deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'atp-rs5' of https://cpubwin.visualstudio.com/_git/it-client into atp-rs5

Browse Source
This commit is contained in:
Joey Caparas 2018-08-30 15:15:29 -07:00
commit c0e999a792
18 changed files with 152 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.date: 04/12/2018
ms.date: 08/30/2018
ms.localizationpriority: medium
---
@ -145,17 +145,17 @@ To enable Skype for Business online, your tenant users must have Exchange mailbo
| --- | --- | --- | --- |
| Join a scheduled meeting | Skype for Business Standalone Plan 1 | E1, 3, 4, or 5 | Skype for Business Server Standard CAL |
| Initiate an ad-hoc meeting | Skype for Business Standalone Plan 2 | E 1, 3, 4, or 5 | Skype for Business Server Standard CAL or Enterprise CAL |
| Initiate an ad-hoc meeting and dial out from a meeting to phone numbers | Skype for Business Standalone Plan 2 with PSTN Conferencing</br></br>**Note** PSTN consumption billing is optional | E1 or E3 with PSTN Conferencing, or E5| Skype for Business Server Standard CAL or Enterprise CAL |
| Give the room a phone number and make or receive calls from the room or join a dial-in conference using a phone number | Skype for Business Standalone Plan 2 with Cloud PBX and a PSTN Voice Calling plan | E1 or E3 with Cloud PBX and a PSTN Voice Calling plan, or E5 | Skype for Business Server Standard CAL or Plus CAL |
| Initiate an ad-hoc meeting and dial out from a meeting to phone numbers | Skype for Business Standalone Plan 2 with Audio Conferencing</br></br>**Note** PSTN consumption billing is optional | E1 or E3 with Audio Conferencing, or E5| Skype for Business Server Standard CAL or Enterprise CAL |
| Give the room a phone number and make or receive calls from the room or join a dial-in conference using a phone number | Skype for Business Standalone Plan 2 with Phone System and a PSTN Voice Calling plan | E1 or E3 with Phone System and a PSTN Voice Calling plan, or E5 | Skype for Business Server Standard CAL or Plus CAL |
The following table lists the Office 365 plans and Skype for Business options.
| O365 Plan | Skype for Business | Cloud PBX | PSTN Conferencing | PSTN Calling |
| O365 Plan | Skype for Business | Phone System | Audio Conferencing | Calling Plans |
| --- | --- | --- | --- | --- |
| O365 Business Essentials | Included | | | |
| O365 Business Premium | Included | | | |
| E1 | Included | Add-on | Add-on | Add-on (requires Cloud PBX add-on) |
| E3 | Included | Add-on | Add-on | Add-on (requires Cloud PBX add-on) |
| E1 | Included | Add-on | Add-on | Add-on (requires Phone System add-on) |
| E3 | Included | Add-on | Add-on | Add-on (requires Phone System add-on) |
| E5 | Included | Included | Included | Add-on |
1. Start by creating a remote PowerShell session from a PC to the Skype for Business online environment.
@ -190,7 +190,7 @@ The following table lists the Office 365 plans and Skype for Business options.
- Click **Licenses**.
- In **Assign licenses**, select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub.
- In **Assign licenses**, select Skype for Business (Plan 1) or Skype for Business (Plan 2), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 2 license if you want to use Enterprise Voice on your Surface Hub.
- Click **Save**.
@ -291,7 +291,8 @@ Use this procedure if you use Exchange online.
- Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
>**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
>[!IMPORTANT]
>Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
![Image showing password dialog box.](images/hybriddeployment-02a.png)

3
devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
View File

@ -107,7 +107,8 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013
 ## Disable anonymous email and IM
>[!WARNING]
>This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Surface Hub uses a device account to provide email and collaboration services (IM, video, voice). This device account is used as the originating identity (the “from” party) when sending email, IM, and placing calls. As this account is not coming from an individual, identifiable user, it is deemed “anonymous” because it originated from the Surface Hub's device account.

