpFile | Where-Object {$_ -ne "REMOVETHISLINE"}
# Update filename and write new PowerShell file #
$NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml"
$OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName
$Inpfile | Set-content $OutFile
Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate PowerShell script file; the original file has not been modified`n" -ForegroundColor Green
}else
{
Write-Host "`nExclusion route IP address has *NOT* been removed from the VPN profile`n" -ForegroundColor Green
}
}
}
}
# Process XML file start #
if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
{
Write-host "`nStarting XML file exclusion route check...`n" -ForegroundColor Cyan
# Clear variables to allow re-run testing #
$ARRVPN=$null # Array to hold VPN addresses from the XML file #
$In_Opt_Only=$null # Variable to hold IP Addresses that only appear in optimize list #
$In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file #
# Extract the Profile XML from the XML file #
$regex = '(?sm).*^*.<VPNPROFILE>\r?\n(.*?)\r?\n</VPNProfile>.*'
# Create xml format variable to compare with optimize list #
$xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1'
[xml]$VPNRulesxml="$xmlbody"
# Loop through each address found in VPNPROFILE file #
foreach ($Route in $VPNRulesxml.VPNProfile.Route)
{
$VPNIP=$Route.Address+"/"+$Route.PrefixSize
[array]$ARRVPN=$ARRVPN+$VPNIP
}
# In optimize address list only #
$In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_}
# In VPN list only #
$In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_}
[array]$Inpfile = get-content $VPNprofilefile
if ($In_Opt_Only.Count -gt 0 )
{
Write-Host "Exclusion route IP addresses are unknown, missing, or need to be updated in the VPN profile`n" -ForegroundColor Red
foreach ($NewIP in $In_Opt_Only)
{
# Add the missing IP address(es) #
$IPInfo=$NewIP.Split("/")
$inspoint = $Inpfile[0].IndexOf("</VPNProfile")
$routes += "<Route>"+"<Address>"+$IPInfo[0].Trim()+"</Address>"+"<PrefixSize>"+$IPInfo[1].Trim()+"</PrefixSize>"+"<ExclusionRoute>true</ExclusionRoute>"+"</Route>"
}
$Inpfile = $Inpfile[0].Insert($inspoint,$routes)
# Update filename and write new XML file #
$NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml"
$OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName
$InpFile | Set-Content $OutFile
Write-Host "Exclusion routes have been added to VPN profile and output to a separate XML file; the original file has not been modified`n`n" -ForegroundColor Green
}else
{
Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -ForegroundColor Green
$OutFile=$VPNprofilefile
}
if ( $In_VPN_Only.Count -gt 0 )
{
Write-Host "Unknown exclusion route IP addresses found in the VPN profile`n" -ForegroundColor Yellow
foreach ($OldIP in $In_VPN_Only)
{
[array]$Inpfile = get-content $OutFile
$IPInfo=$OldIP.Split("/")
Write-Host "Unknown exclusion route IP address"$IPInfo[0]"has been found in the VPN profile - Do you wish to remove it? (Y/N)`n" -ForegroundColor Yellow
$matchstr="<Route>"+"<Address>"+$IPInfo[0].Trim()+"</Address>"+"<PrefixSize>"+$IPInfo[1].Trim()+"</PrefixSize>"+"<ExclusionRoute>true</ExclusionRoute>"+"</Route>"
$DelAns=Read-host
if ($DelAns.ToUpper() -eq "Y")
{
# Remove unknown IP address(es) #
$inspoint = $Inpfile[0].IndexOf($matchstr)
$Inpfile[0] = $Inpfile[0].Replace($matchstr,"")
# Update filename and write new XML file #
$NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml"
$OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName
$Inpfile | Set-content $OutFile
Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate XML file; the original file has not been modified`n" -ForegroundColor Green
}else
{
Write-Host "`nExclusion route IP address has *NOT* been removed from the VPN profile`n" -ForegroundColor Green
}
}
}
}
```
## Version Support
This solution is supported with the following versions of Windows:
- Windows 10 1903/1909 and newer: Included, no action needed
- Windows 10 1809: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481)
- Windows 10 1803: At least [KB4493437](https://support.microsoft.com/help/4493437/windows-10-update-kb4493437)
- Windows 10 1709 and lower: Exclusion routes are not supported
- Windows 10 Enterprise 2019 LTSC: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481)
- Windows 10 Enterprise 2016 LTSC: Exclusion routes are not supported
- Windows 10 Enterprise 2015 LTSC: Exclusion routes are not supported
Microsoft strongly recommends that the latest available Windows 10 cumulative update always be applied.
## Other Considerations
You should also be able to adapt this approach to include necessary exclusions for other cloud-services that can be defined by known/static IP addresses; exclusions required for [Cisco WebEx](https://help.webex.com/WBX000028782/Network-Requirements-for-Webex-Teams-Services) or [Zoom](https://support.zoom.us/hc/en-us/articles/201362683) are good examples.
## Examples
An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial PowerShell script:
```powershell
# Copyright (c) Microsoft Corporation. All rights reserved.
#
# THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
# WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
# IF THIS CODE AND INFORMATION IS MODIFIED, THE ENTIRE RISK OF USE OR RESULTS IN
# CONNECTION WITH THE USE OF THIS CODE AND INFORMATION REMAINS WITH THE USER.
<#
.SYNOPSIS
Configures an AlwaysOn IKEv2 VPN Connection using a basic script
.DESCRIPTION
Configures an AlwaysOn IKEv2 VPN Connection with proxy PAC information and force tunneling
.PARAMETERS
Parameters are defined in a ProfileXML object within the script itself
.NOTES
Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later
.VERSION
1.0
#>
<#-- Define Key VPN Profile Parameters --#>
$ProfileName = 'Contoso VPN with Office 365 Exclusions'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
<#-- Define VPN ProfileXML --#>
$ProfileXML = '<VPNProfile>
<RememberCredentials>true</RememberCredentials>
<DnsSuffix>corp.contoso.com</DnsSuffix>
<AlwaysOn>true</AlwaysOn>
<TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection>
<NativeProfile>
<Servers>edge1.contoso.com</Servers>
<RoutingPolicyType>ForceTunnel</RoutingPolicyType>
<NativeProtocolType>IKEv2</NativeProtocolType>
<Authentication>
<MachineMethod>Certificate</MachineMethod>
</Authentication>
</NativeProfile>
<Route>
<Address>13.107.6.152</Address>
<PrefixSize>31</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>13.107.18.10</Address>
<PrefixSize>31</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>13.107.128.0</Address>
<PrefixSize>22</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>23.103.160.0</Address>
<PrefixSize>20</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>40.96.0.0</Address>
<PrefixSize>13</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>40.104.0.0</Address>
<PrefixSize>15</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>52.96.0.0</Address>
<PrefixSize>14</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>131.253.33.215</Address>
<PrefixSize>32</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>132.245.0.0</Address>
<PrefixSize>16</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>150.171.32.0</Address>
<PrefixSize>22</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>191.234.140.0</Address>
<PrefixSize>22</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>204.79.197.215</Address>
<PrefixSize>32</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>13.107.136.0</Address>
<PrefixSize>22</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>40.108.128.0</Address>
<PrefixSize>17</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>52.104.0.0</Address>
<PrefixSize>14</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>104.146.128.0</Address>
<PrefixSize>17</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>150.171.40.0</Address>
<PrefixSize>22</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>13.107.60.1</Address>
<PrefixSize>32</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>13.107.64.0</Address>
<PrefixSize>18</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>52.112.0.0</Address>
<PrefixSize>14</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>52.120.0.0</Address>
<PrefixSize>14</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Proxy>
<AutoConfigUrl>http://webproxy.corp.contsoso.com/proxy.pac</AutoConfigUrl>
</Proxy>
</VPNProfile>'
<#-- Convert ProfileXML to Escaped Format --#>
$ProfileXML = $ProfileXML -replace '<', '&lt;'
$ProfileXML = $ProfileXML -replace '>', '&gt;'
$ProfileXML = $ProfileXML -replace '"', '&quot;'
<#-- Define WMI-to-CSP Bridge Properties --#>
$nodeCSPURI = './Vendor/MSFT/VPNv2'
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_VPNv2_01"
<#-- Define WMI Session --#>
$session = New-CimSession
<#-- Detect and Delete Previous VPN Profile --#>
try
{
$deleteInstances = $session.EnumerateInstances($namespaceName, $className, $options)
foreach ($deleteInstance in $deleteInstances)
{
$InstanceId = $deleteInstance.InstanceID
if ("$InstanceId" -eq "$ProfileNameEscaped")
{
$session.DeleteInstance($namespaceName, $deleteInstance, $options)
$Message = "Removed $ProfileName profile $InstanceId"
Write-Host "$Message"
} else {
$Message = "Ignoring existing VPN profile $InstanceId"
Write-Host "$Message"
}
}
}
catch [Exception]
{
$Message = "Unable to remove existing outdated instance(s) of $ProfileName profile: $_"
Write-Host "$Message"
exit
}
<#-- Create VPN Profile --#>
try
{
$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key')
$newInstance.CimInstanceProperties.Add($property)
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key')
$newInstance.CimInstanceProperties.Add($property)
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property')
$newInstance.CimInstanceProperties.Add($property)
$session.CreateInstance($namespaceName, $newInstance, $options)
$Message = "Created $ProfileName profile."
Write-Host "$Message"
Write-Host "$ProfileName profile summary:"
$session.EnumerateInstances($namespaceName, $className, $options)
}
catch [Exception]
{
$Message = "Unable to create $ProfileName profile: $_"
Write-Host "$Message"
exit
}
$Message = "Script Complete"
Write-Host "$Message"
```
An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file.
>[!NOTE]
>This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace.
```xml
<VPNProfile><RememberCredentials>true</RememberCredentials><DnsSuffix>corp.contoso.com</DnsSuffix><AlwaysOn>true</AlwaysOn><TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection><NativeProfile><Servers>edge1.contoso.com</Servers><RoutingPolicyType>ForceTunnel</RoutingPolicyType><NativeProtocolType>IKEv2</NativeProtocolType><Authentication><MachineMethod>Certificate</MachineMethod></Authentication></NativeProfile><Route><Address>13.107.6.152</Address><PrefixSize>31</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.18.10</Address><PrefixSize>31</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.128.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>23.103.160.0</Address><PrefixSize>20</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>40.96.0.0</Address><PrefixSize>13</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>40.104.0.0</Address><PrefixSize>15</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.96.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>131.253.33.215</Address><PrefixSize>32</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>132.245.0.0</Address><PrefixSize>16</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>150.171.32.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>191.234.140.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>204.79.197.215</Address><PrefixSize>32</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.136.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>40.108.128.0</Address><PrefixSize>17</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.104.0.0</Address>
<PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>104.146.128.0</Address><PrefixSize>17</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>150.171.40.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.60.1</Address><PrefixSize>32</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.64.0</Address><PrefixSize>18</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.112.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.120.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Proxy><AutoConfigUrl>http://webproxy.corp.contsoso.com/proxy.pac</AutoConfigUrl></Proxy></VPNProfile>
```
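Review bot: in the exclusion-route check, additions are written without confirmation while removals prompt with a Y/N; every route this script writes carries `<ExclusionRoute>true</ExclusionRoute>` and so bypasses the force tunnel, which makes the addition path the one that widens the bypass and the one that deserves at least the same prompt, or a preview of `$In_Opt_Only` before the `-NEW` file is produced. Related: `$optimizeIpsv4 += "13.107.60.1/32"` is commented as temporary but has no removal condition, so that /32 is re-added to every profile and is never reported as unknown once it drops out of the Optimize list; tie it to a dated check or a switch parameter. Two logic defects in the .ps1 branch: the removal path sets `$NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml"` although the message says a PowerShell script file was written (should be `-NEW.ps1`), and the removal loop blanks a fixed five-line window around the matched `<Address>` line using `$insline += $i`, which sums indices if the address appears more than once and hits the wrong lines for any other indentation or element order; the same `+=` pattern is used when locating `</NativeProfile>`. In the XML branch `$routes` is not reset in the "Clear variables" block and `$inspoint` is computed but unused in the removal path, so a second run in the same session appends the routes twice. Finally, the sample PAC URL `http://webproxy.corp.contsoso.com/proxy.pac` in both examples misspells contoso, and the Intune XML example is broken across two lines mid-element despite the note that it cannot contain carriage returns.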

View File

@ -38,7 +38,7 @@
## [Encrypted Hard Drive](encrypted-hard-drive.md)
## [Kernel DMA Protection for Thunderbolt 3](kernel-dma-protection-for-thunderbolt.md)
## [Kernel DMA Protection for Thunderbolt&trade; 3](kernel-dma-protection-for-thunderbolt.md)
## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
### [Create a WIP policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md)
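Review bot: confirm that the TOC renders the HTML entity in `## [Kernel DMA Protection for Thunderbolt&trade; 3]`; every other entry in this file is plain text, and the literal ™ character avoids an escaped `&trade;` showing up in the navigation if the TOC processor does not decode entities.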
@ -47,8 +47,8 @@
##### [Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
#### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
#### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md)
### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md)
#### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-configmgr.md)
#### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-configmgr.md)
#### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
#### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md)
### [Mandatory tasks and settings required to turn on WIP](windows-information-protection\mandatory-settings-for-wip.md)
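Review bot: the rename from `overview-create-wip-policy-sccm.md` and `create-wip-policy-using-sccm.md` to the `-configmgr` names needs a matching update to every inbound link plus a redirect for the old paths; the EFS DRA certificate topic in this commit is updated, but any other page still linking to the `-sccm` names will 404 once the TOC resolves to the new files, so grep the repo for both old filenames before merging.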

View File

@ -80,7 +80,9 @@ The server side configuration to enable Network Unlock also requires provisionin
1. The Windows boot manager detects that a Network Unlock protector exists in the BitLocker configuration.
2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address.
3. The client computer broadcasts a vendor-specific DHCP request that contains the Network Key (a 256-bit intermediate key) and an AES-256 session key for the reply. Both of these keys are encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server.
3. The client computer broadcasts a vendor-specific DHCP request that contains:
1. A Network Key (a 256-bit intermediate key) encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server.
2. An AES-256 session key for the reply.
4. The Network Unlock provider on the WDS server recognizes the vendor-specific request.
5. The provider decrypts it with the WDS servers BitLocker Network Unlock certificate RSA private key.
6. The WDS provider then returns the network key encrypted with the session key using its own vendor-specific DHCP reply to the client computer. This forms an intermediate key.
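Review bot: the rewritten step 3 changes the protocol description, not just its layout: the original sentence states that both the Network Key and the AES-256 session key are encrypted with the Network Unlock certificate's 2048-bit RSA public key, while the new sub-items attach the encryption only to the Network Key and leave the session key apparently sent in the clear, which would let anyone on the broadcast segment read the session key and decrypt the reply in step 6. Either add to sub-item 2 that the session key is encrypted with the same RSA public key, or keep step 3 as a single sentence.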

View File

@ -111,7 +111,7 @@ list volume
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/sccm-imageconfig.jpg)
![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/configmgr-imageconfig.jpg)
#### Step 2: Verify the status of WinRE
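Review bot: the image reference changes from `./images/sccm-imageconfig.jpg` to `./images/configmgr-imageconfig.jpg`, but the file rename is not visible in this hunk; confirm the image itself is renamed in the same commit, otherwise the screenshot breaks.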
@ -171,7 +171,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes
You receive an error message that resembles the following:
> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable SecureBoot could not be read. A required privilege is not held by the client.
> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client.
### Cause
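Review bot: the quoted error text is something readers paste into a search, so the added quotation marks around 'SecureBoot' in `BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read` must match the exact string Windows emits; verify against the live message before changing it.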

View File

@ -23,12 +23,12 @@ ms.reviewer:
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
If you dont already have an EFS DRA certificate, youll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, well use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
>[!IMPORTANT]
>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).<br><br>If your DRA certificate has expired, you wont be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).<br><br>If your DRA certificate has expired, you won't be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
## Manually create an EFS DRA certificate
@ -47,16 +47,16 @@ The recovery process included in this topic only works for desktop devices. WIP
>[!Important]
>Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md).
4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md).
> [!NOTE]
> This certificate can be used in Intune for policies both _with_ device enrollment (MDM) and _without_ device enrollment (MAM).
## Verify your data recovery certificate is correctly set up on a WIP client computer
1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so its encrypted by WIP.
1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it's encrypted by WIP.
2. Open an app on your protected app list, and then create and save a file so that its encrypted by WIP.
2. Open an app on your protected app list, and then create and save a file so that it's encrypted by WIP.
3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
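Review bot: steps 1 and 2 of "Verify your data recovery certificate is correctly set up on a WIP client computer" say the same thing ("Find or create a file that's encrypted using Windows Information Protection" and "Open an app on your protected app list, and then create and save a file so that it's encrypted by WIP"); since both lines are already being touched for the apostrophe fix, fold them into one step and renumber the command-prompt step to 2.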
@ -89,7 +89,7 @@ It's possible that you might revoke data from an unenrolled device only to later
<code>Robocopy "%localappdata%\Microsoft\EDP\Recovery" "<i>new_location</i>" * /EFSRAW</code>
Where "*new_location*" is in a different directory. This can be on the employees device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent.
Where "*new_location*" is in a different directory. This can be on the employee's device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent.
To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**.
@ -109,12 +109,12 @@ It's possible that you might revoke data from an unenrolled device only to later
4. Ask the employee to lock and unlock the device.
The Windows Credential service automatically recovers the employees previously revoked keys from the `Recovery\Input` location.
The Windows Credential service automatically recovers the employee's previously revoked keys from the `Recovery\Input` location.
## Auto-recovery of encryption keys
Starting with Windows 10, version 1709, WIP includes a data recovery feature that lets your employees auto-recover access to work files if the encryption key is lost and the files are no longer accessible. This typically happens if an employee reimages the operating system partition, removing the WIP key info, or if a device is reported as lost and you mistakenly target the wrong device for unenrollment.
To help make sure employees can always access files, WIP creates an auto-recovery key thats backed up to their Azure Active Directory (Azure AD) identity.
To help make sure employees can always access files, WIP creates an auto-recovery key that's backed up to their Azure Active Directory (Azure AD) identity.
The employee experience is based on sign in with an Azure AD work account. The employee can either:
@ -147,7 +147,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)
- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md)
- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md)
- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)

View File

@ -25,10 +25,10 @@ ms.date: 01/09/2020
- Windows 10 Mobile, version 1607 and later
- Microsoft Endpoint Configuration Manager
Microsoft Endpoint Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
## Add a WIP policy
After youve installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
After you've installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
>[!TIP]
> Review the [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) article before creating a new configuration item to avoid common issues.
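Review bot: the hunk context shows `ms.date: 01/09/2020` unchanged while the body text and the filename are being revised; bump ms.date so the published page reflects this edit.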
@ -37,16 +37,16 @@ After youve installed and set up Configuration Manager for your organization,
1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
![Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png)
![Configuration Manager, Configuration Items screen](images/wip-configmgr-addpolicy.png)
2. Click the **Create Configuration Item** button.<p>
The **Create Configuration Item Wizard** starts.
![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-sccm-generalscreen.png)
![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-configmgr-generalscreen.png)
3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Microsoft Endpoint Configuration Manager for device management, and then click **Next**.
4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**.
- **Settings for devices managed with the Configuration Manager client:** Windows 10
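Review bot: every screenshot reference in this hunk is renamed from images/wip-sccm-*.png to images/wip-configmgr-*.png, but the image files themselves are not visible in the diff; verify the binaries are renamed in the same commit, otherwise each of these figures renders as a broken image link. The same check applies to the later hunks that rename the remaining wip-sccm-*.png references.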
@ -56,25 +56,25 @@ The **Create Configuration Item Wizard** starts.
5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-sccm-supportedplat.png)
![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-configmgr-supportedplat.png)
6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**.
![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-sccm-devicesettings.png)
![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-configmgr-devicesettings.png)
The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
## Add app rules to your policy
During the policy-creation process in Microsoft Endpoint Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
>[!IMPORTANT]
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
### Add a store app rule to your policy
For this example, were going to add Microsoft OneNote, a store app, to the **App Rules** list.
For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list.
**To add a store app**
@ -82,13 +82,13 @@ For this example, were going to add Microsoft OneNote, a store app, to the **
The **Add app rule** box appears.
![Create Configuration Item wizard, add a universal store app](images/wip-sccm-adduniversalapp.png)
![Create Configuration Item wizard, add a universal store app](images/wip-configmgr-adduniversalapp.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Microsoft OneNote*.
2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*.
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Store App** from the **Rule template** drop-down list.
@ -122,7 +122,7 @@ If you don't know the publisher or product name, you can find them for both desk
4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
> [!IMPORTANT]
> The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:<p>
> The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`.<p>For example:<p>
> ```json
> {
> "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
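Review bot: the unchanged context line for step 4 says to paste the values into the **Product Name** box "of Intune", but this article is the Configuration Manager procedure; since the hunk is already touching this note, correct the product name here (the same wording recurs at step 8 in the next hunk).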
@ -150,7 +150,7 @@ If you don't know the publisher or product name, you can find them for both desk
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
> [!IMPORTANT]
> The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
> The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`.
> For example:<p>
> ```json
> {
@ -159,20 +159,20 @@ If you don't know the publisher or product name, you can find them for both desk
> ```
### Add a desktop app rule to your policy
For this example, were going to add Internet Explorer, a desktop app, to the **App Rules** list.
For this example, we're going to add Internet Explorer, a desktop app, to the **App Rules** list.
**To add a desktop app to your policy**
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
![Create Configuration Item wizard, add a classic desktop app](images/wip-sccm-adddesktopapp.png)
![Create Configuration Item wizard, add a classic desktop app](images/wip-configmgr-adddesktopapp.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Internet Explorer*.
2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*.
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Desktop App** from the **Rule template** drop-down list.
@ -186,7 +186,7 @@ For this example, were going to add Internet Explorer, a desktop app, to the
<th>Manages</th>
</tr>
<tr>
<td>All fields left as “*”</td>
<td>All fields left as "*"</td>
<td>All files signed by any publisher. (Not recommended.)</td>
</tr>
<tr>
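Review bot: the replaced cell now uses literal straight quotes around `*`, whereas the other HTML table cells in this file encode quotes as `&quot;` (see the Enterprise Cloud Resources and proxy server rows later in the diff); either form renders, but pick one convention for the file.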
@ -215,7 +215,7 @@ For this example, were going to add Internet Explorer, a desktop app, to the
</tr>
</table>
If youre unsure about what to include for the publisher, you can run this PowerShell command:
If you're unsure about what to include for the publisher, you can run this PowerShell command:
```ps1
Get-AppLockerFileInformation -Path "<path of the exe>"
@ -232,7 +232,7 @@ Path Publisher
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
### Add an AppLocker policy file
For this example, were going to add an AppLocker XML file to the **App Rules** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
For this example, we're going to add an AppLocker XML file to the **App Rules** list. You'll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
**To create an app rule and xml file using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
@ -257,7 +257,7 @@ For this example, were going to add an AppLocker XML file to the **App Rules*
![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png)
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, were using Microsoft Photos.
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos.
![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png)
@ -277,7 +277,7 @@ For this example, were going to add an AppLocker XML file to the **App Rules*
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
The policy is saved and youll see a message that says 1 rule was exported from the policy.
The policy is saved and you'll see a message that says 1 rule was exported from the policy.
**Example XML file**<br>
This is the XML file that AppLocker creates for Microsoft Photos.
@ -299,7 +299,7 @@ For this example, were going to add an AppLocker XML file to the **App Rules*
</RuleCollection>
</AppLockerPolicy>
```
12. After youve created your XML file, you need to import it by using Microsoft Endpoint Configuration Manager.
12. After you've created your XML file, you need to import it by using Configuration Manager.
**To import your Applocker policy file app rule using Configuration Manager**
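Review bot: the bold procedure heading in the context line spells the product "Applocker"; it is "AppLocker" everywhere else in this file, so fix the casing while the surrounding step is being edited.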
@ -307,13 +307,13 @@ For this example, were going to add an AppLocker XML file to the **App Rules*
The **Add app rule** box appears.
![Create Configuration Item wizard, add an AppLocker policy](images/wip-sccm-addapplockerfile.png)
![Create Configuration Item wizard, add an AppLocker policy](images/wip-configmgr-addapplockerfile.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Allowed app list*.
2. Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*.
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick the **AppLocker policy file** from the **Rule template** drop-down list.
@ -332,13 +332,13 @@ If you're running into compatibility issues where your app is incompatible with
The **Add app rule** box appears.
2. Add a friendly name for your app into the **Title** box. In this example, its *Exempt apps list*.
2. Add a friendly name for your app into the **Title** box. In this example, it's *Exempt apps list*.
3. Click **Exempt** from the **Windows Information Protection mode** drop-down list.
Be aware that when you exempt apps, theyre allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic.
Be aware that when you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic.
4. Fill out the rest of the app rule info, based on the type of rule youre adding:
4. Fill out the rest of the app rule info, based on the type of rule you're adding:
- **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic.
@ -360,13 +360,13 @@ We recommend that you start with **Silent** or **Override** while verifying with
|-----|------------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.|
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would've been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on.|
![Create Configuration Item wizard, choose your WIP-protection level](images/wip-sccm-appmgmt.png)
![Create Configuration Item wizard, choose your WIP-protection level](images/wip-configmgr-appmgmt.png)
## Define your enterprise-managed identity domains
Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps youve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
@ -374,16 +374,16 @@ You can specify multiple domains owned by your enterprise by separating them wit
- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-sccm-corp-identity.png)
![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-configmgr-corp-identity.png)
## Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprises range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
>[!IMPORTANT]
>Every WIP policy should include policy that defines your enterprise network locations.<br>
>Classless Inter-Domain Routing (CIDR) notation isnt supported for WIP configurations.
>Classless Inter-Domain Routing (CIDR) notation isn't supported for WIP configurations.
**To define where your protected apps can find and send enterprise data on you network**
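Review bot: the bold procedure heading in the trailing context line reads "on you network" and should be "on your network"; the sentence above it is also a comma splice ("There are no default locations included with WIP, you must add..."), which the apostrophe-only edit on that line leaves in place.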
@ -393,7 +393,7 @@ There are no default locations included with WIP, you must add each of your netw
2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-sccm-add-network-domain.png)
![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-configmgr-add-network-domain.png)
<table>
<tr>
@ -404,7 +404,7 @@ There are no default locations included with WIP, you must add each of your netw
<tr>
<td>Enterprise Cloud Resources</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<p>If you have multiple resources, you must separate them using the &quot;|&quot; delimiter. If you dont use proxy servers, you must also include the &quot;,&quot; delimiter just before the &quot;|&quot;. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<p>If you have multiple resources, you must separate them using the &quot;|&quot; delimiter. If you don't use proxy servers, you must also include the &quot;,&quot; delimiter just before the &quot;|&quot;. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.</td>
</tr>
<tr>
<td>Enterprise Network Domain Names (Required)</td>
@ -414,12 +414,12 @@ There are no default locations included with WIP, you must add each of your netw
<tr>
<td>Proxy servers</td>
<td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
<td>Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources youre connecting to are enterprise resources.<br><br>This list shouldnt include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.</td>
<td>Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.</td>
</tr>
<tr>
<td>Internal proxy servers</td>
<td>contoso.internalproxy1.com;contoso.internalproxy2.com</td>
<td>Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources youre connecting to are enterprise resources.<br><br>This list shouldnt include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.</td><br/> </tr>
<td>Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.</td><br/> </tr>
<tr>
<td>Enterprise IPv4 Range (Required)</td>
<td><strong>Starting IPv4 Address:</strong> 3.4.0.1<br><strong>Ending IPv4 Address:</strong> 3.4.255.254<br><strong>Custom URI:</strong> 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
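Review bot: the Internal proxy servers row ends with `</td><br/> </tr>`; a `<br/>` placed directly inside `<tr>` is not valid table content and should be dropped while this line is being rewritten, so that the row closes as `</td></tr>` like the others.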
@ -442,7 +442,7 @@ There are no default locations included with WIP, you must add each of your netw
4. Decide if you want to Windows to look for additional network settings and if you want to show the WIP icon on your corporate files while in File Explorer.
![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-sccm-optsettings.png)
![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-configmgr-optsettings.png)
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
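Review bot: the context line for step 4 reads "Decide if you want to Windows to look for additional network settings"; the stray "to" before "Windows" should be removed.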
@ -452,16 +452,16 @@ There are no default locations included with WIP, you must add each of your netw
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-sccm-dra.png)
![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-configmgr-dra.png)
After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
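Review bot: the unchanged DRA sentence says the private key "can unencrypt the data"; use "decrypt", the term the protection-mode table in this same file already uses ("an attempt is made to decrypt any WIP-tagged files").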
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional WIP settings.
After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings.
![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-sccm-additionalsettings.png)
![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-configmgr-additionalsettings.png)
**To set your optional settings**
1. Choose to set any or all of the optional settings:
@ -478,13 +478,13 @@ After you've decided where your protected apps can access enterprise data on you
- **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
- **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a users local encryption keys from a device when its unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if youre migrating between Mobile Device Management (MDM) solutions.
- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions.
- **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you dont specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to.
- **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don't specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to.
2. After you pick all of the settings you want to include, click **Summary**.
@ -494,12 +494,12 @@ After you've finished configuring your policy, you can review all of your info o
**To view the Summary screen**
- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-sccm-summaryscreen.png)
![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-configmgr-summaryscreen.png)
A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
## Deploy the WIP policy
After youve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
After you've created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
- [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224)
- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708225)
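Review bot: the image reference now points at images/wip-configmgr-summaryscreen.png, so this commit must also add or rename the image file itself, or the Summary screenshot renders as a broken link; the binary files at the end of the diff are not named here, so confirm one of them is this file and that the old wip-sccm-summaryscreen.png is removed rather than left orphaned.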

View File

@ -82,7 +82,7 @@ When you create a sensitivity label, you can specify that the label be added to
![Sensitivity labels](images/sensitivity-label-auto-label.png)
A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, drivers license numbers, and so on.
A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver's license numbers, and so on.
You can also [create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type), which can include any keyword or expression that you want to evaluate.
### Protection
@ -110,7 +110,7 @@ You can see sensitive information types in Microsoft 365 compliance under **Clas
- Auto labelling requires Windows 10, version 1903
- Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy
- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center
- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-sccm.md)
- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-configmgr.md)
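Review bot: renaming the link target to overview-create-wip-policy-configmgr.md changes a published URL, so the old overview-create-wip-policy-sccm.md path needs a redirect entry or any external bookmark breaks. In the same list, the Windows Defender ATP bullet still links to the windows-defender-atp path and uses the old product name, which is inconsistent with the Microsoft Defender ATP naming used elsewhere in this commit; consider updating it here while the list is being edited.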

View File

@ -28,6 +28,6 @@ Microsoft Endpoint Configuration Manager helps you create and deploy your enterp
## In this section
|Topic |Description |
|------|------------|
|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
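Review bot: the same redirect requirement applies to create-wip-policy-using-sccm.md, which is renamed to create-wip-policy-using-configmgr.md in this row. While touching this table, the unchanged DRA row reads "using a Encrypting File System"; it should be "using an Encrypting File System".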

View File

@ -56,7 +56,7 @@ You can try any of the processes included in these scenarios, but you should foc
<td>Create work documents in enterprise-allowed apps.</td>
<td><strong>For desktop:</strong><br><br>
<ul>
<li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br><strong>Important</strong><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either <a href="create-wip-policy-using-intune-azure.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)">Create a Windows Information Protection (WIP) policy using Microsoft Intune</a> or <a href="create-wip-policy-using-sccm.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md)">Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager</a>, based on your deployment system.</li>
<li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br><strong>Important</strong><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either <a href="create-wip-policy-using-intune-azure.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)">Create a Windows Information Protection (WIP) policy using Microsoft Intune</a> or <a href="create-wip-policy-using-configmgr.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md)">Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager</a>, based on your deployment system.</li>
</ul>
<strong>For mobile:</strong><br><br>
<ol>
@ -113,7 +113,7 @@ You can try any of the processes included in these scenarios, but you should foc
<ol>
<li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.<br>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li>
<li>Open File Explorer and make sure your modified files are appearing with a <strong>Lock</strong> icon.</li>
<li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<br><br><strong>Note</strong><br>Most Windows-signed components like File Explorer (when running in the users context), should have access to enterprise data.<br><br>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don&#39;t have access by default, but can be added to your allowed apps list.</li>
<li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<br><br><strong>Note</strong><br>Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.<br><br>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don&#39;t have access by default, but can be added to your allowed apps list.</li>
</ol>
</td>
</tr>

View File

@ -27,7 +27,7 @@
### [Threat & Vulnerability Management]()
#### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
#### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
#### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md)
#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
#### [Configuration score](microsoft-defender-atp/configuration-score.md)
#### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
@ -443,7 +443,7 @@
### [Configure integration with other Microsoft solutions]()
#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
## Reference
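Review bot: removing the "Configure information protection in Windows" entry drops the only TOC path to information-protection-in-windows-config.md, so either the file should be deleted in the same commit with a redirect for its URL, or the page stays published but unreachable from navigation. Check for inbound links from the information-protection-in-windows-overview page and the Microsoft Cloud App Security integration page listed just above, which are the likely cross-references.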
@ -583,7 +583,7 @@
##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
##### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)

View File

@ -26,7 +26,6 @@ Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://
Windows Defender Antivirus is the [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) capability in the [Microsoft Defender ATP Windows 10 security stack](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) that addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign). That's because Windows Defender Antivirus and other [endpoint protection platform (EPP)](https://www.microsoft.com/security/blog/2019/08/23/gartner-names-microsoft-a-leader-in-2019-endpoint-protection-platforms-magic-quadrant/) capabilities in Microsoft Defender ATP detect and stops malware at first sight with [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak), behavioral analysis, and other advanced technologies.
<br><br>
![String of images showing scores](./images/Transparency-report-November1.png)
**Download the latest transparency report: [Examining industry test results, November 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)**
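Review bot: while this paragraph is being edited, the unchanged sentence "capabilities in Microsoft Defender ATP detect and stops malware at first sight" has a subject-verb mismatch; it should read "detect and stop malware".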
@ -54,7 +53,7 @@ The AV-TEST Product Review and Certification Report tests on three categories: p
- September — October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD)
### AV-Comparatives: Protection rating of 99.9% in the latest test
### AV-Comparatives: Protection rating of 99.6% in the latest test
Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance.
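Review bot: the heading changes the figure from 99.9% to 99.6% but still says only "in the latest test", so the number cannot be verified from the page. The AV-TEST bullets above each carry the test period and a link to the report; give the AV-Comparatives result the same treatment (month/year and the report URL) so the next update has something concrete to compare against.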

View File

@ -1,7 +1,7 @@
---
title: Configure HP ArcSight to pull Microsoft Defender ATP detections
description: Configure HP ArcSight to receive and pull detections from Microsoft Defender Security Center
keywords: configure hp arcsight, security information and events management tools, arcsight
title: Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
description: Configure Micro Focus ArcSight to receive and pull detections from Microsoft Defender Security Center
keywords: configure Micro Focus ArcSight, security information and events management tools, arcsight
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
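Review bot: the keywords line drops "hp arcsight" entirely; since readers will keep searching under the old vendor name for some time, keep "hp arcsight" alongside "Micro Focus ArcSight" in the keywords, for example `keywords: configure Micro Focus ArcSight, hp arcsight, security information and events management tools, arcsight`. The file name configure-arcsight.md is unchanged, which is fine.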
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Configure HP ArcSight to pull Microsoft Defender ATP detections
# Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
**Applies to:**
@ -28,14 +28,15 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP detections.
You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Microsoft Defender ATP detections.
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
## Before you begin
Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
Configuring the Micro Focus ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
This section guides you in getting the necessary information to set and use the required configuration files correctly.
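Review bot: the unchanged note line "is composed from the suspicious event occurred on the Machine and its related Alert details" is ungrammatical; suggest "is composed of the suspicious event that occurred on the machine and its related alert details" while this block is being touched.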
@ -50,7 +51,7 @@ This section guides you in getting the necessary information to set and use the
- WDATP-connector.properties
- WDATP-connector.jsonparser.properties
You would have saved a .zip file which contains these two files when you chose HP ArcSight as the SIEM type you use in your organization.
You would have saved a .zip file which contains these two files when you chose Micro Focus ArcSight as the SIEM type you use in your organization.
- Make sure you generate the following tokens and have them ready:
- Access token
@ -58,7 +59,8 @@ This section guides you in getting the necessary information to set and use the
You can generate these tokens from the **SIEM integration** setup section of the portal.
## Install and configure HP ArcSight FlexConnector
## Install and configure Micro Focus ArcSight FlexConnector
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.</br></br>You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location.
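Review bot: step 1 still tells the reader to get the FlexConnector installer from "the HPE Software center", which contradicts the rename to Micro Focus ArcSight made in the heading directly above. Update the download location wording in the same way (the Micro Focus software download portal, or whatever the current name is), otherwise the first instruction sends readers to a vendor name the rest of the page no longer uses.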
@ -79,8 +81,9 @@ The following steps assume that you have completed all the required steps in [Be
- WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\
NOTE:
You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
> [!NOTE]
>
> You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**.
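Review bot: the empty `>` line between `> [!NOTE]` and the note text is unnecessary; the other notes on this page (the `>[!Note]` block under "Before you begin" and the `> [!NOTE]` in the proxy article) put the text directly under the marker, so drop the blank `>` line for consistency.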
@ -114,30 +117,36 @@ The following steps assume that you have completed all the required steps in [Be
</td>
</tr>
</tr>
</table><br/>7. A browser window is opened by the connector. Login with your application credentials. After you log in, you&#39;ll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate. </br></br>
If the <code>redirect_uri</code> is a https URL, you&#39;ll be redirected to a URL on the local host. You&#39;ll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You&#39;ll need to trust this certificate if the redirect_uri is a https. </br></br> If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
</table><br/>
7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.
7. Continue with the connector setup by returning to the HP ArcSight Connector Setup window.
If the <code>redirect_uri</code> is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.
If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
8. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
8. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window.
9. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
10. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
12. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
12. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
13. Select **Install as a service** and click **Next**.
13. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
14. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
14. Select **Install as a service** and click **Next**.
15. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
15. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
16. Finish the installation by selecting **Exit** and **Next**.
16. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
17. Finish the installation by selecting **Exit** and **Next**.
## Install and configure the Micro Focus ArcSight console
## Install and configure the HP ArcSight console
1. Follow the installation wizard through the following tasks:
- Introduction
- License Agreement
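Review bot: the renumbering correctly removes the duplicated "7." and gives the OAuth consent step its own paragraph, but the context lines immediately above show two consecutive `</tr>` tags before `</table>`, so the table closes one row it never opened; remove the extra `</tr>`. In step 7 itself, "if the redirect_uri is a https" should be "an https URL", and "Login with your application credentials" should be "Log in with" (verb form).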
@ -158,18 +167,19 @@ The following steps assume that you have completed all the required steps in [Be
7. Click **Done** to quit the installer.
8. Login to the HP ArcSight console.
8. Login to the Micro Focus ArcSight console.
9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**.
10. Set **Device Product = Microsoft Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
You can now run queries in the HP ArcSight console.
You can now run queries in the Micro Focus ArcSight console.
Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
## Troubleshooting HP ArcSight connection
## Troubleshooting Micro Focus ArcSight connection
**Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`.
**Symptom:** You get the following error message:
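Review bot: the product-name sentence mixes straight and curly quotes (`"Microsoft” as the vendor and “Windows Defender ATP”`), which is exactly the kind of inconsistency the rest of this commit is normalizing; use straight quotes throughout. More importantly, this sentence says the device name is "Windows Defender ATP" while step 10 above sets `Device Product = Microsoft Defender ATP`; one of the two is wrong, and the filter in step 10 matches nothing if the events actually carry the other string, so verify the value the connector emits and make both lines agree.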
@ -177,7 +187,9 @@ Microsoft Defender ATP detections will appear as discrete events, with "Microsof
`Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token`
**Solution:**
1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?".
2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value:
`reauthenticate=true`.

View File

@ -102,7 +102,8 @@ See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/
## Enable access to Microsoft Defender ATP service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443:
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed below to the allowed domains list.
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning.
> [!NOTE]
> settings-win.data.microsoft.com is only needed if you have Windows 10 machines running version 1803 or earlier.<br>
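Review bot: the rewrite reverses the previous guidance: the old sentence said "Do not disable security monitoring or inspection of these URLs", the new one says to exclude the domains from HTTPS scanning. A reversal of a security control needs a stated reason (what breaks when the proxy intercepts these connections), otherwise operators who followed the earlier text have no way to know they must change their proxy configuration. The rewrite also drops the statement that the service is reached on ports 80 and 443, which firewall rules need; restore it, for example as a third sentence: "These URLs are used on ports 80 and 443."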

(Eight binary image files are added by this commit; their contents are not shown.)