8
store-for-business/release-history-microsoft-store-business-education.md
View File

@ -8,7 +8,7 @@ ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
ms.date: 07/31/2018
ms.date: 08/29/2018
---
# Microsoft Store for Business and Education release history
@ -17,6 +17,9 @@ Microsoft Store for Business and Education regularly releases new and improved f
Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
## July 2018
- Bug fixes and permformance improvements.
## June 2018
- **Change order within private store collection** - Continuing our focus on improvements for private store, now you can customize the order of products in each private store collection.
- **Performance improvements in private store** - We continue to work on performance improvements in the private store. Now, most products new to your inventory are available in your private store within 15 minutes of adding them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)
@ -44,15 +47,12 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store
- **Microsoft Product and Services Agreement customers can invite people to take roles** - MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role.
## December 2017
- Bug fixes and permformance improvements.
## November 2017
- **Export list of Minecraft: Education Edition users** - Admins and teachers can now export a list of users who have Minecraft: Education Edition licenses assigned to them. Click **Export users**, and Store for Education creates an Excel spreadsheet for you, and saves it as a .csv file.
## October 2017
- Bug fixes and permformance improvements.
## September 2017

12
store-for-business/whats-new-microsoft-store-business-education.md
View File

@ -8,7 +8,7 @@ ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
ms.date: 07/31/2018
ms.date: 08/29/2018
---
# What's new in Microsoft Store for Business and Education
@ -17,9 +17,10 @@ Microsoft Store for Business and Education regularly releases new and improved f
## Latest updates for Store for Business and Education
**July 2018**
Weve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new feature
**August 2018**
| | |
|-----------------------|---------------------------------|
| ![Private store performance icon](images/perf-improvement-icon.png) |**App requests**<br /><br /> People in your organization can make requests for apps that they need. They can also request them on behalf of other people. Admins review requests and can decide on purchases. <br /><br />[Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#allow-app-requests)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
<!---
Weve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features!
@ -33,6 +34,9 @@ Weve been working on bug fixes and performance improvements to provide you a
## Previous releases and updates
[July 2018](release-history-microsoft-store-business-education.md#july-2018)
- Bug fixes and performance improvements
[June 2018](release-history-microsoft-store-business-education.md#june-2018)
- Change order within private store collection
- Performance improvements in private store

41
windows/client-management/mdm/enterprisemodernappmanagement-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/21/2018
ms.date: 08/27/2018
---
# EnterpriseModernAppManagement CSP
@ -127,8 +127,7 @@ Parameters:
</ul>
</li>
<li>User (optional): Specifies the SID of the particular user for whom to remove the package; only the package for the specified user can be removed.</li>
</ul>
</ul>
Supported operation is Execute.
@ -164,6 +163,39 @@ Required. Used for managing apps from the Microsoft Store.
Supported operations are Get and Delete.
<a href="" id="appmanagement-releasemanagement"></a>**AppManagement/AppStore/ReleaseManagement**
Added in Windows 10, next major version. Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization.
> [!Note]
> ReleaseManagement settings only apply to updates through the Microsoft Store.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_**
Added in Windows 10, next major version. Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-channelid"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ChannelId**
Added in Windows 10, next major version. Specifies the app channel ID.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-releasemanagementid"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ReleaseManagementId**
Added in Windows 10, next major version. The IT admin can specify a release ID to indicate a specific release they would like the user or device to be on.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-effectiverelease"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease**
Added in Windows 10, next major version. Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-effectiverelease-channelid"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ChannelId**
Added in Windows 10, next major version. Returns the last user channel ID on the device.
Value type is string. Supported operation is Get.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-effectiverelease-releasemanagementid"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ReleaseManagementId**
Added in Windows 10, next major version. Returns the last user release ID on the device.
Value type is string. Supported operation is Get.
<a href="" id="----packagefamilyname"></a>**.../****_PackageFamilyName_**
Optional. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin.
@ -222,8 +254,6 @@ Required. Architecture of installed package. Value type is string.
> [!Note]
> Not applicable to XAP files.
 
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-installlocation"></a>**.../*PackageFamilyName*/*PackageFullName*/InstallLocation**
@ -231,7 +261,6 @@ Required. Install location of the app on the device. Value type is string.
> [!Note]
> Not applicable to XAP files.
 
Supported operation is Get.

6
windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/23/2018
ms.date: 07/27/2018
---
# EnterpriseModernAppManagement DDF
@ -580,7 +580,7 @@ The XML below is for Windows 10, next major version.
</DFProperties>
</Node>
<Node>
<NodeName>ReleaseId</NodeName>
<NodeName>ReleaseManagementId</NodeName>
<DFProperties>
<AccessType>
<Get />
@ -642,7 +642,7 @@ The XML below is for Windows 10, next major version.
</DFProperties>
</Node>
<Node>
<NodeName>ReleaseId</NodeName>
<NodeName>ReleaseManagementId</NodeName>
<DFProperties>
<AccessType>
<Get />

BIN
windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 132 KiB

After

Width:  |  Height:  |  Size: 134 KiB

41
windows/client-management/mdm/networkproxy-csp.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/08/2018
ms.date: 08/29/2018
---
# NetworkProxy CSP
@ -31,44 +31,53 @@ The following diagram shows the NetworkProxy configuration service provider in t
![networkproxy csp](images/provisioning-csp-networkproxy.png)
<a href="" id="networkproxy"></a>**./Vendor/MSFT/NetworkProxy**
The root node for the NetworkProxy configuration service provider..</p>
The root node for the NetworkProxy configuration service provider..
<a href="" id="proxysettingsperuser"></a>**ProxySettingsPerUser**
Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide.
Supported operations are Add, Get, Replace, and Delete.
> [!Note]
> Per user proxy configuration setting is not supported.
<a href="" id="autodetect"></a>**AutoDetect**
Automatically detect settings. If enabled, the system tries to find the path to a PAC script.</p>
Valid values:</p>
Automatically detect settings. If enabled, the system tries to find the path to a PAC script.
Valid values:
<ul>
<li>0 - Disabled</li>
<li>1 (default) - Enabled</li>
</ul>
The data type is int. Supported operations are Get and Replace.</p>
The data type is int. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported.
<a href="" id="setupscripturl"></a>**SetupScriptUrl**
Address to the PAC script you want to use.</p>
The data type is string. Supported operations are Get and Replace.</p>
Address to the PAC script you want to use.
The data type is string. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported.
<a href="" id="proxyserver"></a>**ProxyServer**
Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections.</p>
Supported operation is Get.</p>
Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections.
Supported operation is Get.
<a href="" id="proxyaddress"></a>**ProxyAddress**
Address to the proxy server. Specify an address in the format &lt;server&gt;[“:”&lt;port&gt;]. </p>
The data type is string. Supported operations are Get and Replace.</p>
Address to the proxy server. Specify an address in the format &lt;server&gt;[“:”&lt;port&gt;]. 
The data type is string. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported.
<a href="" id="exceptions"></a>**Exceptions**
Addresses that should not use the proxy server. The system will not use the proxy server for addresses beginning with what is specified in this node. Use semicolons (;) to separate entries. </p>
The data type is string. Supported operations are Get and Replace.</p>
Addresses that should not use the proxy server. The system will not use the proxy server for addresses beginning with what is specified in this node. Use semicolons (;) to separate entries. 
The data type is string. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported.
<a href="" id="useproxyforlocaladdresses"></a>**UseProxyForLocalAddresses**
Specifies whether the proxy server should be used for local (intranet) addresses. </p>
Valid values:</p>
Specifies whether the proxy server should be used for local (intranet) addresses. 
Valid values:
<ul>
<li>0 (default) - Do not use proxy server for local addresses</li>
<li>1 - Use proxy server for local addresses</li>
</ul>
The data type is int. Supported operations are Get and Replace.</p>
The data type is int. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported.

18
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/14/2018
ms.date: 08/27/2018
---
# What's new in MDM enrollment and management
@ -1419,6 +1419,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Privacy/DisablePrivacyExperience</li>
<li>Privacy/UploadUserActivities</li>
<li>Security/RecoveryEnvironmentAuthentication</li>
<li>System/AllowDeviceNameInDiagnosticData</li>
<li>System/ConfigureMicrosoft365UploadEndpoint</li>
<li>System/DisableDeviceDelete</li>
<li>System/DisableDiagnosticDataViewer</li>
<li>Storage/RemovableDiskDenyWriteAccess</li>
<li>TaskManager/AllowEndTask</li>
<li>Update/EngagedRestartDeadlineForFeatureUpdates</li>
<li>Update/EngagedRestartSnoozeScheduleForFeatureUpdates</li>
@ -1457,7 +1462,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</td></tr>
<tr>
<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top"><p>Added a new node AllowStandardUserEncryption in Windows 10, next major version.</p>
<td style="vertical-align:top"><p>Added a new node AllowStandardUserEncryption in Windows 10, next major version. Added support for Windows 10 Pro.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[DevDetail CSP](devdetail-csp.md)</td>
@ -1768,6 +1773,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</thead>
<tbody>
<tr>
<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top"><p>Added support for Windows 10 Pro starting in the next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Office CSP](office-csp.md)</td>
<td style="vertical-align:top"><p>Added FinalStatus setting in Windows 10, next major version.</p>
</td></tr>
@ -1814,6 +1823,11 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>Privacy/AllowCrossDeviceClipboard</li>
<li>Privacy/DisablePrivacyExperience</li>
<li>Privacy/UploadUserActivities</li>
<li>System/AllowDeviceNameInDiagnosticData</li>
<li>System/ConfigureMicrosoft365UploadEndpoint</li>
<li>System/DisableDeviceDelete</li>
<li>System/DisableDiagnosticDataViewer</li>
<li>Storage/RemovableDiskDenyWriteAccess</li>
<li>Update/UpdateNotificationLevel</li>
</ul>
<p>Start/DisableContextMenus - added in Windows 10, version 1803.</p>

21
windows/client-management/mdm/policy-csp-update.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/10/2018
ms.date: 08/29/2018
---
# Policy CSP - Update
@ -715,6 +715,8 @@ The following list shows the supported values:
<!--Description-->
For Quality Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled.
The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks.
Value type is integer. Default is 7 days.
Supported values range: 2-30.
@ -781,6 +783,8 @@ ADMX Info:
<!--Description-->
For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled.
The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks.
Value type is integer. Default is 7 days.
Supported values range: 2-30.
@ -1503,6 +1507,11 @@ The following list shows the supported values:
<!--Description-->
For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.
The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks.
> [!Note]
> This policy is related to the default values for Update/EngagedRestartTransitionSchedule (default - 3 days) and Update/EngagedRestartSnoozeSchedule (default - 7 days). The default values for these two policies will be used unless these are set to other values.
Value type is integer. Default is 14.
Supported value range: 2 - 30.
@ -1757,11 +1766,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
Value type is integer.
Value type is integer. Default value is 7 days.
Supported value range: 0 - 30.
Supported value range: 0 - 30.
If you disable or do not configure this policy, the default behaviors will be used.
@ -1822,7 +1831,7 @@ ADMX Info:
<!--Description-->
For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
Value type is integer.
Value type is integer. Default value is 7 days.
Supported value range: 0 - 30.
@ -3324,6 +3333,8 @@ ADMX Info:
<!--Description-->
Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime.
When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursEnd, and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period after ActiveHoursEnd, the device will wake up several times to complete the processes. All processes are blocked before ActiveHoursStart.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:

3
windows/client-management/mdm/policy-ddf-file.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/09/2018
ms.date: 08/29/2018
---
# Policy DDF file
@ -20,6 +20,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Policy*
You can download the DDF files from the links below:
- [Download the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml)
- [Download the Policy DDF file for Windows 10, version 1803 release C](http://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml)
- [Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
- [Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
- [Download the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml)

17
windows/configuration/windows-spotlight.md
View File

@ -58,15 +58,18 @@ To turn off Windows Spotlight locally, go to **Settings** &gt; **Personalization
Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mobile device management (MDM) settings to help you manage Windows Spotlight on enterprise computers.
>[!NOTE]
>These policies are in the **User Configuration \Policies\Administrative Templates\Windows Components\Cloud Content** path in the Group Policy Management Console, and in the **User Configuration \Administrative Templates\Windows Components\Cloud Content** path in the Local Group Policy Editor.
| Group Policy | MDM | Description | Applies to |
| --- | --- | --- | --- |
| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later |
| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later |
| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later |
| **Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 |
| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 |
| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 |
**User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | Turn off the Windows Spotlight in the Settings app. | Windows 10 Enterprise and Education, version 1803 |
| **Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later |
| **Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later |
| **Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later |
| **Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 |
| **Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 |
| **Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 |
**Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | Turn off the Windows Spotlight in the Settings app. | Windows 10 Enterprise and Education, version 1803 |

2
windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
View File

@ -15,7 +15,7 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows 10 credential theft mitigation guide.docx).
This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx).
This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages:
- Identify high-value assets

2
windows/security/threat-protection/auditing/event-4713.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
: Mir0sh
author: Mir0sh
ms.date: 04/19/2017
---

26
windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
View File

@ -6,37 +6,37 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
author: mdsakibMSFT
ms.date: 08/23/2018
ms.date: 08/2/2018
---
# Device Guard: Windows Defender Application Control Configurable Code Integrity and Virtualization-based security
# Device Guard: Windows Defender Application Control and Virtualization-based security
**Applies to**
- Windows 10
- Windows Server 2016
Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity (CI), while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI).
Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI).
Configurable CI and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices. Starting with the Windows 10 Anniversary Update (1607), this combined "configuration state" of Configurable CI and HVCI has been referred to as Windows Defender Device Guard.
Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices. This combined "configuration state" of configurable code integrity and HVCI has been referred to as Windows Defender Device Guard.
Using Configurable CI to restrict devices to only autherized apps has these advantages over other solutions:
Using configurable code integrity to restrict devices to only authorized apps has these advantages over other solutions:
1. Configurable CI policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. Configurable CI allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
3. Customers can protect the configurable CI policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organizations digital signing process, making it extremely difficult for an attacker with administrative privledge, or malicious software that managed to gain administrative privilege, to alter the application control policy.
4. The entire configurable CI enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? Thats because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable CI or any other application control solution.
1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. Configurable code integrity allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organizations digital signing process, making it extremely difficult for an attacker with administrative privledge, or malicious software that managed to gain administrative privilege, to alter the application control policy.
4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? Thats because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
## (Re-)Introducing Windows Defender Application Control
When we originally designed the configuration state that we have referred to as Windows Defender Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between the two main OS features of the Device Guard configuration, configurable CI and HVCI, we intentionally focused our discussion around the Device Guard lockdown state you achieve when deploying them together.
When we originally designed the configuration state that we have referred to as Windows Defender Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between the two main OS features of the Device Guard configuration, configurable code integrity and HVCI, we intentionally focused our discussion around the Device Guard lockdown state you achieve when deploying them together.
However, the use of the term Device Guard to describe this configuration state has unintentionally left an impression for many IT professionals that the two features were inexorably linked and could not be deployed separately.
Additionally, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems cant meet.
As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldnt use configurable CI either.
But configurable CI carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldnt use configurable code integrity either.
But configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable CI as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
We hope this change will help us better communicate options for adopting application control within an organization.
Does this mean Windows Defender Device Guard configuration state is going away? Not at all. The term Device Guard will continue to be used as a way to describe the fully locked down state achieved through the use of Windows Defender Application Control (WDAC), HVCI, and hardware and firmware security features. It also allows us to work with our OEM partners to identify specifications for devices that are “Device Guard capable” so that our joint customers can easily purchase devices that meet all of the hardware and firmware requirements of the original "Device Guard" locked down scenario for Windows 10 based devices.

4
windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
View File

@ -39,8 +39,8 @@ The below scores are the results of AV-TEST's evaluations on **Windows Defender
|Month (2018)|Real-World test score| Prevalent malware test score | AV-TEST report| Microsoft analysis|
|---|---|---|---|---|
|January| 100.00%| 99.92%| [Report (Jan-Feb)](https://www.av-test.org/en/antivirus/home-windows/windows-7/february-2018/kaspersky-lab-internet-security-18.0-180557/)| [Analysis (Jan-Feb)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports)|
|February| 100.00% | 100.00%|[Report (Jan-Feb)](https://www.av-test.org/en/antivirus/home-windows/windows-7/february-2018/kaspersky-lab-internet-security-18.0-180557/)| [Analysis (Jan-Feb)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports)|
|January| 100.00%| 99.92%| [Report (Jan-Feb)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2018/microsoft-windows-defender-antivirus-4.12-180674/)| [Analysis (Jan-Feb)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports)|
|February| 100.00% | 100.00%|[Report (Jan-Feb)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2018/microsoft-windows-defender-antivirus-4.12-180674/)| [Analysis (Jan-Feb)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports)|
March |98.00%| 100.00%|[Report (Mar-Apr)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/)|[Analysis (Mar-Apr)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports)|
April|100.00%| 100.00%|[Report (Mar-Apr)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/)|[Analysis (Mar-Apr)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports)|
May|100.00%| 100.00%| [Report (May-Jun)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) |[Analysis (May-Jun)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) <sup>**Latest**</sup>|

8
windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
View File

@ -38,10 +38,10 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
|Name|Supported versions|Description|Options|
|-----------|------------------|-----------|-------|
|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Professional, 1803|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<ul><li>Disable the clipboard functionality completely when Virtualization Security is enabled.</li><li>Enable copying of certain content from Application Guard into Microsoft Edge.</li><li>Enable copying of certain content from Microsoft Edge into Application Guard.<br><br>**Important**<br>Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.</li></ul>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Professional, 1803|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<ul><li>Enable Application Guard to print into the XPS format.</li><li>Enable Application Guard to print into the PDF format.</li><li>Enable Application Guard to print to locally attached printers.</li><li>Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.</ul>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Professional, 1803|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.<br><br>**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Professional, 1803|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>|
|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<ul><li>Disable the clipboard functionality completely when Virtualization Security is enabled.</li><li>Enable copying of certain content from Application Guard into Microsoft Edge.</li><li>Enable copying of certain content from Microsoft Edge into Application Guard.<br><br>**Important**<br>Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.</li></ul>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<ul><li>Enable Application Guard to print into the XPS format.</li><li>Enable Application Guard to print into the PDF format.</li><li>Enable Application Guard to print to locally attached printers.</li><li>Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.</ul>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.<br><br>**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>|
|Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.<br><br>**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
|Allow files to download to host operating system|Windows 10 Enterprise, 1803|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.<br><br>**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803<br><br>(experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.<br><br><ul>**Important**<br>Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br></ul>**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.<br><br>**Note**<br>This is an experimental feature in Windows 10 Enterprise, version 1803 and will not function without the presence of an additional registry key provided by Microsoft. If you would like to evaluate this feature on deployments of Windows 10 Enterprise, version 1803, please contact Microsoft for further information.|

2
windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
View File

@ -49,7 +49,7 @@ Before you can install and use Windows Defender Application Guard, you must dete
Applies to:
- Windows 10 Enterprise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
- Windows 10 Pro edition, version 1803
Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-wd-app-guard.md) testing scenario.